CN112949690A - Continuous identity authentication method based on mouse behavior time-frequency joint analysis - Google Patents

Info

Publication number
CN112949690A
Authority
CN
China
Prior art keywords
mouse
user
time
behavior
frequency
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110145423.2A
Other languages
Chinese (zh)
Inventor
易茜
张一弓
易树平
李嘉佳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing University
Original Assignee
Chongqing University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing University filed Critical Chongqing University
Priority to CN202110145423.2A priority Critical patent/CN112949690A/en
Publication of CN112949690A publication Critical patent/CN112949690A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2218/00 Aspects of pattern recognition specially adapted for signal processing
    • G06F2218/08 Feature extraction

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Evolutionary Computation (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a continuous identity authentication method based on time-frequency joint analysis of mouse behavior, comprising the following steps: continuously collecting a user mouse behavior data set; extracting time-domain features and frequency-domain features of mouse motion behavior from the data set; generating the user's time-frequency-domain mouse behavior features from those time-domain and frequency-domain features; inputting the time-frequency-domain features into a trusted interaction model to obtain a corresponding trust value; and locking the user when the trust value is less than or equal to the lock threshold. Compared with the prior art, the method uses time-frequency joint analysis to extend the mining of mouse behavior features from the time domain to the frequency domain and constructs a corresponding trusted interaction model, so that the identity of the interaction subject can be verified continuously and more accurately, which in turn effectively protects the security of network accounts.

Description

Continuous identity authentication method based on mouse behavior time-frequency joint analysis
Technical Field
The invention relates to the field of information security, in particular to a continuous identity authentication method based on mouse behavior time-frequency joint analysis.
Background
By 2019, the number of network users worldwide had reached 4.54 billion out of a population of 7.75 billion, or 59 percent of the total population. Each network user has their own network accounts and, because real-name registration requirements are increasingly common, these accounts almost always involve the user's private information and even financial assets. Protecting the security of network accounts has therefore become an important challenge.
At present, the most common approach is to set a password on the account to verify the identity of the user at login, i.e. Static Authentication (SA). Static authentication has its limitations. For example, session hijacking can bypass SA, and password cracking can deceive SA. In these cases the interaction clearly comes from an untrusted interaction subject, yet SA cannot detect the untrusted interaction behavior, so a technique is needed to supplement SA.
Researchers have proposed judging whether mouse activity belongs to the real user from the time-domain features of the user's mouse interaction behavior. These studies have shown that a user's mouse behavior pattern is unique and can be used to verify identity. However, no one always behaves in exactly the same way. Considering the relationship between behavior and identity, this research introduced the concept of trust: behavior that deviates greatly from the template reduces the identity trust of the current user, and behavior close to the template increases it. Research on Continuous Authentication (CA) builds an association between user behavior and identity trustworthiness, and determines the user's identity through continuous evaluation of behavior. However, in the prior art the mining of mouse behavior pattern features is concentrated mainly on the time domain; frequency-domain features are ignored, and accuracy is poor.
Disclosure of Invention
Therefore, the problem to be solved by the invention is: to consider the time-domain and frequency-domain features of mouse behavior data together, so as to verify the identity of the interaction subject continuously and more accurately.
To solve the above technical problem, the invention adopts the following technical solution:
A continuous identity authentication method based on mouse behavior time-frequency joint analysis comprises the following steps:
S1, continuously collecting a user mouse behavior data set;
S2, extracting time-domain features and frequency-domain features of mouse motion behavior from the user mouse behavior data set;
S3, generating the user's time-frequency-domain mouse behavior features based on the time-domain features and the frequency-domain features of the mouse motion behavior;
S4, inputting the user's time-frequency-domain mouse behavior features into a trusted interaction model to obtain a corresponding trust value;
S5, locking the user when the trust value is less than or equal to the locking threshold.
Preferably, step S2 includes:
S201, preprocessing the data in the user mouse behavior data set: deleting duplicate values and null values, and sorting in chronological order;
S202, calculating the time-domain features of mouse motion behavior from the relationship between mouse position and time in the user mouse behavior data set;
S203, using the HHT algorithm to calculate the instantaneous frequency and instantaneous energy of the time-related features among the time-domain features of mouse motion behavior, to obtain the frequency-domain features of mouse motion behavior.
Preferably, in step S203, the IMF screening rule includes: 70% of the instantaneous frequencies in a high-frequency component are lower than 13 Hz; 50% of the instantaneous frequencies in a low-frequency component are higher than 0.5 Hz.
Preferably, step S3 includes:
S301, dividing the data into a plurality of motion segments at the intervals between different mouse operation behaviors;
S302, generating the corresponding time-frequency-domain features of the user's mouse behavior from the time-domain and frequency-domain features of mouse motion behavior for each motion segment.
Preferably, step S4 includes:
S401, inputting the time-frequency-domain features of the user's mouse behavior for each motion segment into a regression model, and generating a deviation value between those features and the real user's behavior pattern template;
S402, inputting the deviation value into the trusted interaction model, and generating a corresponding reward value or penalty value based on the difference between the deviation value and a reward-or-penalty threshold;
S403, updating the user identity trust value based on the reward value or penalty value, and locking the user when the user identity trust value is lower than the locking threshold.
Preferably, once the user identity trust value has reached its upper limit, an update based on a reward value no longer increases it.
In summary, the invention discloses a continuous identity authentication method based on mouse behavior time-frequency joint analysis. Compared with the prior art, the invention uses time-frequency joint analysis to extend the mining of mouse behavior features from the time domain to the frequency domain and constructs a corresponding trusted interaction model, so that the identity of the interaction subject can be verified continuously and more accurately, which in turn effectively protects the security of network accounts.
Drawings
For purposes of promoting a better understanding of the objects, aspects and advantages of the invention, reference will now be made in detail to the present invention as illustrated in the accompanying drawings, in which:
FIG. 1 is a schematic diagram of a continuous identity authentication method based on mouse behavior time-frequency joint analysis according to the present invention;
FIG. 2 is a system architecture for collecting user mouse behavior data in accordance with the present invention;
FIG. 3 is a schematic diagram of the empirical mode decomposition of the acceleration signal of a user's mouse behavior;
FIG. 4 shows the Hilbert spectra of IMF2 and IMF3, used when screening IMFs based on Hilbert spectra;
FIG. 5 is a schematic diagram of a trusted interaction model detection process;
FIG. 6 is a user data partitioning for scenario 1;
FIG. 7 is a user data partitioning for scenario 2;
FIG. 8 is a user data partitioning for scenario 3;
FIG. 9 is a process of internal detection of the trusted interaction model in scenario 1;
FIG. 10 is a process of external detection of the trusted interaction model in scenario 2;
FIG. 11 is a process of self-testing of the trusted interaction model in scenario 3;
FIG. 12 is a process of self-testing a user who uses a touchpad and a mouse alternately by the trusted interaction model in scenario 3.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings.
As shown in FIG. 1, a continuous identity authentication method based on mouse behavior time-frequency joint analysis includes:
S1, continuously collecting a user mouse behavior data set;
S2, extracting time-domain features and frequency-domain features of mouse motion behavior from the user mouse behavior data set;
S3, generating the user's time-frequency-domain mouse behavior features based on the time-domain features and the frequency-domain features of the mouse motion behavior;
S4, inputting the user's time-frequency-domain mouse behavior features into a trusted interaction model to obtain a corresponding trust value;
S5, locking the user when the trust value is less than or equal to the locking threshold.
Compared with the prior art, the method uses time-frequency joint analysis to extend the mining of mouse behavior features from the time domain to the frequency domain and constructs a corresponding trusted interaction model, so that the identity of the interaction subject can be verified continuously and more accurately, which in turn effectively protects the security of network accounts.
In specific implementation, step S2 includes:
S201, preprocessing the data in the user mouse behavior data set: deleting duplicate values and null values, and sorting in chronological order;
In the invention, the data in the mouse behavior data set can be collected with embedded code, so that the data are recorded when a user accesses a website, as shown in FIG. 2. Recording is done in units of milliseconds, and a comma-separated (CSV) file is generated. The raw data contain only the event, timestamp, X-axis coordinate, Y-axis coordinate and user ID.
Some prior-art studies use data from an uncontrolled environment, but their data acquisition period is short, only a few days, and such data can hardly contain all the features of a user's behavior pattern. The invention therefore uses data collected over a long period (which may span two and a half years) for model training.
After the data are collected, Python can be used to clean the raw data: duplicate values and null values are deleted, and the records are sorted in chronological order.
S202, calculating the time-domain features of mouse motion behavior from the relationship between mouse position and time in the user mouse behavior data set;
As shown in Table 1, in the invention 14 time-domain features of mouse motion behavior, such as X-axis velocity, Y-axis velocity and tangential velocity, can be calculated for each user from the relationship between mouse position and time.
TABLE 1 Time-domain features of mouse behavior
Figure BDA0002930006610000041
S203, using the HHT algorithm to calculate the instantaneous frequency and instantaneous energy of the time-related features among the time-domain features of mouse motion behavior, to obtain the frequency-domain features of mouse motion behavior.
The 9 time-related features in Table 1 are selected as original signals, and the HHT (Hilbert-Huang transform) is used to calculate their instantaneous frequency and instantaneous energy, giving 18-dimensional frequency-domain features.
HHT is a time-frequency transform method suited to analyzing nonlinear, non-stationary signals, and can be used to analyze mouse behavior. HHT is free of the limitation that the Heisenberg uncertainty principle imposes on linear time-frequency analysis methods. It adaptively decomposes the original signal into a number of linear, stationary Intrinsic Mode Functions (IMFs) through Empirical Mode Decomposition (EMD), then screens out the effective IMFs and uses the Hilbert transform to calculate the instantaneous frequency and instantaneous energy of the signal, which characterize the user's mouse behavior pattern.
The idea behind EMD is that the original signal is composed of a series of IMFs, each IMF component containing one intrinsic vibration mode of the signal. An IMF must satisfy two basic conditions: first, over the whole signal, the number of extreme points and the number of zero crossings must be equal or differ by at most one; second, at any point, the mean of the upper envelope and the lower envelope, formed by the local maxima and the local minima respectively, is 0. The EMD algorithm decomposes a complex non-stationary signal into a sum of intrinsic mode functions, which in effect makes the non-stationary signal stationary while retaining the characteristics of the original signal during decomposition. The decomposition is adaptive and therefore better reflects the essential information about tremor in the signal.
Calling the "EMD()" module in Matlab performs EMD on the input signal. The EMD of one user's mouse acceleration signal is shown in FIG. 3. The first row is the raw acceleration signal, followed below by IMF1 through IMF10 after EMD, with the residual term omitted.
The instantaneous frequency is defined through the Hilbert transform as follows. Let x(t) be a real signal; the Hilbert transform is used to construct the analytic signal:
Figure BDA0002930006610000051
where
Figure BDA0002930006610000052
is the Hilbert transform of x(t), and z(t) is the analytic signal of x(t), in which:
Figure BDA0002930006610000053
$\theta(t) = \arctan\left[v(t)/u(t)\right]$
The instantaneous frequency $f_i$ is defined as:
$f_i = \frac{1}{2\pi}\cdot\frac{d\theta}{dt}$
That is, the instantaneous frequency of the real signal x(t) is defined as the derivative of the phase of the corresponding analytic signal z(t).
The instantaneous energy distribution corresponding to an intrinsic mode function $c_i(t)$ is defined as:
Figure BDA0002930006610000054
$E(t) = \sum_i E_i(t)$
where $E(t)$ represents the instantaneous energy value of the signal at any time t, which is the norm of the amplitude under the Hilbert transform. It describes the energy transfer and the fluctuation history of the signal at different times.
Then the motion segments are divided, and the maximum, minimum, mean, standard deviation and range of the 14-dimensional time-domain features and the 18-dimensional frequency-domain instantaneous features in Table 2 are calculated, forming 160 time-frequency-domain features.
Finally, the motion segment distance $s_n$, the motion segment duration $t_n$ and the path jitter rate $J$ of each motion segment are calculated, using the following formulas:
Figure BDA0002930006610000061
Figure BDA0002930006610000062
Figure BDA0002930006610000063
In total, 163 time-frequency-domain features are obtained, as shown in Table 2.
TABLE 2 Time-frequency-domain features of mouse behavior
Figure BDA0002930006610000064
Figure BDA0002930006610000071
In specific implementation, in step S203, the IMF screening rule includes: 70% of the instantaneous frequencies in a high-frequency component are lower than 13 Hz; 50% of the instantaneous frequencies in a low-frequency component are higher than 0.5 Hz.
Not all the IMFs obtained from EMD reflect the individual behavior characteristics of a user operating the mouse, so suitable IMFs that reflect the essence of the signal need to be screened out. In earlier research on mechanical vibration signals, researchers screened IMFs by calculating the correlation coefficient between each IMF and the original signal to obtain a decision threshold. However, that method does not perform well in the present study: it often retains high-frequency noise components such as IMF1 but discards low-frequency information related to human physiological motion.
To concentrate on the information in mouse data that reflects user behavior and varies from person to person, the invention screens IMFs based on the frequency distribution of human physiological motion. The upper frequency limit of human controlled movement does not exceed 12.46 Hz, and researchers analyzing intermittent control strategies in arm movement selected low-frequency information in the 0.5-4 Hz range; taking these together, the invention focuses mainly on frequency-domain information within 0.5-13 Hz. Unlike the orthogonal decomposition used by wavelet transforms and similar methods, EMD is an adaptive decomposition, so the bandwidth of each IMF is not fixed in advance. The instantaneous frequency of each IMF is therefore obtained through the Hilbert transform, and the IMFs are screened according to the upper limit of human motion frequency. The IMF screening rule is defined as: ① 70% of the instantaneous frequencies in a high-frequency component (generally IMF1-IMF3) are lower than 13 Hz; ② 50% of the instantaneous frequencies in a low-frequency component (typically after IMF4) are higher than 0.5 Hz.
For example, IMF2 and IMF3 from the EMD of user X's acceleration signal are Hilbert-transformed to obtain the H spectrograms shown in FIG. 4, where the color bar represents the instantaneous energy $E_i(t)$. Only 60% of the instantaneous frequencies of IMF2 (left) are below the 13 Hz upper limit, whereas 77% of the instantaneous frequencies of IMF3 (right) lie within 13 Hz, so IMF3 is retained and IMF2 is discarded; the remaining IMFs are handled in the same way.
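The Hilbert-based instantaneous frequency and the two screening rules above, as an added example that is not code from the patent. It assumes a hypothetical 100 Hz resampled signal, constructed single-tone stand-ins for IMFs (no EMD is performed), "at least" 70% / 50% as the pass condition, and frequency magnitude for the comparison:

```python
import cmath
import math

FS = 100.0   # assumed sampling rate in Hz (hypothetical; the patent records in milliseconds)
N = 400      # 4 s window, so every constructed tone below has a whole number of cycles


def analytic_signal(x):
    """z(t) = x(t) + j*H[x](t), built with a plain DFT (pure Python, O(n^2))."""
    n = len(x)
    w = [cmath.exp(-2j * math.pi * m / n) for m in range(n)]  # DFT twiddle factors
    spec = [sum(x[t] * w[(k * t) % n] for t in range(n)) for k in range(n)]
    half = (n + 1) // 2
    for k in range(1, n):
        if k < half:
            spec[k] *= 2                      # positive frequencies doubled
        elif not (n % 2 == 0 and k == n // 2):
            spec[k] = 0                       # negative frequencies removed
    return [sum(spec[k] * w[(-k * t) % n] for k in range(n)) / n for t in range(n)]


def instantaneous_frequency(x, fs):
    """f_i = (1 / 2*pi) * d(theta)/dt, from the phase step between samples."""
    z = analytic_signal(x)
    freqs = []
    for a, b in zip(z, z[1:]):
        dtheta = cmath.phase(b * a.conjugate())   # already wrapped to (-pi, pi]
        freqs.append(dtheta * fs / (2 * math.pi))
    return freqs


def keep_imf(freqs, high_frequency_component):
    """Screening rule from the description.

    High-frequency component: keep if at least 70% of |f_i| are below 13 Hz.
    Low-frequency component:  keep if at least 50% of |f_i| are above 0.5 Hz.
    """
    if not freqs:
        return False
    if high_frequency_component:
        share = sum(1 for f in freqs if abs(f) < 13.0) / len(freqs)
        return share >= 0.70
    share = sum(1 for f in freqs if abs(f) > 0.5) / len(freqs)
    return share >= 0.50


def tone(freq_hz, fs=FS, n=N):
    """Constructed stand-in for one IMF: a pure sine at freq_hz."""
    return [math.sin(2 * math.pi * freq_hz * t / fs) for t in range(n)]


def screen_constructed_imfs():
    """Apply the rule to four constructed components; returns name -> kept?"""
    cases = {
        "high_20Hz": (tone(20.0), True),    # above the human-motion band: noise-like
        "high_6Hz": (tone(6.0), True),      # inside 0.5-13 Hz
        "low_2Hz": (tone(2.0), False),      # inside 0.5-13 Hz
        "low_0.25Hz": (tone(0.25), False),  # slower than 0.5 Hz: drift-like
    }
    return {name: keep_imf(instantaneous_frequency(sig, FS), high)
            for name, (sig, high) in cases.items()}


if __name__ == "__main__":
    for name, kept in screen_constructed_imfs().items():
        print(f"{name:11s} -> {'keep' if kept else 'discard'}")
```
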
In specific implementation, step S3 includes:
S301, dividing the data into a plurality of motion segments at the intervals between different mouse operation behaviors;
S302, generating the corresponding time-frequency-domain features of the user's mouse behavior from the time-domain and frequency-domain features of mouse motion behavior for each motion segment.
The characteristics of how a user operates the mouse usually show up over a stretch of continuous operation, that is, in a section of the signal sequence. Some researchers extract data for four kinds of motion (mouse movement, mouse click-and-drag, movement between two clicks, and mouse silence) and build histograms from them as features; other researchers divide mouse operation behavior into three levels and calculate motion features for each.
In daily life, i.e. in an uncontrolled environment, a user performs interactive operations such as searching for data, downloading data, uploading local files and communicating online after logging in. In these operations the user moves the mouse and clicks function buttons on the interface, completing an effective interaction. In addition, the user may browse information on the interface or type with the keyboard, and these operations split the mouse behavior into a number of motion segments separated by intervals. The invention divides the motion segments according to these characteristics.
Three mouse events are defined, as shown in Table 3:
TABLE 3 Tagging of mouse behavior events
Figure BDA0002930006610000081
Four mouse motion segments are defined:
① A motion without a click, in which the time interval between two adjacent mouse motion events is less than τ and the duration of the whole motion exceeds δ:
Figure BDA0002930006610000082
② MMud: the motion segment from the start of the up key to the end of the key press:
Figure BDA0002930006610000083
③ MMum: the motion segment from the beginning of mouse silence to the end of the button press:
Figure BDA0002930006610000084
④ MMmd: a short movement that starts from pressing the key and lasts until the mouse is silent:
Figure BDA0002930006610000085
Each motion segment is treated as one mouse operation. The time-frequency-domain features of each mouse behavior are calculated to describe the characteristics of the interaction behavior and form one sample.
In specific implementation, step S4 includes:
S401, inputting the time-frequency-domain features of the user's mouse behavior for each motion segment into a regression model, and generating a deviation value between those features and the real user's behavior pattern template;
S402, inputting the deviation value into the trusted interaction model, and generating a corresponding reward value or penalty value based on the difference between the deviation value and a reward-or-penalty threshold;
S403, updating the user identity trust value based on the reward value or penalty value, and locking the user when the user identity trust value is lower than the locking threshold.
In the invention, the LSBoost algorithm may be selected to handle the regression problem. LSBoost fits each new weak learner to the difference between the observed response and the aggregated prediction of all previous weak learners, so as to minimize the mean squared error.
When an intruder illegally logs in to a user's account, the trusted interaction model continuously verifies the identity trust value (Y axis) over the course of the interaction (X axis). After any account login, the current user identity trust value starts from the initial user identity trust value (which can be 100). Behavior that deviates from the template lowers the trust value, and when the current user identity trust value falls below the locking threshold $T_{lockout}$ (taken as 90) the system locks the account. A new round of password authentication must then be passed before the account can be used normally; at that point the identity trust value is reset to the initial user identity trust value, and trusted interaction model detection restarts.
In specific implementation, once the user identity trust value has reached its upper limit, an update based on a reward value no longer increases it.
Behavior close to the template raises the trust value, but not beyond the upper limit (which can be taken as 100). This prevents the trust value from becoming too high after the real user has operated for a while, which an intruder could otherwise benefit from. The trusted interaction model detection process is illustrated in FIG. 5.
Algorithm 1 explains the dynamic trust concept in the trusted interaction model. The algorithm includes four parameters and a trust value function applied to each mouse action. In Algorithm 1, step 2 gives the trust value function of the trusted interaction model. The change in the trust value ($\Delta S_i$) is calculated in step 2 from the result of the regression model, where the regression result $S_i$ quantifies the degree of deviation between the current mouse behavior and the real user's behavior pattern template; ω represents the width of the sigmoid function; T represents the criterion that separates rewarding the current operation from penalizing it; and P and R represent the maximum penalty score and the maximum reward score.
When the trusted interaction model runs, the algorithm uses the regression result $S_i$ of each mouse behavior to calculate the change ($\Delta S_i$) that the behavior makes to the user identity trust value, obtains the identity trust value $TV_i$ after the action, and determines whether $TV_i$ is below the locking threshold $T_{lockout}$. If so, the user is locked and 1 is added to the lockout count L; otherwise step 2 is executed for the next action, and so on until the user stops operating. Finally, the lockout count L and the trust value curve TV are output, and ANIA/ANGA or FAR/FRR can be calculated from them with the corresponding formulas.
Figure BDA0002930006610000091
Figure BDA0002930006610000101
To verify the effect of the technical solution disclosed by the invention, the following experiments were carried out:
The regression value of the real user is set to 100 and that of negative samples to 0. LSBoost trees are used to train the regression model with 5-fold cross-validation, and the number of trees is 200. Three scenarios were set up to test the performance of the system: internal detection, external detection and self-detection.
① Scenario 1: in this scenario all data can be used for authentication. Assume a company has N employees, each with their own work account. To prevent problems caused by accidental account mix-ups, a separate trusted interaction detection system is created for each employee to detect internal impersonators. The system uses all of that employee's data as positive-class samples for training and parameter tuning, and uses the remaining N-1 users as negative-class samples. For the model to operate stably, the numbers of positive and negative samples should be basically the same. If the number of real-user samples is $k_i$, then from each negative-class user
Figure BDA0002930006610000102
samples are randomly selected for training. In FIG. 6, gray represents the training data required for the trusted interaction model of User1, and white represents the data set used for testing. This forms 32 × 31 = 992 groups of detection results.
② Scenario 2: in this scenario part of the users' data is used to train the trusted interaction model, and the data of other users not seen in training is used for authentication. It considers the case in which someone outside the company illegally logs in to an internal employee's work account, leaking company secrets or assets, and tests how well the trusted interaction model detects external intruders. One user is selected as the real user; of the remaining N-1 users,
Figure BDA0002930006610000111
users' data are used as the negative class for training, and
Figure BDA0002930006610000112
users' data are used for testing as external intruders. To keep the numbers of positive and negative samples in the training set basically the same, from each negative-class user
Figure BDA0002930006610000113
samples are randomly selected for training. In FIG. 7, gray represents the training data required for the trusted interaction model of User1, and white represents the test data set acting as external intruders. This forms 11 × 32 = 352 groups of detection results.
③ Scenario 3: in this scenario the trusted interaction model is built from part of the real user's data plus the same amount of other users' data, and the real user's remaining data is used for authentication. It considers the case in which the system accidentally locks a user who has legitimately logged in to their own account, and tests how often the trusted interaction model accidentally locks the real user. Part of one user's data is selected as the positive class, and the same amount of other users' data is selected as the negative class to train the model. However, imbalance in the data set may leave some users with too few test samples, making the results less convincing. This study therefore generated new samples with the Borderline SMOTE algorithm to support model validation. One user is selected as the real user, with the total number of samples after augmentation being $k_i$; 50% of that user's data is used as the positive class, and the same amount of data from the other N-1 users is selected as the negative class to train the trusted interaction model. Likewise, to balance the training set, from each negative-class user
Figure BDA0002930006610000114
samples are randomly selected for training. In FIG. 8, gray represents the training data required for the trusted interaction model of User1, and white represents the test data set used to test for accidental locking of the real user. This forms 1 × 32 = 32 groups of detection results.
The four main parameters of the trusted interaction model are ω, T, P and R. In trusted interaction detection we care more about the ability to detect intruders, so T is set to the average of the top 80% of sample regression values at model training. P and R both take the value 1, meaning that each action brings a reward or penalty of at most 1 to the trust score of the current user identity; the parameter ω takes the value 0.1.
A continuous authentication system is concerned not only with whether an intruder can be detected, but also with how quickly. Therefore, in addition to FAR and FRR, the classical evaluation indexes of identity authentication technology, ANIA and ANGA are also selected.
ANIA indicates how many operations an intruder can perform on average before being locked; it is calculated by dividing the number of samples in the intruder test set by the number of locks;
ANGA indicates how many mouse operations the user himself can perform before being accidentally locked; it is calculated by dividing the total number of samples in the real user's test set by the number of locks;
ATIA indicates how long an intruder can perform mouse operations before being locked; it is calculated by multiplying the average time of each operation by ANIA;
ATGA indicates how long the user can perform mouse operations before being accidentally locked; it is calculated by multiplying the average time of each operation by ANGA;
The calculation formula of each evaluation index is as follows:
Figure BDA0002930006610000121
Figure BDA0002930006610000122
Figure BDA0002930006610000123
Figure BDA0002930006610000124
ATIA=ANIA×t
ATGA=ANGA×t
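The parameters and indexes described above can be exercised on a small trace. The following is an added example, not code from the patent: the logistic form of `trust_delta`, the lock threshold of 90, the upper limit of 100, the reset after a lock, and all function names are assumptions made for illustration; only T, P, R, ω and the ANIA/ANGA/ATIA/ATGA definitions come from the text.

```python
import math

def threshold_from_training(train_scores, top_fraction=0.8):
    """T as read from the text: mean of the top 80% of training regression values."""
    ranked = sorted(train_scores, reverse=True)
    k = max(1, int(len(ranked) * top_fraction))
    return sum(ranked[:k]) / k

def trust_delta(score, T, P=1.0, R=1.0, omega=0.1):
    """ASSUMED update rule: logistic step centred on T with width omega.
    Scores above T earn at most +R, scores below T cost at most -P."""
    s = 1.0 / (1.0 + math.exp(-(score - T) / omega))
    return -P + (P + R) * s

def run_session(scores, T, lock_threshold=90.0, upper=100.0):
    """Replay per-action regression scores and count locks.
    lock_threshold and upper are assumed values. After a lock the trust value
    is reset to `upper`, as if the account owner had logged in again."""
    trust, locks, trace = upper, 0, []
    for sc in scores:
        trust = min(upper, trust + trust_delta(sc, T))  # claim 6: no gain past the cap
        trace.append(trust)
        if trust <= lock_threshold:                      # claim 1, S5
            locks += 1
            trust = upper
    return trace, locks

def actions_per_lock(n_samples, n_locks):
    """ANIA on an intruder test set, ANGA on the real user's test set."""
    return math.inf if n_locks == 0 else n_samples / n_locks

def minutes_to_lock(avg_actions, t_seconds):
    """ATIA = ANIA x t, ATGA = ANGA x t, converted from seconds to minutes."""
    return avg_actions * t_seconds / 60.0

if __name__ == "__main__":
    T = 0.5                                   # constructed threshold
    intruder = [0.0, 0.1, 0.05] * 11          # constructed low regression scores
    genuine = [0.9, 1.0, 0.45, 0.95] * 8      # constructed, mostly above T
    for name, scores in (("intruder", intruder), ("genuine", genuine)):
        _, locks = run_session(scores, T)
        print(name, "locks:", locks, "actions per lock:", actions_per_lock(len(scores), locks))
    print("ATIA (min):", round(minutes_to_lock(12.26, 7.96), 2))  # page's S1 values
```

With P = 1 and an assumed lock threshold ten points below the upper limit, an intruder cannot be locked in fewer than ten actions, which bounds ANIA from below regardless of how well the regression model separates users.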
The trusted interaction model (TIM) has four possible detection results: a non-owner judged as a non-owner (I @ I), a non-owner judged as the owner (I @ G), the owner judged as the owner (G @ G), and the owner judged as a non-owner (G @ I). The first two occur in S1 and S2 and are evaluated with ANIA; the latter two occur in S3 and are evaluated with ANGA, as shown in Table 4:
TABLE 4 results obtained in three different scenarios
Figure BDA0002930006610000125
In the detection results of scenario 1, all 992 intrusion behaviors performed against the accounts of the 32 users were detected by the trusted interaction model, so FAR is 0. The process by which a real user's trusted interaction model detects an internal impersonator is shown in FIG. 9. Based on the number of locks in each detection and the number of samples, we calculate ANIA to be 12.26 (std 5.32) according to formula x; that is, the intruder is locked by the trusted interaction model after 12.26 mouse movements on average. The average time of each action is calculated to be 7.96 s (std 6.86), which means that the TIM locks the intruder after about 1.63 min, as shown in Table 5.
Table 5 detection results of scenario 1
Figure BDA0002930006610000131
In the detection results of scenario 2, all 352 intrusion behaviors performed against the accounts of the 32 users were detected by the trusted interaction model, so FAR is 0. The process by which a real user's trusted interaction model detects an external intruder is shown in FIG. 10. Based on the number of locks in each detection and the number of samples, we calculate ANIA to be 12.31 (std 4.66) according to formula x; that is, the intruder is locked by the trusted interaction model after 12.31 mouse movements on average. As in S1, accidental locking of the real user occurs after about 1.63 min of operation, as shown in Table 6.
Table 6 detection results of scenario 2
Figure BDA0002930006610000132
In the detection results of scenario 3, of the 32 self-tests performed on the accounts of the 32 users, 30 users were never locked out and 2 users were accidentally locked out. The process by which the trusted interaction model checks a real user's mouse behavior data is shown in FIG. 11.
Among the 2 accidentally locked users, one user's trust value curve is shown in FIG. 12: the first half of the mouse behavior data causes the trust value to drop rapidly and the user to be locked multiple times, while the latter part of the data is locked. We investigated and interviewed the user about the use of the account and found that around September 2018 the user had attempted to use a mouse instead of the traditional digital control pad operation, so the collected data originated from two different interactive devices, which is basically consistent with the results in FIG. 12.
The other user was locked because the account had been used by others. The owner of the account took part in developing the website used to conduct our research, and during the initial stage of building the website other people used the account to test it. Thus, some of the data was not generated by the user. We understand that only two people other than the account owner used the account.
Since the latter user's data does not all come from the user himself, that user's results are not counted in the final result when calculating the TIM performance indexes according to the definitions of ANGA and ATGA. Therefore, the ANGA is 26.67, i.e. the intruder is locked by the trusted interaction model after 26.67 mouse movements on average. It was calculated that accidental locking of the real user occurs after about 3.54 min of operation, as shown in Table 7.
Table 7 detection results of scenario 3
Figure BDA0002930006610000141
From the analysis of the results, the TIM's untrusted-user detection index ANIA averages 12.28 over the two scenarios. Before an accidental lock on the real user occurs, the user typically performs 26.67 mouse actions, i.e. ANGA = 26.67. The TIM can lock an intruder after about 1.63 min of operation, while accidental locking of the real user occurs after about 3.54 min of operation. This indicates excellent performance of the TIM.
Finally, it is noted that the above-mentioned embodiments illustrate rather than limit the invention, and that, while the invention has been described with reference to preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (6)

1. A continuous identity authentication method based on mouse behavior time-frequency joint analysis is characterized by comprising the following steps:
S1, continuously collecting a user mouse behavior data set;
S2, extracting mouse motion behavior time domain characteristics and mouse motion behavior frequency domain characteristics from the user mouse behavior data set;
S3, generating time-frequency domain characteristics of the mouse behavior of the user based on the time-domain characteristics of the mouse behavior and the frequency-domain characteristics of the mouse behavior;
S4, inputting the time-frequency domain characteristics of the user mouse behavior into a trusted interaction model to obtain a corresponding trust value;
and S5, locking the user when the trust value is less than or equal to the locking threshold value.
2. The continuous identity authentication method based on mouse behavior time-frequency joint analysis as claimed in claim 1, wherein step S2 includes:
S201, preprocessing data in a user mouse behavior data set, deleting repeated values and null values, and sequencing according to a time sequence;
S202, calculating time domain characteristics of mouse movement behaviors based on the relation between mouse positions and time in a user mouse behavior data set;
S203, calculating the instantaneous frequency and the instantaneous energy of the characteristics related to time in the time domain characteristics of the mouse movement behaviors by using the HHT algorithm to obtain the frequency domain characteristics of the mouse movement behaviors.
3. The continuous identity authentication method based on mouse behavior time-frequency joint analysis according to claim 2, wherein in step S203, the IMF filtering rule includes: 70% of the instantaneous frequency in the high frequency component is lower than 13 Hz; the 50% instantaneous frequency in the low frequency component is higher than 0.5 Hz.
4. The continuous identity authentication method based on mouse behavior time-frequency joint analysis as claimed in claim 1, wherein step S3 includes:
S301, dividing a plurality of motion segments at intervals based on different mouse operation behaviors;
S302, generating corresponding user mouse behavior time-frequency domain characteristics based on the mouse motion behavior time-domain characteristics and the mouse motion behavior frequency-domain characteristics corresponding to each motion segment.
5. The continuous identity authentication method based on mouse behavior time-frequency joint analysis as claimed in claim 1, wherein step S4 includes:
S401, inputting the time-frequency domain characteristics of the user mouse behavior corresponding to each motion segment into a regression model, and generating a deviation value between the time-frequency domain characteristics of the user mouse behavior corresponding to each motion segment and a real user behavior mode template;
S402, inputting the deviation value into a credible interaction model, and generating a corresponding reward value or penalty value based on the difference value of the deviation value and a reward or penalty threshold value;
and S403, updating the user identity trust value based on the reward value or the penalty value, and locking the user when the user identity trust value is lower than a locking threshold value.
6. The method of claim 5, wherein the user identity trust value is not increased when the user identity trust value is updated based on the reward value after reaching an upper limit.
CN202110145423.2A 2021-02-02 2021-02-02 Continuous identity authentication method based on mouse behavior time-frequency joint analysis Pending CN112949690A (en)


Publications (1)

Publication Number Publication Date
CN112949690A (en) 2021-06-11

Family

ID=76241884


Country Status (1)

Country Link
CN (1) CN112949690A (en)




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination