CN117240519A

CN117240519A - Access control method, device and storage medium

Info

Publication number: CN117240519A
Application number: CN202311118165.4A
Authority: CN
Inventors: 朱海龙; 郭洋; 刘一珉; 王倩
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Chengdu ICT Co Ltd
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Chengdu ICT Co Ltd
Priority date: 2023-08-31
Filing date: 2023-08-31
Publication date: 2023-12-15

Abstract

The invention discloses an access control method, an access control device and a storage medium, wherein the access control method comprises the following steps: sending a first verification code corresponding to a user account to a client; receiving a second verification code and a user image sent by the client; the user image is used for verifying whether the user in the image is the user corresponding to the user account; and determining whether to verify the user face image information in the user image aiming at the user account according to the comparison result of the first verification code and the second verification code.

Description

Access control method, device and storage medium

Technical Field

The present invention relates to the field of security, and in particular, to an access control method, apparatus, and storage medium.

Background

The access control system is a functional module which is almost provided by all modern information systems and is used for controlling the accessible range of the information resource, so that the information resource is only browsed and used by the roles with access rights.

Various access control systems provide a client login function, wherein login means that a client provides information capable of proving identity for the access control system, the client is converted into a login state after verification, and the client opens access rights. The existing login mode has the problems that illegal access is caused after account passwords are shared or leaked, and the like.

Therefore, it is necessary to provide an access control method to solve the problem of illegal access at present.

Disclosure of Invention

Accordingly, a primary object of the present invention is to provide a method, apparatus and storage medium for access control.

In order to achieve the above purpose, the technical scheme of the invention is realized as follows:

the embodiment of the invention provides an access control method, which is applied to a server; the method comprises the following steps:

sending a first verification code corresponding to a user account to a client;

receiving a second verification code and a user image sent by the client; the user image is used for verifying whether the user in the image is the user corresponding to the user account;

and determining whether to verify the user face image information in the user image aiming at the user account according to the comparison result of the first verification code and the second verification code.

In the above scheme, the sending, to the client, the first verification code corresponding to the user account includes:

receiving identification information of a camera device sent by the client, wherein the camera device is used for shooting the user image;

and under the condition that the identification information corresponds to the client, sending the first verification code corresponding to the user account to the client.

In the above scheme, the receiving the second verification code and the user image sent by the client includes:

and receiving the user image, wherein the user image comprises a gesture corresponding to the second verification code.

In the above scheme, the user account has a corresponding third verification code, where the third verification code includes N characters, and N is an integer greater than or equal to 2;

the characters contained in the first verification code are the same as the characters contained in the third verification code, and the sequence of the characters contained in the first verification code is different from the sequence of the characters contained in the third verification code;

the determining whether to verify the user face image information of the user image for the user account according to the comparison result of the first verification code and the second verification code includes:

and if the second verification code is the same as the third verification code, verifying the user face image information of the user image aiming at the user account.

and receiving N user images, wherein the second verification code comprises N characters, each user image respectively comprises a gesture corresponding to 1 character, and the sequence of the N user images is the sequence of the N characters corresponding to the user images.

In the above scheme, the method further comprises:

performing continuity check on a plurality of frames of images shot by the camera device, wherein the plurality of frames of images at least comprise the user image;

and verifying the user image under the condition that the multi-frame image shot by the image shooting device passes the continuity check.

The embodiment of the invention provides an access control method, which is applied to a client; the method comprises the following steps:

responding to login operation aiming at a user account, and displaying a first verification code corresponding to the user account sent by a server;

acquiring a shot user image, and sending a second verification code and the user image to the server;

the second verification code is used for comparing the server side with the first verification code and determining whether to verify the user face image information in the user image aiming at the user account according to a comparison result; the user image is used for verifying whether the user in the image is the user corresponding to the user account.

In the above scheme, the first verification code corresponding to the user account sent by the display server includes:

sending identification information of a camera device to the server, wherein the camera device is used for shooting the user image;

And displaying the first verification code sent by the server when the identification information is determined to correspond to the client.

The embodiment of the invention provides an access control device, which comprises: the device comprises a first sending module, a first receiving module and a first comparison module; wherein,

the first sending module is used for sending a first verification code corresponding to the user account to the client;

the first receiving module is used for receiving the second verification code and the user image sent by the client; the user image is used for verifying whether the user in the image is the user corresponding to the user account;

the first comparison module is used for determining whether to verify the user face image information in the user image aiming at the user account according to the comparison result of the first verification code and the second verification code.

In the above scheme, the first sending module is specifically configured to receive identification information of an image capturing device sent by the client, where the image capturing device is configured to capture an image of the user;

In the above scheme, the first receiving module is specifically configured to receive the user image, where the user image includes a gesture corresponding to the second verification code.

the first comparison module is specifically configured to verify, if the second verification code is the same as the third verification code, user face image information of the user image with respect to the user account.

In the above scheme, the first receiving module is specifically configured to receive N user images, where the second verification code includes N characters, each user image includes a gesture corresponding to 1 character, and an order of the N user images is an order of the N characters corresponding to the user images.

In the above scheme, the device further comprises a first checking module;

the first checking module is used for continuously checking a plurality of frames of images shot by the camera device, wherein the plurality of frames of images at least comprise the user image;

The embodiment of the invention provides an access control device, which comprises: the first processing module and the second processing module; wherein,

the first processing module is used for responding to login operation aiming at a user account and displaying a first verification code corresponding to the user account, which is sent by a server;

the second processing module is used for acquiring a shot user image and sending a second verification code and the user image to the server;

In the above scheme, the first processing module is specifically configured to send identification information of a camera device to the server, where the camera device is configured to capture an image of the user;

The embodiment of the invention provides an access control device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the steps of the access control method at the server side when executing the program; or,

the processor, when executing the program, implements the steps of the access control method on the client side.

The embodiment of the invention also provides a computer readable storage medium, on which a computer program is stored, which when being executed by a processor, realizes the steps of the access control method of the server side; or,

the computer program, when executed by a processor, implements the steps of the access control method on the client side.

The embodiment of the invention provides an access control method, an access control device and a storage medium, wherein the method is applied to a server; the method comprises the following steps: sending a first verification code corresponding to a user account to a client; receiving a second verification code and a user image sent by the client; the user image is used for verifying whether the user in the image is the user corresponding to the user account; determining whether to verify the user face image information in the user image aiming at the user account according to the comparison result of the first verification code and the second verification code; thus, the anti-fake detection of the face image can be realized through verification code verification and face recognition verification, and the face image is prevented from being forged, so that illegal access is prevented;

Correspondingly, another access control method, device and storage medium provided by the embodiment of the invention are applied to the client; the method comprises the following steps: responding to login operation aiming at a user account, and displaying a first verification code corresponding to the user account sent by a server; acquiring a shot user image, and sending a second verification code and the user image to the server; the second verification code is used for comparing the server side with the first verification code and determining whether to verify the user face image information in the user image aiming at the user account according to a comparison result; the user image is used for verifying whether the user in the image is the user corresponding to the user account; in this way, by receiving the first verification code and sending the second verification code, the received verification code and the sent verification code are the same, the user image is determined to be collected by the camera device after the server sends the first verification code, and the prerecorded user image or the user image with the authorized user face is prevented from being sent to the server by an unauthorized user, so that the face image can be prevented from being forged, the anti-counterfeiting detection of the face image is realized, and illegal access is prevented.

Drawings

Fig. 1 is a schematic flow chart of an access control method according to an embodiment of the present invention;

FIG. 2 is a schematic diagram of different numbers corresponding to different gestures according to an embodiment of the present invention;

fig. 3 is a flow chart of another access control method according to an embodiment of the present invention;

fig. 4 is a schematic diagram of a server system module of an access control system according to an embodiment of the present invention;

FIG. 5 is a schematic diagram of an access state time sequence according to an embodiment of the present invention;

fig. 6 is a schematic flow chart of an access control method according to an embodiment of the present invention;

fig. 7 is a flowchart of another access control method according to an embodiment of the present invention;

FIG. 8 is a flowchart of a method for a user to log on to a log off access control system according to an embodiment of the present invention;

fig. 9 is a schematic structural diagram of an access control device according to an embodiment of the present invention;

fig. 10 is a schematic structural diagram of another access control device according to an embodiment of the present invention;

fig. 11 is a schematic structural diagram of another access control device according to an embodiment of the present invention.

Detailed Description

The present invention will be described in further detail with reference to examples.

The related art to user login will be described before describing the present invention in further detail with reference to the embodiments.

The current common login modes comprise an account password, a first verification code, an account password, a human face verification and the like.

When the login mode of "account password+face verification" is adopted, the face image for face verification is easily forged, for example: the illegal user can read the pre-recorded video stream by disguising the network camera, or actively send the image frame with the face of the login user to the server by the client tool, so that the face verification is unreliable, and the login safety problem exists.

Therefore, it is desirable to provide an access control method that solves the problem that face images currently used for face verification are easily counterfeited.

Fig. 1 is a schematic flow chart of an access control method according to an embodiment of the present invention; as shown in fig. 1, the access control method may be applied to a server; the method comprises the following steps:

step 101, a first verification code corresponding to a user account is sent to a client;

specifically, the first verification code may be a random number, and the user account may be a user account that requests verification (such as login verification).

Here, the server end is an end that sends the first verification code, for example, may be a server;

the client is one end for receiving the first verification code, for example, may be a mobile phone, a computer or other terminals.

In one possible implementation, the client may send a login request to the server, and the server may send a first verification code to the client after receiving the login request.

102, receiving a second verification code and a user image sent by the client; the user image is used for verifying whether the user in the image is the user corresponding to the user account;

in one possible implementation, after receiving the first verification code, the client sends the second verification code and the user image to the server. The user image is used to verify the identity of the user account.

Specifically, after receiving the first verification code, the client displays the first verification code sent by the server, detects a user image from a video stream acquired by the camera device, acquires a first detected image frame containing the user image, and sends the image frame containing the user image and the received first verification code (namely, the second verification code) to the server.

Step 103, determining whether to verify the user face image information in the user image according to the comparison result of the first verification code and the second verification code.

In one possible implementation, verifying user face image information in the user image includes, but is not limited to: and verifying the face of the user image, namely performing face verification. Specifically, after the server side sends the first verification code to the client side, the sent first verification code can be saved. After receiving the second verification code, the server side can compare whether the first verification code is the same as the second verification code, when the first verification code is the same as the second verification code, the user image is acquired by the client side in real time after the server side sends the first verification code, and is not prerecorded or actively sent to the server side to perform user account verification, and whether the user in the received user image is the user corresponding to the user account is verified.

In some embodiments, the sending, to the client, a first verification code corresponding to the user account includes:

Specifically, the server receives identification information of the camera device sent by the client, detects whether the identification information is identification information corresponding to a user account, and if the detection is passed, sends a first verification code to the client. In this way, the image pickup device is ensured to be the image pickup device corresponding to the user account.

In practical application, before the camera of the client is used for the first time, the identification information of the camera can be registered to the server. For example, registration may be completed by entering registration information including identification information of the image pickup apparatus, user account information, and the like into the server. In addition, when the image pickup apparatus is damaged or the user needs to replace the image pickup apparatus, the image pickup apparatus also needs to be re-registered.

In some embodiments, before the receiving the identification information of the image capturing apparatus sent by the client, the method further includes:

receiving a camera verification request sent by the client; the camera verification request comprises the user account;

acquiring identification information of a corresponding camera device according to the user account;

And sending the identification information of the camera device to the client.

Specifically, the server receives a camera verification request which is initiated by the client and carries the user account, acquires the identification information of the corresponding registered camera according to the user account, sends the identification information to the client, and opens the camera corresponding to the identification information according to the identification information, if the client is successfully opened, the camera is verified, and if the client is failed to be opened, the camera is not verified. The identification information sent by the server to the client may be encrypted, and the client may decrypt the encrypted identification information. In practical application, different encryption modes can be agreed according to different requirements, and the method is not limited herein.

In this way, the image pickup apparatus is prevented from being falsified by transmitting the identification information of the image pickup apparatus corresponding to the user and verifying whether the identification information of the opened image pickup apparatus is registered.

In some embodiments, the method further comprises:

In one possible implementation, the different gesture corresponds to a different second verification code.

For example, as shown in fig. 2, different numbers corresponding to different gestures may be represented by extending a finger to represent 1; alternatively, two fingers may be extended to compare the gesture of "V" to indicate 2; alternatively, five finger representations 5 may be opened. Different numbers corresponding to different gestures can be determined according to actual application requirements, and the method is not limited herein.

The user image sent by the client may include, but is not limited to, the user's upper body, including the user's head (including face), shoulder, hand, elbow. In this way, the server may recognize gestures in the user's image.

In one possible implementation, the server may instruct the user to display the first verification code through a gesture.

The server sends a first verification code to the client, the first verification code implicitly indicates the user to display the first verification code through gestures, and the server receives a user image which is sent by the client and contains the upper body of the user. Thus, verification of the verification code can be achieved through gesture comparison.

Here, the first verification code may be any number, letter, specific gesture, limb gesture, and limb action track, and the user needs to perform corresponding verification according to any number, letter, specific gesture, limb gesture, and limb action track.

For example, the server sends the number 2 as the first verification code to the client, and instructs the user to make a gesture corresponding to the number 2, and the client makes a gesture of "V" in front of the image capturing device. Here, the gesture of "V" is the second verification code. Thus, verification of the verification code by means of gesture comparison is achieved.

In some embodiments, the user account has a corresponding third verification code, where the third verification code includes N characters, where N is an integer greater than or equal to 2;

Here, the number of digits of the authentication code is configurable.

Specifically, the third verification code may be a verification code which is registered by the user at the same time when the user registers the account, the first verification code may be a verification code which is sent to the client after the server breaks up the third verification code, and the second verification code may be a verification code corresponding to a gesture which is sequentially put out by the user according to the normal sequence of the third verification code; when the server detects that the numbers and the sequences of the gesture verification code and the registration verification code are the same, the verification is indicated to pass through the verification code, and then the face verification is performed.

For example, assuming that the verification code is a random number, the third verification code is a verification code that the user registers at the same time when registering the account, and is "528"; the first verification code is a verification code which is sent to the client after the third verification code is disturbed by the server, and is 285; the second verification code is a random number corresponding to the gesture put out by the user; and indicating the user to sequentially put out corresponding gestures according to the sequence of registering the verification codes, and verifying the human face through verification codes when the random number 528 corresponding to the gesture put out by the user is verified. Therefore, on one hand, the difficulty of verification codes can be improved by disturbing the sequence of the numbers; on the other hand, verification of the verification code through gesture comparison can be achieved, and the problem of face image forging can be avoided through continuous gestures.

In one possible implementation, the number of times that the error is allowed to be verified is configurable. The verification error is that the second verification code and the third verification code are different in comparison.

For example, since a user may have a memory error, and the gesture indicates that the sequence of the corresponding verification codes is wrong, the number of times of allowing verification errors is 2 times or 3 times, etc. may be configured according to actual requirements.

In some embodiments, the receiving the second verification code and the user image sent by the client includes:

Specifically, the first verification code sent by the server side comprises N characters, the user is instructed to sequentially put out corresponding gestures according to the sequence of the third verification code, and user images containing the user gestures, which are sequentially sent by the client side, are received until the N user images are received.

For example, assuming that the third verification code is "528", the user sequentially puts out the gestures corresponding to "5", "2" and "8", and the client sequentially sends a user image including the gesture corresponding to "5", a user image including the gesture corresponding to "2" and a user image including the gesture corresponding to "8", and the server sequentially receives a user image including the gesture corresponding to "5", a user image including the gesture corresponding to "2" and a user image including the gesture corresponding to "8". Thus, verification of a plurality of verification codes is achieved by sequentially comparing gestures corresponding to the verification codes.

In some embodiments, the gesture corresponding to the second verification code includes: gesture corresponding to N characters respectively.

Specifically, each user image may include gestures corresponding to N characters.

For example, assuming that the verification code is a random number, the server sends the number "34" to the client, and instructs the user to display the gesture corresponding to the number "3" with the left hand and display the gesture corresponding to the number "4" with the right hand before the camera device. Therefore, the difficulty of verification codes is improved and the safety is further improved by simultaneously displaying the gestures corresponding to the verification codes.

In some embodiments, the method further comprises:

Specifically, when the client starts to collect the user image, the server detects the continuity of the user image, and when the user image is detected to be interrupted, there may be video material switching, that is, there is a possibility of falsification of the video stream, and the client will restart to collect the image. In addition, the server continuously stores the continuity of the detected user image in the process, and the last step is carried out again once the discontinuity of the user image is detected.

Here, the continuity check of the multi-frame image shot by the camera device can be performed by detecting the distance between the corresponding feature points of two adjacent frames of images, if the distance does not exceed the preset threshold value, the continuity check is successful; alternatively, the continuity detection may be successful by detecting the optical flow between two adjacent frames of images, if the optical flow rate of change is less than a preset threshold.

In one possible implementation manner, before the client extracts the user image from the video stream shot by the camera device, that is, before receiving the user image sent by the client, a continuity check is performed on the multi-frame image shot by the camera device;

in one possible implementation manner, after receiving the user image collected by the client or before sending the first verification code, performing continuity check on the multi-frame image shot by the camera device;

in one possible implementation, the multi-frame image captured by the camera device is continuously checked before the first verification code, the second verification code and the user image are verified.

In some embodiments, after the determining that the multi-frame image captured by the image capturing device passes the continuity check, the method further includes:

Detecting whether a user in the image is a registered user.

In some embodiments, after the user image is verified, the server may send a new first verification code to the client, and repeat the steps 101 to 103 until the comparison of the preset number of first verification codes and the second verification codes and the verification of the user image are passed.

In some embodiments, the method further comprises:

storing a second verification code which passes the verification latest;

and when the second verification code sent by the client is detected to be the same as the stored second verification code, sending a new first verification code to the client.

For example, assuming that the verification code is a random number and the current server side has passed the verification of the second verification code 1, that is, the first verification code and the second verification code are the same and are both 1, the server side stores the random number 1, at this time, due to an unpredictable network failure, when the client side repeatedly initiates a verification request due to the failure of the previous face verification, the transmitted second verification code is still 1, and the server side transmits a new first verification code 2 to the client side, and at the same time, does not verify the face image information of the user in the user image transmitted in the previous verification request.

Therefore, the problem that the client repeatedly initiates the verification request due to network faults is solved by storing the latest second verification code which passes the verification.

Fig. 3 is a flow chart of another access control method according to an embodiment of the present invention; as shown in fig. 3, the access control method is applied to a client; the method comprises the following steps:

step 301, responding to a login operation aiming at a user account, and displaying a first verification code corresponding to the user account sent by a server;

Step 302, acquiring a shot user image, and sending a second verification code and the user image to the server;

Here, the second verification code may be generated by the user inputting according to the first verification code presented by the client.

In some embodiments, the first verification code corresponding to the user account sent by the display server includes:

Specifically, the client sends identification information of the camera device to the server, the server detects whether the identification information is corresponding to a user account, if the detection is passed, the server sends a first verification code to the client, and the client receives and displays the first verification code.

In some embodiments, before the sending the identification information of the image capturing apparatus to the server, the method further includes:

Sending a verification request of the camera device; the camera verification request comprises the user account;

receiving the encrypted identification information of the camera device sent by the server; the identification information of the camera device corresponds to the user account;

and opening the image pickup device corresponding to the identification information.

Specifically, the client initiates a camera verification request carrying a user account to the server, the server obtains the identification information of the corresponding registered camera according to the user account, the client receives the identification information sent by the server, and opens the camera corresponding to the identification information, if the client is successfully opened, the camera is verified, and if the client is opened, the camera is not verified. The identification information sent by the server to the client may be encrypted, and the client may decrypt the encrypted identification information. In practical application, different encryption modes can be agreed according to different requirements, and the method is not limited herein.

In some embodiments, the sending the second verification code and the user image to the server includes:

And sending the user image containing the gesture corresponding to the second verification code to the server.

For example, as shown in fig. 2, different numbers corresponding to different gestures may be represented by extending a finger to represent 1; alternatively, two fingers may be extended to compare the gesture of "V" to indicate 2; alternatively, five finger representations 5 may be opened. Different numbers corresponding to different gestures can be determined according to actual application requirements, and the method is not limited herein. Thus, verification of the verification code by means of gesture comparison is achieved.

N user images are sent to the server side; the second verification code comprises N characters, each user image comprises gestures corresponding to 1 character, and the sequence of the N user images is the sequence of the N characters corresponding to the user images.

Specifically, the camera device of the client acquires the video stream, after the client detects that the picture contains the user image, the client acquires a first user image containing the gesture corresponding to the first character, sends the first user image containing the gesture corresponding to the second character to the server, acquires the first user image containing the gesture corresponding to the second character, and sends the first user image to the server, and repeats the steps until N user images are sent to the server.

For example, assuming that the verification code is a random number, the server sends the number "34" to the client, and instructs the user to display the gesture corresponding to the number "3" with the left hand and display the gesture corresponding to the number "4" with the right hand before the camera device. Therefore, the difficulty of verification codes is improved and the safety is further improved by simultaneously displaying the gestures corresponding to the verification codes. A number of specific examples are provided below in connection with any of the embodiments described above:

the access control system adopts a Browser/Server (B/S) structure, and the client (B) is responsible for collecting terminal information or extracting image frames from video streams and sending the image frames to the Server for verification. Fig. 4 is a schematic diagram of a server system module of an access control system provided in an application embodiment of the present invention; as shown in fig. 4, the server (S) is composed of 4 modules: the system comprises an image anti-counterfeiting module 41, a face verification module 42, an access state monitoring module 43 and an access state tracking and publishing module 44.

The image anti-counterfeiting module is used for identifying the authenticity of the image acquired by the client so as to solve the human face image counterfeiting risk. The following 2 schemes are proposed.

Scheme 1:

the image anti-counterfeiting module requires that an authorized user register a unique identification code (PID) (i.e., identification information) of camera hardware (i.e., camera device) to a system (i.e., access control system) before using the face recognition function. And before the client reads the video stream of the camera to carry out face recognition, the PID of the camera is checked. When registering the camera PID, the user does not have the right to normally use the system at the moment, and the user needs to check the camera PID and provide the camera PID to an administrator to enter the system to finish registration, or a registration request comprising the camera PID can be submitted to the system to finish registration of the camera PID. In addition, when the camera is damaged or the user needs to replace the login device, the registered camera needs to be replaced, and the registered camera needs to be re-registered at the moment, and the registration method is still realized through the registration request input or submitted by an administrator.

Checking a camera: because the client may have more than one camera, the client cannot know which camera is registered, and the method is implemented by actively calling up the registered camera by the server. Specifically, firstly, a client initiates a verification request to a server (namely a server), wherein the request only carries a user account number and does not carry PID information; further, after receiving the request, the server obtains the registered camera PID according to the user account, the PID information is encrypted and written back to respond, the client decrypts and calls up the camera corresponding to the PID, if the call up is successful, the camera PID check is passed, otherwise, the current equipment does not have the registered camera, and the check is not passed.

After the PID verification of the camera is passed, the client sends a request for successfully opening the camera to the server, PID information is carried in the request, the server judges whether the PID information is registered after receiving the request, if the PID information is correct, a first response is returned to the client, a random number (namely a first verification code) is written in the first response, and the client receives the first response and obtains the random number (for example, random number 1). When the face recognition function is called, the client extracts a first image frame comprising a face from a video stream shot by the camera, the client sends an image frame picture (namely a user image) and the random number 1 (namely a second verification code) to the server together, the image anti-counterfeiting module authenticates the random number 1, the face is verified after the random number 1 passes authentication, a second response for indicating the face verification pass is returned to the client after the face verification passes, a new random number (such as the random number 2) (namely the first verification code) is written in the second response, and the process is repeated continuously. In addition, considering unpredictable network faults, the image anti-counterfeiting module can store the random number (namely the second verification code) which is verified last time, the previous example is that the random number 1 is stored, when the client repeatedly initiates the request due to the failure of the previous request for the face verification, the carried random number is still the previous time, namely the random number 1, the image anti-counterfeiting module can correctly write in a new random number in the response, but the image anti-counterfeiting module discards the image transmitted in the request.

Therefore, whether the camera is registered or not is judged, the safety of the data source is guaranteed, and the unauthorized user is prevented from forging the request and sending an unreal picture by continuously replacing the random number in the transmission process.

Scheme 2:

according to the scheme, on the premise of not interrupting the activities of the user, the gesture digital verification code and the image continuity detection are adopted for implementation, so that the influence of the image anti-counterfeiting verification on the user experience is reduced.

First, when the client starts to collect a face image (i.e., a user image), the server starts to detect continuity of image frames. The specific detection method can be a detection method which is mature in industry. When an interruption is detected, there may be a switching of the video material, i.e. there is a possibility of falsification of the video stream, the client will resume capturing the image, and the gesture verification described next also requires a rework.

Further, when it is detected that the user is registered in the system, and the verification of the gesture verification code (i.e., the second verification code) is required to be completed, at least the upper body of the user is required to be completely displayed in the screen (the definition of the upper body is the range of the head, the shoulder, the hand and the elbow). Specifically, the server sends a random number with a first bit range between 0 and 9 as a verification code (i.e., a first verification code) to the client, for example, 2, the client displays the observed verification code by using a gesture before the camera, for example, makes a gesture of "V", the server detects a face (i.e., a user image) and a gesture display (i.e., a second verification code) corresponding to the number, when the face matches with the login user, and the verification code (gesture) is correct, the server sends the verification code with a second bit range between 0 and 9 to the client, and repeats the foregoing process until a certain number of verification code confirmation (e.g., 3-bit verification codes) is completed. When the verification code is wrong, the verification of the first bit verification code is restarted after the number of the verification codes is cleared. In another implementation manner, the server sends a digital verification code with a predetermined number of digits to the client, for example, 3 digits are sent, the sent digits are arranged after the verification code (the third verification code) registered in advance by the user is scrambled (i.e. the first verification code), for example, the user registers the verification code (the third verification code) of "528" at the same time when registering the account, the server sends the digital verification code (the first verification code) of "285" to the client after scrambling "528", after the user sees "285", if the authorized user knows that "528" is registered by himself, the gesture (i.e. the second verification code) corresponding to "5", "2" and "8" is sequentially performed according to the order of "528", and the illegal user can perform gesture verification (i.e. the second verification code) according to the order of "285" even if the user does not know the registered correct digital verification code, if the server detects that the digital verification code is not paired, that the gesture cannot be verified, that is not only image continuity verification can be performed, but also the gesture continuity verification can be performed, and the gesture continuity verification can be further performed according to the gesture continuity verification order can be further performed by the gesture verification order.

It should be noted that the number of verification code digits and the number of allowed verification errors are both configurable, and the gesture verification code (i.e., the first verification code) is not limited to numbers, and may be any specific gesture, limb gesture, or limb action trajectory verification.

After the user passes through the verification code verification of the gesture, the follow-up work comprises that the system continuously detects the image continuity and the user access state, and the user is unaware.

Thus, the authenticity of the picture is ensured by combining the image continuity detection with the gesture verification code.

The image recognition module can be used for registering face information submitted by a user. Meanwhile, the image recognition module can also be used for detecting whether users in the pictures sent by the client are registered or not, transmitting registration information to the access state monitoring module for processing, acquiring pictures of the camera device by the client according to a certain frequency in the use process, and storing picture or video clips of the camera device when detecting that non-registered users exist. In addition, the image recognition module also has digital 0-9 gesture recognition capability, upper body picture integrity recognition capability and the like, and the capability can be obtained through training of deep learning or other machine learning algorithms.

The access state monitoring module is used for processing the registration information input by the image anti-counterfeiting module and the image identification module. Meanwhile, the access state monitoring module can rapidly detect the current access state of the user and can tolerate the conditions of shaking, turning head and the like of the user.

Specifically, as shown in fig. 5, the access state monitoring module maintains a fixed-length access state time sequence for each user account, pushes the access state time sequence to move at a fixed frequency, and eliminates the state of the tail of the access state time sequence. When a user has a new access state input, the access state time series header is inserted. And traversing the detection monitoring algorithm sequence from the head to the tail to count, and judging the current access state, wherein the current access state comprises the following steps: (1) When all the states in the access state time sequence are empty, judging that the current access state is that the user has left; (2) When the states in the access state time sequence simultaneously exist the user corresponding to the user account and the user corresponding to the non-user account (namely the authorized user and the non-authorized user), and the state proportion exceeds a threshold value, judging that the current access state is commonly accessed by the non-authorized user, wherein the state proportion comprises the time occupation ratio appearing in an image acquisition picture of the image pickup device or the area (display area) occupation ratio in a certain time in the image acquisition picture of the image pickup device; (3) When only unauthorized users exist in the states in the access state time sequence, judging that the current access state is unauthorized access; and (4) if not, judging the current access state as normal access. When the current access state is abnormal access, the access state monitoring module stores video images and transmits the access state of the user to the access state tracking and publishing module.

Therefore, the access state monitoring module adopts a state time sequence to maintain state information, has the function of efficiently judging the access state of the user, and has fault tolerance capacity due to the adoption of a threshold judgment mode.

The access state tracking and publishing module provides user access state information for the authorized third party rights management system.

Specifically, the third party rights management system obtains the user access status information in two ways: query and push. The query mode is that the third party authority management system actively queries the user registration state, so that the third party authority management system judges whether the current user is allowed to log in when the user logs in; the pushing mode is that the access state tracking and publishing module judges whether the access state of each user changes, when the change of the access state of the user is detected, the latest user access state is pushed to the third party authority management system, and the third party authority management system performs screen locking or log-out actions according to the access state of the user. The access state tracking and publishing module can realize decoupling of the access control system and the third party authority management system.

Thus, the access state tracking and publishing module has state change detection and publishing capability, reduces the coupling degree with the third party system, and reduces the quantity of state messages required to be processed by the third party system

In summary, the access control system acquires face information of a user as user identity information, detects the user identity information in real time in the user login and access process, locks a screen of the system when an unauthorized user appears, logs out the user when an authorized user leaves (for example, leaves a lens for more than 30 seconds), ensures the access safety of the system, ensures that only authorized personnel can access on a designated terminal, realizes the login when people walk, and avoids the problems of account sharing, remote control access, common access of multiple people and the like; meanwhile, the access control system can finish image anti-counterfeiting verification, image continuity detection is combined with gesture verification, and the user is required to finish matching at the beginning, so that the user activity is not interrupted in the follow-up normal use unless suspected image counterfeiting is detected, and the access control system has good practical value; meanwhile, a user access state monitoring and publishing module in the access control system can be integrated with a software development kit (SDK, software Development Kit) through simple docking to obtain any third party authority management system with a high security level, and the access control system and the third party authority management system are low in coupling degree, low in technical complexity and easy to realize; therefore, the access control system can effectively prevent account sharing, prevent unauthorized users from browsing together with authorized users, prevent remote desktop control, realize automatic log-out when users leave, and guarantee high security level.

Fig. 6 is a flow chart of an access control method according to an embodiment of the present invention. As shown in fig. 6, the process includes the steps of:

step 601, a user logs in a user account by using an account password at a client;

step 602, the client initiates a camera verification request with the user account,

step 603, the server obtains the identification information of the registered camera device according to the user account, encrypts and sends the encrypted identification information to the client;

step 604, the client decrypts and opens the camera device corresponding to the identification information;

step 605, the client initiates a request to the server with the identification information, and the server detects the identification information;

step 606, judging whether the verification is carried out through the camera device; if yes, go to step 607;

step 607, the server sends the verification code;

step 608, the client extracts the user image and sends the user image to the server;

step 609, judging whether the transmission is successful; if the transmission is successful, step 611 is performed; if the transmission is unsuccessful, go to step 610;

step 610, retry;

step 611, verifying the verification code by the server;

step 612, judging whether the verification is passed; if yes, go to step 613;

step 613, judging whether to repeat the verification; if yes, go to step 615; if not, go to step 614;

Step 614, user face verification, enter step 616;

step 615, discarding the user image in the verification;

step 616, send a new verification code.

Therefore, the camera device is checked to ensure the safety of the data source, and meanwhile, the verification code is continuously replaced in the transmission process, so that the unauthorized user is prevented from forging the request, and the image of the unauthorized user is sent.

Fig. 7 is a flowchart of another access control method according to an embodiment of the present invention. As shown in fig. 7, the flow includes the steps of:

step 701, turning on an image pickup device to start to collect images;

step 702, starting to detect picture continuity;

step 703, the server detects whether the user is a registered user; if yes, go to step 704; if not, return to step 702;

step 704, starting gesture verification code verification;

step 705, the server sends a verification code;

step 706, the user makes a corresponding gesture according to the verification code displayed by the client;

step 707, judging whether the pictures are continuous; if yes, go to step 708; if not, return to step 704;

step 708, judging whether the upper body of the user is completely displayed, whether gesture verification is correct, and whether the face of the user is correct; if both match, go to step 709; if there is a non-compliance, return to step 704;

Step 709, judging whether all the verification is passed; if yes, go to step 710; if not, returning to step 705;

step 710, finishing verification.

The embodiment of the invention provides a method for a user to log in to a log-out access control system, which comprises the following steps:

fig. 8 is a flowchart of a method for a user to log on to log off from an access control system according to an embodiment of the present invention. As shown in fig. 8, the flow includes the steps of:

step 801, a user registers face information in an access control system;

step 802, authorizing a user to log in a target system (a system to be accessed) by using an account number and password, and automatically opening a client integrated in the target system;

803, the client reads the picture of the camera (i.e. the camera device), transmits the picture to the server, and the server starts image continuity detection;

step 804, the server detects whether a registered user appears in the image, and if so, sends a random number with 1 bit ranging from 0 to 9 to the client as a verification code (i.e. a first verification code);

step 805, the user displays the upper body in the picture according to the verification code (i.e. the first verification code), and presents the verification code seen by the user through gestures. The server side judges whether the user in the picture is a login user or not and judges whether the gesture (namely the second verification code) corresponding to the verification code is correct or not. If the verification code is incorrect, the number of the passed verification codes is cleared, and verification is restarted;

Step 806, repeating step 804 and step 805 until a certain number of verification code gestures (i.e. second verification codes) are verified;

step 807, the access state monitoring module receives the user registration information, detects whether the registration state time sequence of the user is currently established, and if not, immediately establishes. User registration state information is inserted into the header of the registration state time sequence. The access state monitoring module pushes the time sequence to update at a fixed frequency, and eliminates the tail state;

step 808, the access state monitoring module traverses the user access state time sequence and calculates all user access states. Specific: if the time sequence (i.e. the user access state time sequence) is empty, no action is performed; if the fact that the number of the states of the common browsing of the users exceeds a certain threshold value is detected, judging that the users are in the common browsing state; if the number of states of the undetected authorized user exceeds a certain threshold value and the latest state shows that the authorized user is not detected, judging that the user is in a leaving state; if only the state quantity of the unauthorized users is detected to exceed a certain threshold value, judging that the unauthorized access state is currently in. Transmitting the user access state to an access state tracking and publishing module;

Step 809, the access state tracking and publishing module judges whether the last two access states of each user are the same, if the access states are detected to be different, the access states are pushed to a third party authority management system;

in step 8010, a user logs in a third party authority management system on the terminal in step 801, the third party authority management system actively inquires the access state of the user from the access state tracking and publishing module, and if the user is not in a normal access state, the third party authority management system can intercept the login. Otherwise, the user can log in normally;

in step 8011, during normal access of the user, if co-access of unauthorized users occurs, the state release module pushes the access state to a third party authority management system, and the third party authority management system can select operations such as prompting, screen locking and the like; if the user leaves, the third party rights management system may choose to log out of the current user.

Thus, through verification of the verification code, the user image is ensured not to be counterfeited; and the access state tracking and publishing module monitors the current access user to prevent the access of unauthorized users, and meanwhile, the access state tracking and publishing module has the state change detection and publishing capability, so that the coupling degree with a third party system is reduced, and the quantity of state messages required to be processed by the third party system is reduced.

The access control system can be widely applied to various scenes with login access control, and has good application value, for example:

scene one: the 4A system widely used inside the group company is matched with a virtual private network (VPN, virtual Private Network), and has higher security, but can still be accessed by unauthorized users when the account number of the authorized user is borrowed and matched with the authentication code. Even if the account is not borrowed, the remote desktop connection is opened after the authorized user logs in the system, and the remote desktop connection information can still be accessed by the unauthorized user after being borrowed or revealed to the unauthorized user. The access control system tracks the access state by using the face recognition technology by opening the local camera (namely the camera device) in the use process, and the authenticity of the image is identified in use, so that the account number can be prevented from being borrowed and connected with a remote desktop.

Scene II: the important information systems of security units such as military police, finance and the like can have the conditions of unauthorized users accessing by accident in addition to the conditions of account number lending, remote desktop and the like, and can also have the conditions of authorized users leaving briefly and being accessed by unauthorized users, the access control system can complete some protection actions (such as screen locking) when the authorized users leave through detecting the authorized states of the users in the picture in real time, and simultaneously, the important information systems can make corresponding actions when the authorized users leave, record unauthorized access sites and facilitate tracking.

Scene III: the code scanning ordering system developed by the middle shift (capital) industrial institute has the tenant management system as a business core, can be used for opening tenants, tenant payment sensitive information configuration, tenant information statistics and the like, is accessed into the access control system, improves the overall security of the system and prevents unauthorized access.

Fig. 9 is a schematic structural diagram of an access control device according to an embodiment of the present invention; as shown in fig. 9, the device is applied to a server; the device comprises: a first sending module, a first receiving module, a first comparing module, wherein,

Specifically, the first sending module is further configured to receive identification information of an image capturing device sent by the client, where the image capturing device is configured to capture the user image;

Specifically, the first receiving module is further configured to receive the user image, where the user image includes a gesture corresponding to the second verification code.

Specifically, the user account has a corresponding third verification code, wherein the third verification code comprises N characters, and N is an integer greater than or equal to 2;

the first comparison module is further configured to verify, if the second verification code is the same as the third verification code, user face image information of the user image with respect to the user account.

Specifically, the first receiving module is further configured to receive N user images, where the second verification code includes N characters, each user image includes a gesture corresponding to 1 character, and an order of the N user images is an order of the N characters corresponding to the user images.

Specifically, the apparatus further comprises a first inspection module;

It should be noted that: in the access control device provided in the above embodiment, when implementing the corresponding access control method, only the division of each program module is used for illustration, in practical application, the processing allocation may be performed by different program modules according to needs, that is, the internal structure of the processing device is divided into different program modules, so as to complete all or part of the processing described above. In addition, the apparatus provided in the foregoing embodiments and the embodiments of the corresponding methods belong to the same concept, and specific implementation processes of the apparatus and the embodiments of the methods are detailed in the method embodiments, which are not described herein again.

Fig. 10 is a schematic structural diagram of another access control device according to an embodiment of the present invention; as shown in fig. 10, the access control device includes: the first processing module and the second processing module; wherein,

Specifically, the first processing module is further configured to send identification information of a camera device to the server, where the camera device is configured to capture an image of the user;

It should be noted that: in the access control device provided in the above embodiment, when implementing the corresponding access control method, only the division of each program module is used for illustration, in practical application, the process allocation may be completed by different program modules according to needs, that is, the internal structure of the server is divided into different program modules, so as to complete all or part of the processes described above. In addition, the apparatus provided in the foregoing embodiments and the embodiments of the corresponding methods belong to the same concept, and specific implementation processes of the apparatus and the embodiments of the methods are detailed in the method embodiments, which are not described herein again.

Fig. 11 is a schematic structural diagram of another access control device according to an embodiment of the present invention; as shown in fig. 11, the apparatus 110 includes: a processor 1101 and a memory 1102 for storing a computer program capable of running on the processor; wherein,

when the apparatus is applied to a server, the processor 1101 is configured to execute, when executing the computer program: sending a first verification code corresponding to a user account to a client; receiving a second verification code and a user image sent by the client; the user image is used for verifying whether the user in the image is the user corresponding to the user account; and determining whether to verify the user face image information in the user image aiming at the user account according to the comparison result of the first verification code and the second verification code. The corresponding flow implemented by the server in each method of the embodiment of the present invention is implemented when the processor runs the computer program, and is not described herein for brevity.

When the apparatus is applied to a client, the processor 1101 is configured to execute, when running the computer program: responding to login operation aiming at a user account, and displaying a first verification code corresponding to the user account sent by a server; acquiring a shot user image, and sending a second verification code and the user image to the server; the second verification code is used for comparing the server side with the first verification code and determining whether to verify the user face image information in the user image aiming at the user account according to a comparison result; the user image is used for verifying whether the user in the image is the user corresponding to the user account. The corresponding flow implemented by the client in each method of the embodiments of the present invention is implemented when the processor runs the computer program, and is not described herein for brevity.

In practical applications, the apparatus 110 may further include: at least one network interface 1103. The various components in the access control device 110 are coupled together by a bus system 1104. It is to be appreciated that the bus system 1104 is employed to facilitate connected communications between the components. The bus system 1104 includes a power bus, a control bus, and a status signal bus in addition to the data bus. But for clarity of illustration, the various buses are labeled as bus system 1104 in fig. 11. Wherein the number of the processors 1101 may be at least one. The network interface 1103 is used for wired or wireless communication between the access control apparatus 110 and other devices.

The memory 1102 in embodiments of the present invention is used to store various types of data to support the operation of the access control device 110.

The method disclosed in the above embodiment of the present invention may be applied to the processor 1101 or implemented by the processor 1101. The processor 1101 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware in the processor 1101 or instructions in software. The Processor 1101 may be a general purpose Processor, a DiGital Signal Processor (DSP), or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 1101 may implement or perform the methods, steps and logic blocks disclosed in embodiments of the present invention. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiment of the invention can be directly embodied in the hardware of the decoding processor or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium including memory 1102 and processor 1101 reads information from memory 1102 and performs the steps of the methods described above in connection with the hardware.

In an exemplary embodiment, the access control device 110 may be implemented by one or more application specific integrated circuits (ASIC, application Specific Integrated Circuit), DSPs, programmable logic devices (PLD, programmable Logic Device), complex programmable logic devices (CPLD, complex Programmable Logic Device), field-programmable gate arrays (FPGA, field-Programmable Gate Array), general purpose processors, controllers, microcontrollers (MCU, micro Controller Unit), microprocessors (Microprocessor), or other electronic components for performing the aforementioned methods.

The embodiment of the invention also provides a computer readable storage medium, on which a computer program is stored;

when the computer readable storage medium is applied to a server, the computer program is executed by a processor to perform: sending a first verification code corresponding to a user account to a client; receiving a second verification code and a user image sent by the client; the user image is used for verifying whether the user in the image is the user corresponding to the user account; and determining whether to verify the user face image information in the user image aiming at the user account according to the comparison result of the first verification code and the second verification code.

The corresponding flow implemented by the server in each method of the embodiment of the present application is implemented when the computer program is executed by the processor, and is not described herein for brevity.

When applied to a client, the computer program, when executed by a processor, performs: responding to login operation aiming at a user account, and displaying a first verification code corresponding to the user account sent by a server; acquiring a shot user image, and sending a second verification code and the user image to the server; the second verification code is used for comparing the server side with the first verification code and determining whether to verify the user face image information in the user image aiming at the user account according to a comparison result; the user image is used for verifying whether the user in the image is the user corresponding to the user account.

The corresponding flow implemented by the client in each method of the embodiments of the present application is implemented when the computer program is executed by the processor, and is not described herein for brevity.

In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above described device embodiments are only illustrative, e.g. the division of the units is only one logical function division, and there may be other divisions in practice, such as: multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to devices or units, whether electrically, mechanically, or otherwise.

The units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in each embodiment of the present invention may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.

Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk or an optical disk, or the like, which can store program codes.

Alternatively, the above-described integrated units of the present invention may be stored in a computer-readable storage medium if implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in essence or a part contributing to the prior art in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.

The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims

1. An access control method, applied to a server, comprising:

sending a first verification code corresponding to a user account to a client;

2. The method of claim 1, wherein the sending, to the client, the first verification code corresponding to the user account includes:

3. The method of claim 1, wherein the receiving the second verification code and the user image sent by the client comprises:

4. The method of claim 3, wherein the step of,

the user account is provided with a corresponding third verification code, the third verification code comprises N characters, and N is an integer greater than or equal to 2;

5. The method of claim 4, wherein the receiving the second verification code and the user image sent by the client comprises:

6. The method according to any one of claims 1 to 5, further comprising:

7. An access control method, applied to a client, comprising:

8. The method of claim 7, wherein the displaying the first verification code corresponding to the user account sent by the server includes:

9. An access control device, applied to a server, comprising:

and the first comparison module is used for determining whether to verify the user face image information in the user image aiming at the user account according to the comparison result of the first verification code and the second verification code.

10. An access control apparatus for use with a client, the apparatus comprising:

11. An access control device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of any one of claims 1 to 6 when the program is executed by the processor; or,

the processor, when executing the program, implements the steps of the method of claim 7 or 8.

12. A computer readable storage medium having stored thereon a computer program, characterized in that the computer program when executed by a processor realizes the steps of the method according to any of claims 1 to 6; or,

which computer program, when being executed by a processor, carries out the steps of the method according to claim 7 or 8.