CN116389114B - Static and dynamic identity consistency verification method and system - Google Patents


Info

Publication number: CN116389114B
Authority: CN (China)
Prior art keywords: user, static, reliability, identity verification, knowledge
Legal status: Active
Application number: CN202310356212.2A
Other languages: Chinese (zh)
Other versions: CN116389114A
Inventors: 肖鹏, 张振红, 胡健, 王海林, 颜颖, 张逸彬, 杭菲璐, 谢林江, 尹君, 李寒箬
Current assignee: Information Center of Yunnan Power Grid Co Ltd
Original assignee: Information Center of Yunnan Power Grid Co Ltd

Events: application filed by Information Center of Yunnan Power Grid Co Ltd; priority to CN202310356212.2A; publication of CN116389114A; application granted; publication of CN116389114B; legal status active.

Classifications

    • H04L63/0838 Network architectures or protocols for network security; authentication of entities using passwords, using one-time passwords
    • H04L63/0823 Authentication of entities using certificates
    • H04L63/0861 Authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L63/18 Network security using different networks or channels, e.g. out-of-band channels
    • H04L63/20 Managing network security; network security policies in general
    • G06F18/23213 Pattern recognition; clustering; non-hierarchical techniques using statistics or function optimisation with a fixed number of clusters, e.g. K-means clustering

Abstract

The invention discloses a static and dynamic identity consistency verification method and system. The method comprises a static authentication phase and a dynamic authentication phase. The static identity verification phase performs the primary identity verification of a logging-in user; single-factor or multi-factor one-time static verification can be carried out according to static verification modes such as password, dynamic short message password, face recognition, digital certificate or referenced third-party identity verification. The dynamic identity verification phase performs identity verification based on continuous detection of biological behavior characteristics: it performs cluster analysis with an improved Kmeans algorithm, performs uncertainty reasoning based on reliability correction, and performs model training and matching with an XGBoost algorithm after parameter optimization to obtain the final dynamic identity reliability. Based on that result it finally either authorizes access or returns to the static verification phase for re-verification, so as to improve the security and rationality of the zero trust system.

Description

Static and dynamic identity consistency verification method and system
Technical Field
The invention relates to a static and dynamic identity consistency verification method and system, and belongs to the technical field of zero trust and network security.
Background
In the era of cloud computing and big data, the network security boundary is gradually dissolving, internal and external threats are growing, and the traditional perimeter security architecture can no longer cope; the zero trust security architecture emerged in response. The zero trust security architecture rests on four key capabilities: identity as the cornerstone, secure business access, continuous trust evaluation and dynamic access control. It is a solution that constructs a dynamic virtual boundary with identity as its cornerstone, and a new generation network security architecture that realizes comprehensive identity, dynamic authorization, quantified risk and automated management.
The essence of zero trust is that identity authentication serves as the cornerstone of dynamic access control, and comprehensive identity is the premise and cornerstone of realizing zero trust, so the accuracy of user identity authentication bears directly on the security of a zero trust system. Conventional authentication is mainly static authentication, of which password-based single-factor recognition is the typical representative; but with advances in computer performance and related technologies, most systems based on this kind of authentication can be defeated by brute force alone. Subsequently, verification by biometric features such as fingerprint, voice and retina, and by unique devices such as smart cards and stamps, appeared. Although both approaches enhance the reliability of user authentication to a certain extent, they have certain limitations because of their special device requirements.
In addition, these authentication modes are all one-time: once the user has successfully logged into the system, the user holds the corresponding authority until logging out. Since zero trust emphasizes continuous trust evaluation, dynamic continuous authentication techniques are essential to zero trust systems. Existing dynamic continuous identity verification is mostly based on continuous monitoring of biological behavior characteristics such as keystroke dynamics, touch-screen dynamics, eye movement and gait. Such identity verification systems have the advantages of being non-intrusive, improving user experience and not being vulnerable to network attack, and can provide a higher level of security. However, because the user is authenticated and recognized only from individual behavior characteristics, limitations remain: for example, during the day, when illumination is sufficient, the camera can clearly recognize the user's facial expression, whereas at night, when illumination is poor, recognition of the facial expression is somewhat ambiguous. Continuous dynamic verification can also affect system performance to some extent. In view of this situation, research on fused static and dynamic identity verification technology is a problem to be solved in the field.
Disclosure of Invention
Aim of the invention: with respect to existing identity consistency verification schemes, the invention provides a safer and more reasonable identity consistency verification scheme.
Existing static identity verification schemes rely on passwords, fingerprints, smart cards and similar modes to verify users, but these are one-time verification modes, place certain requirements on equipment and do not accord with the zero trust concept; schemes that verify identity by detecting biological behavior characteristics do not take context information such as the environment into account and also have certain limitations. The invention therefore provides a static and dynamic identity consistency verification method that can be configured as required to use passwords, dynamic short message passwords, face recognition, digital certificates, referenced third-party identity verification or other modes for single-factor or multi-factor one-time static verification of users; it then performs dynamic continuous identity verification based on continuous detection of biological behavior characteristics: user data is collected continuously, cluster analysis is carried out with an improved Kmeans algorithm, uncertainty reasoning is carried out based on reliability correction, and model training and matching are carried out with an XGBoost algorithm after parameter optimization to obtain the final dynamic identity reliability. Finally, based on that result, access is authorized or the process returns to the static verification stage for re-verification, so as to improve the security and rationality of a zero trust system.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows:
A static and dynamic identity consistency verification method comprises a static authentication phase and a dynamic authentication phase. The static identity verification phase performs the primary identity verification of a logging-in user; single-factor or multi-factor one-time static verification can be carried out according to static verification modes such as password, dynamic short message password, face recognition, digital certificate or referenced third-party identity verification. The dynamic identity verification phase performs identity verification based on continuous detection of biological behavior characteristics: it performs cluster analysis with an improved Kmeans algorithm, performs uncertainty reasoning based on reliability correction, and performs model training and matching with an XGBoost algorithm after parameter optimization to obtain the final dynamic identity reliability. Based on that result it finally either authorizes access or returns to the static verification phase for re-verification, so as to improve the security and rationality of the zero trust system.
The static and dynamic identity consistency verification method specifically comprises the following steps:
Step one: perform system configuration, configure the static identity verification mode, and select one or more static identity verification modes for single-factor or multi-factor verification;
Step two: verify the user's identity according to the configuration and judge whether the user's login time exceeds the time limit t; if not, go to the next step, otherwise return to log in again;
Step three: continuously and uninterruptedly collect user information data, comprising user behavior characteristics and context information;
Step four: perform cluster analysis on the user information data with an improved Kmeans algorithm;
Step five: perform reliability correction on the cluster analysis result using the reliability correction method, and calculate the comprehensive reliability of the dynamic identity verification conclusion from the corrected knowledge reliability values, obtaining a supervised data set for training and prediction;
Step six: express the supervised data set formally, input 75% of the data as a training set into an XGBoost model whose training parameters have been optimized, and then predict the reliability of the user identity verification conclusion with the test set;
Step seven: compare the predicted conclusion reliability with a preset reliability threshold λ; if the conclusion reliability is larger than λ the user is judged reliable and may continue to access the system; if the conclusion reliability is smaller than λ the user is judged unreliable, the user's access is terminated and the process returns to static identity verification.
Because the Kmeans algorithm is sensitive to the initial centers, its clustering result is difficult to bring to the global optimum, so the flower pollination algorithm is used to optimize and improve it. The improved Kmeans algorithm is as follows:
(1) Initialize the FPA (flower pollination algorithm) control parameters: population size N, maximum number of iterations Maxgen and transition probability p;
(2) Initialize the population: randomly generate initial solutions $x_1, x_2, \ldots, x_n$ within the given upper and lower bounds and calculate the corresponding fitness values;
(3) Find the optimal solution g and its fitness value f(g) from the initial population and its fitness values;
(4) Generate a new population. Whether global or local search is used is determined by the transition probability $p \in [0,1]$: when the generated random number $\mathrm{rand} \sim U[0,1]$ is smaller than p the global search strategy is adopted, otherwise the local search strategy, with the formula:
where the first quantity denotes the position of pollen individual i after the t-th iteration update, when the individual performs the global or local search step of the flower pollination algorithm; the next two quantities denote the positions of any two pollen individuals in the population at the t-th iteration update, chosen at random and different from the position of pollen i; $\varepsilon \sim U[0,1]$; γ is the step-size control factor; and the parameter L represents the pollination strength, essentially a step size, which obeys the Lévy distribution with the formula:
λ is a constant, taken as λ = 1.5 in this algorithm; Γ(λ) is the standard gamma function; $s_0$ is the minimum step size; s is the step size, calculated as:
where μ and v are two random numbers following the normal distributions $\mu \sim N(0, \sigma^2)$ and $v \sim N(0, 1)$, and the variance $\sigma^2$ is obtained from:
(5) Update the population and the optimal solution: according to the fitness values, replace stored solutions with new solutions of better quality, and obtain the optimal solution g;
(6) Check the stopping criterion: repeat steps (4) and (5) until the maximum number of iterations is reached; the solution at that point is the initial clustering center $m_k$.
(7) Calculate the Euclidean distance between each sample x and each cluster center $m_k$, where $x_i$ is the i-th feature of sample x and $m_{ki}$ is the i-th feature of cluster center $m_k$.
(8) Assign each sample to the cluster $C_k$ corresponding to the nearest cluster center $m_k$.
(9) Calculate the mean of all samples in each cluster and update the cluster centers;
(10) Repeat steps (7), (8) and (9) until the cluster centers no longer change;
(11) Label the data according to category, obtaining the various categories of user information data.
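As an added illustration, not code from the patent, steps (1) to (11) above in pure Python: a candidate FPA solution is one whole set of k centres scored by within-cluster squared error, and K-means then refines the best set found. Because the page's own update and Lévy formulas are not reproduced here, the global/local pollination rules, Mantegna's algorithm for the Lévy step with λ = 1.5, the parameter values (N, Maxgen, p, γ) and the keystroke-timing sample are all assumptions.

```python
import math
import random
from typing import List, Sequence, Tuple

Point = List[float]

# Constructed sample (not data from the patent): two users' keystroke profiles as
# (mean key hold time in ms, mean inter-key interval in ms).
SAMPLES: List[Point] = [
    [82.0, 148.0], [88.0, 155.0], [79.0, 142.0], [91.0, 160.0], [85.0, 151.0], [86.0, 146.0],
    [198.0, 402.0], [205.0, 395.0], [192.0, 410.0], [210.0, 388.0], [201.0, 399.0], [196.0, 405.0],
]


def sq_dist(a: Sequence[float], b: Sequence[float]) -> float:
    """Squared Euclidean distance over all features (the distance of step (7))."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def sse(centers: List[Point], data: List[Point]) -> float:
    """Fitness of one candidate set of centres: total within-cluster squared error (lower is better)."""
    return sum(min(sq_dist(x, c) for c in centers) for x in data)


def levy_step(rng: random.Random, lam: float = 1.5) -> float:
    """Levy-distributed step via Mantegna's algorithm (assumed): s = mu / |v|^(1/lam) with
    mu ~ N(0, sigma^2), v ~ N(0, 1); sigma is fixed by lam through the gamma function."""
    num = math.gamma(1 + lam) * math.sin(math.pi * lam / 2)
    den = math.gamma((1 + lam) / 2) * lam * 2 ** ((lam - 1) / 2)
    sigma = (num / den) ** (1 / lam)
    mu = rng.gauss(0, sigma)
    v = rng.gauss(0, 1) or 1e-12  # guard against the (improbable) exact zero
    return mu / abs(v) ** (1 / lam)


def fpa_initial_centers(data: List[Point], k: int, n_pop: int = 20, max_gen: int = 60,
                        p: float = 0.8, gamma: float = 0.1, seed: int = 1) -> List[Point]:
    """Steps (1)-(6): flower pollination search for the initial centres.
    Assumed update rules: global pollination moves a solution towards the best solution g
    by gamma * L; local pollination adds eps * (difference of two other random solutions)."""
    rng = random.Random(seed)
    d = len(data[0])
    lo = [min(x[j] for x in data) for j in range(d)]   # lower bounds taken from the data
    hi = [max(x[j] for x in data) for j in range(d)]   # upper bounds taken from the data

    def clip(sol: List[Point]) -> List[Point]:
        return [[min(hi[j], max(lo[j], c[j])) for j in range(d)] for c in sol]

    # Step (2): random initial population inside the bounds, with fitness values.
    pop = [[[rng.uniform(lo[j], hi[j]) for j in range(d)] for _ in range(k)] for _ in range(n_pop)]
    fit = [sse(s, data) for s in pop]
    best = min(range(n_pop), key=fit.__getitem__)
    g, fg = pop[best], fit[best]                        # step (3): best solution so far
    for _ in range(max_gen):                            # step (6): stop after Maxgen rounds
        for i in range(n_pop):                          # step (4): propose a new position
            cur = pop[i]
            if rng.random() < p:                        # global search with a Levy step
                L = levy_step(rng)
                new = [[cur[c][j] + gamma * L * (g[c][j] - cur[c][j]) for j in range(d)]
                       for c in range(k)]
            else:                                       # local search between two other flowers
                a, b = rng.sample([idx for idx in range(n_pop) if idx != i], 2)
                eps = rng.random()
                new = [[cur[c][j] + eps * (pop[a][c][j] - pop[b][c][j]) for j in range(d)]
                       for c in range(k)]
            new = clip(new)
            f_new = sse(new, data)
            if f_new < fit[i]:                          # step (5): keep only improvements
                pop[i], fit[i] = new, f_new
                if f_new < fg:
                    g, fg = new, f_new
    return g


def kmeans(data: List[Point], centers: List[Point],
           max_iter: int = 100) -> Tuple[List[int], List[Point]]:
    """Steps (7)-(10): plain K-means refinement starting from the FPA centres."""
    centers = [list(c) for c in centers]
    labels = [0] * len(data)
    for _ in range(max_iter):
        labels = [min(range(len(centers)), key=lambda c: sq_dist(x, centers[c])) for x in data]
        new_centers = []
        for c, centre in enumerate(centers):
            members = [x for x, lab in zip(data, labels) if lab == c]
            if not members:                             # empty cluster: keep its old centre
                new_centers.append(centre)
                continue
            new_centers.append([sum(x[j] for x in members) / len(members) for j in range(len(centre))])
        if new_centers == centers:                      # step (10): centres unchanged
            break
        centers = new_centers
    return labels, centers


def cluster_user_profiles(data: List[Point] = SAMPLES, k: int = 2) -> List[int]:
    """Step (11): label every sample with its cluster id."""
    labels, _ = kmeans(data, fpa_initial_centers(data, k))
    return labels
```

The search runs in any dimension and for any k; on the constructed profiles the two users' samples land in different clusters.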
The reliability correction algorithm referred to above is as follows:
(1) Let $CE_x = \{C_1, C_2, \ldots, C_n\}$ be the user information data of the currently accessing user, comprising the user's behavior information and its context information, where $C_i$ (i = 1, 2, ..., n) is an information parameter;
(2) For each piece of information, give a measure $CF(X, C_i)$ of the credibility that the knowledge supports the user authentication conclusion X, with a value between -1 and 1, where 1 represents complete confidence and -1 complete disbelief; give each piece of information an importance weight $w_i$, where:
(3) Calculate the average credibility of the knowledge:
(4) Calculate, for each piece of information, the distance between its knowledge credibility and the average knowledge credibility:
(5) Calculate the credibility correction value of the knowledge:
The algorithm for the integrated credibility is as follows:
(1) Give the credibility $CF(C_i)$ of each piece of information;
(2) Calculate the credibility of the user identity verification conclusion when each piece of information acts alone: $CF_i(X) = CF(C_i)\,CF'(X, C_i)$;
(3) Synthesize the first and second pieces of knowledge with the following formula, then synthesize the result with the third, and so on, finally obtaining the comprehensive credibility of the conclusion:
A static and dynamic identity consistency verification system comprises a static verification module, an acquisition module, a data processing module, a training prediction module and a result execution module;
the static verification module performs the primary identity verification of a logging-in user and can, as required, carry out single-factor or multi-factor one-time static identity verification in static verification modes such as password, dynamic short message password, face recognition, digital certificate or referenced third-party identity verification;
The static verification module performs the primary verification of the logging-in user's identity. A software password mode may be used, in which the user provides the required account password for verification; or a hardware smart card, inserted into dedicated reading equipment, may be used; or biometric identification, in which the user's fingerprint, palm, retina, iris or other biometric feature is compared with data in the database. The static verification module can also communicate with a third-party system and make use of a static verification mode provided by that system. Besides single-factor verification, the static verification module can perform multi-factor static verification by configuring several modes.
Because the static verification mode is one-time, resources in the system can be accessed once verification has succeeded. To ensure system security, a time period t is therefore set, and when the user's login time exceeds this period, static identity verification must be performed again.
The acquisition module continuously collects the user's behavior characteristics and their context information and stores the collected data in the database for use by the other modules; this is the first step of continuous user authentication. Various user operation information is collected through devices such as sensors, including authentication frequency, login time and overseas IP access, together with user behavior information such as keystroke dynamics, body posture, eye movement and walking gait. The collection covers not only user data but also environmental context, location context, time context and any other contextual information related to each authentication or access attempt, all of which is stored in the database.
The data processing module preprocesses the collected raw data, performs cluster analysis on the user data with the improved Kmeans algorithm, performs reliability correction on knowledge such as the user behavior characteristics and context information using the reliability correction method, and calculates the comprehensive reliability of the dynamic identity verification conclusion from the corrected knowledge reliability values;
The data processing module mainly preprocesses the collected raw data: it performs min-max normalization, handles missing data, discards noise and redundant data, and integrates data from different sources. It then performs cluster analysis on the user data with the improved Kmeans algorithm, handles class imbalance in the data and labels the data according to category. Taking into account that the reliability of the collected information influences the conclusion to different degrees, it performs reliability correction on knowledge such as the user and context information using the reliability correction method, and calculates the comprehensive reliability of the dynamic identity verification conclusion from the corrected knowledge reliability values, obtaining a supervised data set for training and prediction.
The training prediction module trains a model with the XGBoost algorithm, and the trained model is used to predict the user's dynamic identity verification result;
The result execution module compares the credibility of the user's dynamic authentication conclusion predicted by the model with the set credibility threshold λ to judge the dynamic authentication result, and displays information such as user behavior, context information, the static authentication result and the dynamic authentication result.
The result processing module of the invention compares the credibility of the dynamic user identity verification conclusion predicted by the model with the set credibility threshold λ: when the conclusion credibility is greater than or equal to λ, verification succeeds and authorized access is granted; otherwise verification fails and the process returns to the static verification stage for re-verification. The result processing module also displays information such as user behavior, context information, static verification results and dynamic verification results, to help the administrator analyze and handle the situation.
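Added example, not the patent's own code, covering the integrated-credibility steps (2) and (3) above and the result module's comparison against λ: each source's credibility CF(C_i) scales the corrected knowledge credibility CF'(X, C_i), the per-information values are synthesized two at a time, and the total decides between continued access and a return to static verification. The patent's synthesis formula is not reproduced in this text, so the classic MYCIN certainty-factor combination rule stands in for it as an assumption, and the evidence values are constructed.

```python
from typing import List, Tuple

# Constructed evidence (not data from the patent). Each tuple is
# (information C_i, CF(C_i): reliability of that information source,
#  CF'(X, C_i): corrected credibility that C_i supports the conclusion X
#  "the current user is the logged-in user"). A low-light night-time camera
# is itself a less reliable source than keystroke timing.
EVIDENCE: List[Tuple[str, float, float]] = [
    ("keystroke dynamics", 0.95, 0.80),
    ("walking gait", 0.90, 0.60),
    ("face recognition, night, low light", 0.40, -0.70),
    ("login location", 0.85, 0.30),
]


def per_information_cf(source_reliability: float, knowledge_cf: float) -> float:
    """Step (2): CF_i(X) = CF(C_i) * CF'(X, C_i), the conclusion's credibility when
    information i acts alone. An unreliable source scales its own evidence down."""
    return source_reliability * knowledge_cf


def combine_cf(cf1: float, cf2: float) -> float:
    """Synthesize two credibilities into one. ASSUMPTION: the patent's own synthesis
    formula is not reproduced in this text, so the classic MYCIN certainty-factor
    combination rule is used as a stand-in."""
    if cf1 >= 0 and cf2 >= 0:
        return cf1 + cf2 - cf1 * cf2
    if cf1 <= 0 and cf2 <= 0:
        return cf1 + cf2 + cf1 * cf2
    den = 1 - min(abs(cf1), abs(cf2))
    return (cf1 + cf2) / den if den else 0.0  # +1 against -1 is undefined; treat as neutral


def integrated_cf(evidence: List[Tuple[str, float, float]]) -> float:
    """Step (3): synthesize the first and second, then the result with the third, and so on."""
    cfs = [per_information_cf(rel, cf) for _, rel, cf in evidence]
    total = cfs[0]
    for cf in cfs[1:]:
        total = combine_cf(total, cf)
    return total


def decide(conclusion_cf: float, threshold: float) -> str:
    """Result module: credibility >= lambda keeps the session; anything lower terminates
    access and sends the user back to static verification."""
    return "continue_access" if conclusion_cf >= threshold else "terminate_and_reverify"


if __name__ == "__main__":
    cf = integrated_cf(EVIDENCE)
    print(round(cf, 4), decide(cf, 0.90), decide(cf, 0.80))
```

With the constructed evidence the contradicting low-light face result barely dents the total because its source reliability is low; the same threshold λ then decides whether the session continues.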
the training prediction module adopts XGBoost algorithm to perform model training, and formally represents user behavior data and context information into the following form:
wherein X is i (i=1, 2, …, n) represents a precondition; y is Y j (j=1, 2, …, m) represents a conclusion;the reliability factor is used for representing the reliability of the related precondition, 75% of data is used as a training set to be input into the XGBoost model for training, and finally, the result is used for predicting the dynamic identity verification result of the user.
Because XGBoost model parameter values can greatly affect their accuracy, optimization of parameters is an important step in model training. The global optimization problem is solved by using the pollination algorithm, and parameters such as the number of the base classifiers, the learning rate, the maximum tree depth, the minimum leaf weight and the like are optimized, so that the accuracy of the model is improved.
The technology not mentioned in the present invention refers to the prior art.
The static and dynamic identity consistency verification method and system combine the static and dynamic verification modes, adapt to most scenarios, provide continuous identity consistency verification, improve the security of the zero trust system and accord with the zero trust concept; the flower pollination algorithm tunes the parameters of the Kmeans and XGBoost algorithms, improving their accuracy; the reliability of premises and conclusions is optimized by the reliability correction method, so that factors such as equipment acquisition do not affect identity verification accuracy; and during dynamic continuous identity verification the user is not required to perform any additional authentication action, so the verification is completely transparent to the user and user experience is improved.
Drawings
Fig. 1 is a process flow diagram of an authentication system according to the present invention.
FIG. 2 is a block diagram illustrating the present invention.
FIG. 3 is a flowchart of the improved Kmeans algorithm of the present invention.
Detailed Description
For a better understanding of the present invention, the following examples are further illustrated, but are not limited to the following examples.
A static and dynamic identity consistency verification method comprises a static identity verification stage and a dynamic identity verification stage. The static identity verification stage performs the primary identity verification of a logging-in user; single-factor or multi-factor one-time static verification can be carried out, as required, by configuring password, dynamic short message password, face recognition, digital certificate, referenced third-party identity verification or other modes. In the dynamic identity verification stage, user behavior information and context information are continuously collected and analyzed: cluster analysis is performed with the improved Kmeans algorithm, uncertainty reasoning is performed based on reliability correction, and model training and prediction are then performed with the XGBoost algorithm after parameter optimization, yielding the final dynamic identity reliability. Finally, based on that result, access is authorized or the process returns to the static verification stage for re-verification.
Figure 1 shows a process flow diagram of an authentication system according to the invention.
Step S101: and (3) carrying out system configuration, configuring a static identity verification mode, and selecting one or more than two static identity verification modes to carry out single-factor or multi-factor verification.
Step S102: carrying out identity verification on the user according to the configuration, judging whether the login time of the user exceeds the time limit, and if not, going to the next step; otherwise, returning to log in again.
Step S103: and continuously collecting user information data, wherein the user information data comprises user behavior characteristics and context information.
Step S104: and (3) preprocessing data, and performing cluster analysis on the user information data by using an improved Kmeans algorithm.
Step S105: and carrying out reliability correction on the result of the cluster analysis based on the reliability correction mode, and calculating the comprehensive reliability of the dynamic identity verification conclusion by utilizing the corrected knowledge reliability value to obtain a supervision data set for training and prediction.
Step S106: and formally representing the supervision data set, inputting 75% of data as a training set into the XGBoost model with optimized training parameters, and predicting the credibility of the conclusion of the user identity verification by using the test set.
Step S107: by comparing the predicted conclusion reliability with a preset reliability threshold lambda, if the conclusion reliability is larger than the reliability threshold lambda, the user is judged to be reliable, and the user can continue to access the system; if the reliability of the conclusion is smaller than the reliability threshold lambda, the user is judged to be not reliable, the access of the user is terminated, and the static identity verification is carried out in a returning mode.
Fig. 2 shows a block diagram of the present invention. The system specifically comprises a static verification module, an acquisition module, a data processing module, a training prediction module and a result execution module.
The static verification module is used for primary identity verification of a login user, and can carry out single-factor or multi-factor static one-time identity verification on the user by configuring passwords, dynamic short message passwords, face recognition, digital certificates or referenced third-party identity verification and the like according to requirements.
The static verification module is used for primary verification of the identity of the login user, and a software password mode can be used for enabling the user to provide a required account password for identity verification; or a hardware smart card is used, and is inserted into special equipment for reading to perform identity verification; or using biometric identification, comparing the biometric features of the user, such as fingerprint, palm, retina, iris, etc., with the data in the database for authentication, etc. In addition, the static authentication module can also communicate with a third party system, and refers to a static authentication mode provided by the third party system. The static authentication module can perform not only the single-factor authentication, but also multi-factor static authentication by configuring a plurality of modes.
Because the static verification mode is a one-time verification, that is, resources in the system can be accessed once verification succeeds, a time period t needs to be set in order to ensure the security of the system; when the user's login time exceeds this period, static identity verification must be performed again.
The acquisition module is used for continuously acquiring the user behavior characteristics and their context information and storing the acquired data in a database for the other modules to use. This is the first step in continuous authentication of the user. Various user operation information is collected through devices such as sensors, including authentication frequency, login time, overseas IP access and the like, together with user behavior information including keystroke dynamics, body posture, eye movement, walking gait, etc. The collection covers not only the user data but also the environmental context, location context, time context and any other contextual information related to each authentication or access attempt, all of which is stored in a database.
The data processing module is used for preprocessing the collected original data, carrying out cluster analysis on the user data information through an improved Kmeans algorithm, carrying out reliability correction on the user behavior characteristics, the knowledge such as the context information and the like based on a reliability correction mode, and calculating the comprehensive reliability of the dynamic identity verification conclusion by utilizing the corrected knowledge reliability value.
The data processing module is mainly used for preprocessing the collected original data, carrying out min-max standardization processing, simultaneously processing lost data, discarding noise and redundant data, and integrating data from different sources. And then carrying out cluster analysis on the user data information through an improved Kmeans algorithm, processing unbalance of the data, and carrying out marking processing according to the category. And taking different influences of the reliability of the acquired information on the conclusion into consideration, carrying out reliability correction on the knowledge such as the user and the context information thereof based on a reliability correction mode, and calculating the comprehensive reliability of the dynamic identity verification conclusion by utilizing the corrected knowledge reliability value to obtain a supervision data set for training and prediction.
The training prediction module adopts the XGBoost algorithm for model training, and the trained model is used to predict the user's dynamic identity verification result. User behavior data and context information are formally represented in the following form:
wherein X_i (i = 1, 2, …, n) represents a precondition; Y_j (j = 1, 2, …, m) represents a conclusion; the reliability factor represents the reliability of the related precondition. 75% of the data is used as a training set and input into the XGBoost model for training, and the trained model is finally used to predict the user's dynamic identity verification result.
The result execution module is used for comparing the credibility of the user's dynamic authentication conclusion predicted by the model with a set credibility threshold lambda to judge the dynamic authentication result, and for displaying information such as user behavior, context information, the static authentication result and the dynamic authentication result.
FIG. 3 shows a process flow diagram of the modified Kmeans algorithm, specifically as follows:
step S301: the FPA control parameters are initialized. The control parameters include population size (N), maximum iteration number (Maxgen) and transition probability p.
Step S302: Initializing the population. Initial solutions x_1, x_2, …, x_n are randomly generated within the given upper and lower bounds, and their corresponding fitness values are calculated.
Step S303: the best solution is obtained from the initial population. And finding out the optimal solution g and the fitness value f (g) according to the initial population and the fitness value thereof.
Step S304: A new population is generated. Whether global search or local search is adopted is determined by the transition probability p ∈ [0,1]: when the generated random number rand ∈ U[0,1] is smaller than p, the global search strategy is adopted, otherwise the local search strategy is adopted, with the following formula:
wherein the updated position term represents the specific pollen position of pollen individual i after the t-th iteration update when the individual performs a global or local search step in the flower pollination algorithm; the two further position terms represent the specific pollen positions of any two pollen individuals in the pollen population at the t-th iteration update, selected at random and different from the position of pollen i; ε ~ U[0,1]; γ is the step size control factor; the parameter L represents the pollination strength, essentially a step size obeying the Lévy distribution, with the following formula:
λ is a constant, taken as λ = 1.5 in this algorithm; Γ(λ) is the standard gamma function; s_0 is the minimum step size; s is the step size, calculated by the following formula:
wherein μ and v are two random numbers following the normal distributions μ ~ N(0, σ²) and v ~ N(0, 1), where the variance σ² is obtained by the following formula:
step S305: the population and best solution are updated. According to the fitness value, a new solution of better quality than the stored solution is replaced and the best solution g is obtained.
Step S306: Check the stop criterion. Steps S304 and S305 are repeated until the maximum number of iterations is reached. The solution at this point is the initial cluster center m_k.
Step S307: Calculating the Euclidean distance between each sample x and each cluster center m_k, wherein x_i is the i-th feature of sample x and m_ki is the i-th feature of the cluster center m_k.
Step S308: Assigning each sample to the cluster C_k corresponding to the cluster center m_k closest to the sample.
Step S309: and calculating the average value of all samples in each cluster, and updating the cluster center.
Step S310: Steps S307, S308 and S309 are repeated until the cluster centers no longer change.
Step S311: Marking is carried out according to the category to obtain the user's various categories of information data.
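Steps S301 to S311 carried through in Python, as an added example that is not the patent's code. The pollination update rules, Mantegna's draw for the Lévy step size, the clamp to s_0 and the inertia fitness are assumptions taken from the standard flower pollination algorithm, because this page does not reproduce the formulas; the 2-D feature points are constructed.

```python
import math
import random

LAMBDA = 1.5  # Levy exponent lambda, as stated on the page


def levy_sigma(lam=LAMBDA):
    """Standard deviation sigma for Mantegna's Levy draw (assumed; the page's sigma^2 formula is not shown)."""
    num = math.gamma(1 + lam) * math.sin(math.pi * lam / 2)
    den = math.gamma((1 + lam) / 2) * lam * 2 ** ((lam - 1) / 2)
    return (num / den) ** (1 / lam)


def levy_step(rng, s0=0.01, lam=LAMBDA):
    """Pollination strength L: s = mu / |v|^(1/lambda) with mu ~ N(0, sigma^2), v ~ N(0, 1),
    clamped so that |s| never falls below the minimum step size s0 (assumed form)."""
    mu = rng.gauss(0.0, levy_sigma(lam))
    v = rng.gauss(0.0, 1.0)
    s = mu / (abs(v) ** (1 / lam) or 1e-12)
    return s if abs(s) >= s0 else math.copysign(s0, s or 1.0)


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def inertia(centres, points):
    """Fitness of a candidate set of centres: total squared distance to the nearest centre (lower is better)."""
    return sum(min(sq_dist(p, m) for m in centres) for p in points)


def fpa_initial_centres(points, k, n_pop=30, maxgen=80, p=0.8, gamma=0.1, seed=1):
    """Steps S301-S306: choose k initial cluster centres with the flower pollination algorithm.
    One pollen individual is the k centres flattened into a single vector of length k*d."""
    rng = random.Random(seed)
    d = len(points[0])
    lo = [min(pt[j] for pt in points) for j in range(d)] * k  # lower bound per coordinate
    hi = [max(pt[j] for pt in points) for j in range(d)] * k  # upper bound per coordinate

    def unflatten(sol):
        return [sol[i * d:(i + 1) * d] for i in range(k)]

    def fit(sol):
        return inertia(unflatten(sol), points)

    pop = [[rng.uniform(l, h) for l, h in zip(lo, hi)] for _ in range(n_pop)]  # S302
    fits = [fit(sol) for sol in pop]
    best = min(range(n_pop), key=fits.__getitem__)  # S303
    g, f_g = pop[best][:], fits[best]
    for _ in range(maxgen):  # S306: iterate until Maxgen is reached
        for i in range(n_pop):  # S304: generate a new population
            if rng.random() < p:
                # global pollination (assumed rule): x_i^{t+1} = x_i^t + gamma * L * (g - x_i^t)
                L = levy_step(rng)
                new = [x + gamma * L * (gx - x) for x, gx in zip(pop[i], g)]
            else:
                # local pollination (assumed rule): x_i^{t+1} = x_i^t + eps * (x_j^t - x_k^t), j, k != i
                j, kk = rng.sample([n for n in range(n_pop) if n != i], 2)
                eps = rng.random()
                new = [x + eps * (a - b) for x, a, b in zip(pop[i], pop[j], pop[kk])]
            new = [min(max(x, l), h) for x, l, h in zip(new, lo, hi)]  # stay within the bounds
            f_new = fit(new)
            if f_new < fits[i]:  # S305: keep only a better solution
                pop[i], fits[i] = new, f_new
                if f_new < f_g:
                    g, f_g = new[:], f_new
    return unflatten(g)


def kmeans(points, centres, max_iter=100):
    """Steps S307-S310: Lloyd iterations from the given centres until the centres stop changing."""
    centres = [c[:] for c in centres]
    for _ in range(max_iter):
        # S307-S308: assign each sample to its nearest centre by Euclidean distance
        labels = [min(range(len(centres)), key=lambda c: sq_dist(pt, centres[c])) for pt in points]
        new = []
        for c in range(len(centres)):  # S309: move each centre to the mean of its cluster
            members = [pt for pt, lab in zip(points, labels) if lab == c]
            new.append([sum(col) / len(members) for col in zip(*members)] if members else centres[c])
        if new == centres:  # S310: stop when no centre moved
            break
        centres = new
    labels = [min(range(len(centres)), key=lambda c: sq_dist(pt, centres[c])) for pt in points]
    return centres, labels


def improved_kmeans(points, k, seed=1):
    """S301-S311: FPA-chosen initial centres, then Kmeans; returns centres and per-sample category labels."""
    return kmeans(points, fpa_initial_centres(points, k, seed=seed))


def constructed_sessions(seed=7, per_group=10):
    """Constructed sample data: three well-separated groups of 2-D behaviour features
    (think normalised keystroke interval and login hour), used only as an illustration."""
    rng = random.Random(seed)
    groups = [(0.0, 0.0), (10.0, 10.0), (0.0, 10.0)]
    return [[cx + rng.gauss(0, 0.5), cy + rng.gauss(0, 0.5)] for cx, cy in groups for _ in range(per_group)]


if __name__ == "__main__":
    pts = constructed_sessions()
    centres, labels = improved_kmeans(pts, 3)
    print("centres:", [[round(v, 2) for v in c] for c in centres])
    print("inertia:", round(inertia(centres, pts), 3))
```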
The reliability correction algorithm is as follows:
(1) Let CE_x = {C_1, C_2, ..., C_n} be the user information data of the currently accessing user, comprising user behavior information and its context information, where C_i (i = 1, 2, ..., n) is an information parameter;
(2) For each piece of information, provide a confidence measure CF(X, C_i) of the knowledge about the user identity verification result X, with a value between -1 and 1, where 1 represents extreme confidence and -1 represents extreme distrust, and provide an importance weight w_i for each piece of information, wherein
(3) Calculating the average credibility of knowledge
(4) Calculating the distance between the knowledge credibility and the knowledge average credibility of each information:
(5) Calculating a confidence level correction value of the knowledge:
the algorithm for integrating the confidence level is as follows:
(1) Providing the credibility CF(C_i);
(2) Calculating the credibility of the user identity verification result when each piece of information acts independently: CF_i(X) = CF(C_i)·CF′(X, C_i);
(3) Synthesizing the first and second pieces of knowledge with the following formula, then synthesizing the result with the third piece of knowledge, and so on, finally obtaining the comprehensive credibility of the conclusion:
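The reliability correction, the credibility integration and the threshold decision of step S107, as an added Python example that is not the patent's code. The page gives the CF range, the product CF_i(X) = CF(C_i)·CF′(X, C_i) and the threshold rule; the weighted-average form of the average credibility, the distance-based correction and the pairwise synthesis rule (the standard certainty-factor composition) are assumptions, as the page's formulas are not reproduced, and the evidence values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Evidence:
    """One information parameter C_i of the current user's data CE_x."""
    name: str      # e.g. keystroke dynamics, login time, overseas IP access
    cf_x_c: float  # CF(X, C_i): support of C_i for the conclusion X "the user is genuine", in [-1, 1]
    weight: float  # importance weight w_i (the weights of one CE_x sum to 1)
    cf_c: float    # CF(C_i): reliability of the acquired information itself, in [0, 1]


def validate(evidence):
    """Reject inputs outside the ranges the scheme defines."""
    if not evidence:
        raise ValueError("no evidence")
    if abs(sum(e.weight for e in evidence) - 1.0) > 1e-9:
        raise ValueError("importance weights must sum to 1")
    for e in evidence:
        if not (-1.0 <= e.cf_x_c <= 1.0 and 0.0 <= e.cf_c <= 1.0 and 0.0 <= e.weight <= 1.0):
            raise ValueError(f"out-of-range value for {e.name}")


def average_reliability(evidence):
    """Correction step (3): average knowledge credibility, taken here as the w_i-weighted mean (assumed form)."""
    return sum(e.weight * e.cf_x_c for e in evidence)


def corrected_reliability(evidence):
    """Correction steps (4) and (5): distance d_i of each CF(X, C_i) from the average, then CF'(X, C_i).
    Hypothetical correction: shrink each CF toward the average by the factor (1 - d_i/2), so an
    information source that disagrees strongly with the others is damped rather than trusted outright."""
    avg = average_reliability(evidence)
    corrected = {}
    for e in evidence:
        d = abs(e.cf_x_c - avg)                                    # step (4), d in [0, 2]
        corrected[e.name] = avg + (e.cf_x_c - avg) * (1 - d / 2)  # step (5), stays within [-1, 1]
    return corrected


def combine_cf(cf1, cf2):
    """Pairwise synthesis of two certainty factors (standard CF composition rule, assumed for
    the page's unreproduced formula)."""
    if cf1 >= 0 and cf2 >= 0:
        return cf1 + cf2 - cf1 * cf2
    if cf1 < 0 and cf2 < 0:
        return cf1 + cf2 + cf1 * cf2
    denom = 1 - min(abs(cf1), abs(cf2))
    return 0.0 if denom == 0 else (cf1 + cf2) / denom


def comprehensive_reliability(evidence):
    """Integration steps (1)-(3): CF_i(X) = CF(C_i) * CF'(X, C_i), then fold the CF_i pairwise."""
    validate(evidence)
    corrected = corrected_reliability(evidence)
    cfs = [e.cf_c * corrected[e.name] for e in evidence]
    total = cfs[0]
    for cf in cfs[1:]:
        total = combine_cf(total, cf)
    return total


def decide(evidence, lam):
    """Step S107: above the threshold lambda the session continues; otherwise access is terminated
    and the user is sent back to static identity verification."""
    cf = comprehensive_reliability(evidence)
    return ("continue" if cf > lam else "terminate_and_reverify"), cf


# Constructed sample for one session: three signals say the user is genuine, one (an overseas
# IP access) disagrees; the weights sum to 1.
SAMPLE_EVIDENCE = [
    Evidence("keystroke_dynamics", 0.8, 0.4, 0.9),
    Evidence("login_time", 0.6, 0.2, 1.0),
    Evidence("overseas_ip_access", -0.7, 0.3, 0.8),
    Evidence("eye_movement", 0.5, 0.1, 0.5),
]

if __name__ == "__main__":
    verdict, cf = decide(SAMPLE_EVIDENCE, lam=0.6)
    print(f"comprehensive reliability = {cf:.3f} -> {verdict}")
```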
the static and dynamic identity consistency verification method can be used for carrying out single-factor or multi-factor static one-time identity verification on the user in the modes of configuring passwords, dynamic short message passwords, face recognition, digital certificates or quoted third-party identity verification and the like according to requirements. And then carrying out dynamic continuous identity verification based on continuous detection of user behaviors and context information thereof, carrying out cluster analysis by using an improved Kmeans algorithm, simultaneously carrying out uncertainty reasoning based on a reliability correction mode, and then carrying out model training and prediction by using an XGBoost algorithm after parameter optimization to obtain final reliability. And finally, executing authorized access based on the result or exiting to a static verification stage for re-verification, thereby improving the security and rationality of the zero trust system. The method can adapt to most scenes, has continuous identity consistency verification capability, improves the safety of a zero trust system, accords with the zero trust concept, and has high accuracy and good user experience.
The method and the system provided by the invention can effectively solve the problems of complexity, insufficient safety and the like of the current identity authentication mode, combine the advantages of static authentication and dynamic authentication, have the advantages of user friendliness, have continuous authentication capability, can adapt to most scenes and accord with the zero trust concept. It should be noted that modifications and adaptations to the present invention may occur to one skilled in the art without departing from the principles of the present invention and are intended to be comprehended within the scope of the present invention. The components not explicitly described in this embodiment can be implemented by using the prior art.

Claims (7)

1. A static and dynamic identity consistency verification method is characterized in that: comprising the following steps: a static authentication phase and a dynamic authentication phase; the static identity verification stage is used for carrying out primary identity verification on a login user, and carrying out single-factor or multi-factor static one-time identity verification on the user in a static identity verification mode; the dynamic identity verification stage performs identity verification based on continuous detection of biological behavior characteristics, performs cluster analysis by using an improved Kmeans algorithm, performs uncertainty reasoning based on reliability correction, then performs model training and matching by using an XGBoost algorithm after parameter optimization to obtain final dynamic identity reliability, and finally performs authorized access or exits to a static verification stage based on the result to perform re-verification; the method specifically comprises the following steps:
step one: performing system configuration, configuring a static identity verification mode, and selecting one or more than two static identity verification modes to perform single-factor or multi-factor verification;
step two: carrying out identity verification on the user according to the configuration, judging whether the login time of the user exceeds a time limit t, if not, turning to the next step, otherwise, returning to re-login;
step three: continuously and uninterruptedly collecting user information data, wherein the user information data comprises user behavior characteristics and context information;
step four: performing cluster analysis on the user information data by using an improved Kmeans algorithm;
step five: performing reliability correction on the clustering analysis result based on the reliability correction mode, and calculating the comprehensive reliability of the dynamic identity verification conclusion by utilizing the corrected knowledge reliability value to obtain a supervision data set for training and prediction;
step six: the supervision data set is expressed in a formalized mode, 75% of data is used as a training set to be input into an XGBoost model with optimized training parameters, and then the reliability of a conclusion of user identity verification is predicted by using a testing set;
step seven: comparing the predicted conclusion reliability with a preset reliability threshold lambda; if the conclusion reliability is larger than the reliability threshold lambda, the user is judged to be reliable and can continue to access the system; if the conclusion reliability is smaller than the reliability threshold lambda, the user is judged to be unreliable, the user's access is terminated, and the flow returns to static identity verification.
2. The method of claim 1, wherein: in the fourth step, the improved Kmeans algorithm is specifically as follows:
(1) Initializing FPA control parameters, wherein the control parameters comprise a population size N, a maximum iteration number Maxgen and a transition probability p;
(2) Initializing the population: randomly generating initial solutions x_1, x_2, …, x_n within the given upper and lower bounds and calculating their corresponding fitness values;
(3) Finding out an optimal solution g and a fitness value f (g) according to the initial population and the fitness value thereof;
(4) Generating a new population: whether global search or local search is adopted is determined by the transition probability p ∈ [0,1]; when the generated random number rand ∈ U[0,1] is smaller than p, the global search strategy is adopted, otherwise the local search strategy is adopted, with the following formula:
wherein the updated position term represents the specific pollen position of pollen individual i after the t-th iteration update when the individual performs a global or local search step in the flower pollination algorithm; the two further position terms represent the specific pollen positions of any two pollen individuals in the pollen population at the t-th iteration update, selected at random and different from the position of pollen i; ε ~ U[0,1]; γ is the step size control factor; the parameter L represents the pollination strength, essentially a step size obeying the Lévy distribution, with the following formula:
λ is a constant, taken as λ = 1.5 in this algorithm; Γ(λ) is the standard gamma function; s_0 is the minimum step size; s is the step size, calculated by the following formula:
wherein μ and v are two random numbers following the normal distributions μ ~ N(0, σ²) and v ~ N(0, 1), where the variance σ² is obtained by the following formula:
(5) Updating the population and the optimal solution, replacing a new solution with better quality than the stored solution according to the fitness value, and obtaining the optimal solution g;
(6) Checking the stop criterion: repeating steps (4) and (5) until the maximum number of iterations is reached; the solution at this point is the initial cluster center m_k;
(7) Calculating the Euclidean distance between each sample x and each cluster center m_k, wherein x_i is the i-th feature of sample x and m_ki is the i-th feature of the cluster center m_k;
(8) Assigning each sample to the cluster C_k corresponding to the cluster center m_k closest to the sample;
(9) Calculating the average value of all samples in each cluster, and updating a cluster center;
(10) Repeating the steps (7), (8) and (9) until the clustering center is unchanged;
(11) And carrying out marking processing according to the category to obtain various information data of the user.
3. A method according to claim 1 or 2, characterized in that: in the fifth step, the reliability correction algorithm is as follows:
(1) Let CE_x = {C_1, C_2, ..., C_n} be the user information data of the currently accessing user, comprising user behavior information and its context information, where C_i (i = 1, 2, ..., n) is an information parameter;
(2) For each piece of information, provide a confidence measure CF(X, C_i) of the knowledge about the user identity verification result X, with a value between -1 and 1, where 1 represents extreme confidence and -1 represents extreme distrust, and provide an importance weight w_i for each piece of information, wherein
(3) Calculating the average credibility of knowledge
(4) Calculating the distance between the knowledge credibility and the knowledge average credibility of each information:
(5) Calculating a confidence level correction value of the knowledge:
the algorithm for integrating the confidence level is as follows:
(1) Providing the credibility CF(C_i);
(2) Calculating the credibility of the user identity verification result when each piece of information acts independently: CF_i(X) = CF(C_i)·CF′(X, C_i);
(3) Synthesizing the first and second pieces of knowledge with the following formula, then synthesizing the result with the third piece of knowledge, and so on, finally obtaining the comprehensive credibility of the conclusion:
4. a static and dynamic identity consistency verification system, characterized by: comprising the following steps: the system comprises a static verification module, an acquisition module, a data processing module, a training prediction module and a result execution module;
the static authentication module is used for carrying out single-factor or multi-factor static one-time identity authentication on the user by adopting a static identity authentication mode for the initial identity authentication of the login user;
the acquisition module is used for continuously acquiring the user behavior characteristics and the context information thereof and storing the acquired data in the database for other modules to use;
the data processing module is used for preprocessing the collected original data, carrying out cluster analysis on the user behavior characteristics through an improved Kmeans algorithm, carrying out reliability correction on the user behavior characteristics and the context information thereof based on a reliability correction mode, and calculating the comprehensive reliability of the dynamic identity verification conclusion by utilizing the corrected knowledge reliability value;
the training prediction module is used for carrying out model training by adopting an XGBoost algorithm, and the trained model is used for predicting a user dynamic identity verification result;
and the result execution module is used for comparing the credibility of the dynamic user identity verification conclusion predicted by the model with a set credibility threshold lambda to judge the dynamic identity verification result and displaying the user behavior, the context information, the static verification result and the dynamic verification result.
5. The system as set forth in claim 4, wherein: the improved Kmeans algorithm is specifically as follows:
(1) Initializing FPA control parameters, wherein the control parameters comprise a population size N, a maximum iteration number Maxgen and a transition probability p;
(2) Initializing the population: randomly generating initial solutions x_1, x_2, …, x_n within the given upper and lower bounds and calculating their corresponding fitness values;
(3) Finding out an optimal solution g and a fitness value f (g) according to the initial population and the fitness value thereof;
(4) Generating a new population: whether global search or local search is adopted is determined by the transition probability p ∈ [0,1]; when the generated random number rand ∈ U[0,1] is smaller than p, the global search strategy is adopted, otherwise the local search strategy is adopted, with the following formula:
wherein the updated position term represents the specific pollen position of pollen individual i after the t-th iteration update when the individual performs a global or local search step in the flower pollination algorithm; the two further position terms represent the specific pollen positions of any two pollen individuals in the pollen population at the t-th iteration update, selected at random and different from the position of pollen i; ε ~ U[0,1]; γ is the step size control factor; the parameter L represents the pollination strength, essentially a step size obeying the Lévy distribution, with the following formula:
λ is a constant, taken as λ = 1.5 in this algorithm; Γ(λ) is the standard gamma function; s_0 is the minimum step size; s is the step size, calculated by the following formula:
wherein μ and v are two random numbers following the normal distributions μ ~ N(0, σ²) and v ~ N(0, 1), where the variance σ² is obtained by the following formula:
(5) Updating the population and the optimal solution, replacing a new solution with better quality than the stored solution according to the fitness value, and obtaining the optimal solution g;
(6) Checking the stop criterion: repeating steps (4) and (5) until the maximum number of iterations is reached; the solution at this point is the initial cluster center m_k;
(7) Calculating the Euclidean distance between each sample x and each cluster center m_k, wherein x_i is the i-th feature of sample x and m_ki is the i-th feature of the cluster center m_k;
(8) Assigning each sample to the cluster C_k corresponding to the cluster center m_k closest to the sample;
(9) Calculating the average value of all samples in each cluster, and updating a cluster center;
(10) Repeating the steps (7), (8) and (9) until the clustering center is unchanged;
(11) And carrying out marking processing according to the category to obtain various information data of the user.
6. The system according to claim 4 or 5, wherein: the reliability correction algorithm is as follows:
(1) Let CE_x = {C_1, C_2, ..., C_n} be the user information data of the currently accessing user, comprising user behavior information and its context information, where C_i (i = 1, 2, ..., n) is an information parameter;
(2) For each piece of information, provide a confidence measure CF(X, C_i) of the knowledge about the user identity verification result X, with a value between -1 and 1, where 1 represents extreme confidence and -1 represents extreme distrust, and provide an importance weight w_i for each piece of information, wherein
(3) Calculating the average credibility of knowledge
(4) Calculating the distance between the knowledge credibility and the knowledge average credibility of each information:
(5) Calculating a confidence level correction value of the knowledge:
the algorithm for integrating the confidence level is as follows:
(1) Providing the credibility CF(C_i);
(2) Calculating the credibility of the user identity verification result when each piece of information acts independently: CF_i(X) = CF(C_i)·CF′(X, C_i);
(3) Synthesizing the first and second pieces of knowledge with the following formula, then synthesizing the result with the third piece of knowledge, and so on, finally obtaining the comprehensive credibility of the conclusion:
7. the system according to claim 4 or 5, wherein: the training prediction module adopts XGBoost algorithm to perform model training, and formalizes user behavior data and context information into the following form:
wherein X_i (i = 1, 2, …, n) represents a precondition; Y_j (j = 1, 2, …, m) represents a conclusion; the reliability factor represents the reliability of the related precondition. 75% of the data is used as a training set and input into the XGBoost model for training, and the trained model is finally used to predict the user's dynamic identity verification result.
CN202310356212.2A 2023-04-04 2023-04-04 Static and dynamic identity consistency verification method and system Active CN116389114B (en)

Publications (2)

Publication Number Publication Date
CN116389114A CN116389114A (en) 2023-07-04
CN116389114B true CN116389114B (en) 2024-02-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant