WO2017032261A1 - Identity authentication method, device and apparatus - Google Patents


Publication number
WO2017032261A1
Authority
WO
WIPO (PCT)
Prior art keywords
feature data
user
data
identity authentication
account
Application number
PCT/CN2016/095801
Inventor
刘发章
华锦芝
Original Assignee
中国银联股份有限公司
Application filed by 中国银联股份有限公司
Publication of WO2017032261A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Definitions

  • the present invention relates to the field of identity authentication technologies, and in particular, to an identity authentication method, apparatus, and device.
  • the existing identity authentication is generally used for authentication at login.
  • a malicious user obtains the account rights of a normal user through various attack means, and can masquerade as a normal user to log in to the system to perform an illegal operation, resulting in user loss.
  • the current identity authentication scheme based on keystroke behavior is a one-time behavior, which is only authenticated at login, and has shortcomings such as low accuracy and inability to learn autonomously.
  • the invention provides an identity authentication method and device, so as to at least solve the problem that the existing identity authentication misidentification rate is high.
  • an identity authentication method including:
  • in the process from the user logging in to the account to logging out of the account, the first feature data is calculated according to the keystroke behavior when the user inputs data
  • the second feature data is used to represent a keystroke behavior of a legitimate user corresponding to the account
  • an identity authentication apparatus comprising:
  • a first feature calculation module configured to calculate first feature data according to the keystroke behavior when the user inputs data, in the process from the user logging in to the account to logging out of the account;
  • a difference calculation module configured to calculate a difference between the first feature data and a second feature data; the second feature data is used to represent a keystroke behavior of a legitimate user corresponding to the account;
  • the alarm processing module is configured to perform alarm processing when the difference is greater than a preset threshold.
  • an identity authentication device including:
  • a memory coupled to the processor via a bus interface and configured to store programs and data used by the processor in performing operations
  • the processor is configured to read a program in the memory and perform the following process:
  • in the process from the user logging in to the account to logging out of the account, the first feature data is calculated according to the keystroke behavior when the user inputs data
  • the second feature data is used to represent a keystroke behavior of a legitimate user corresponding to the account
  • the user's keystroke behavior is detected continuously from the time the user logs in to the account until the user logs out, so identity authentication is performed throughout the process and the detected sample size is larger; even if a malicious user obtains the login information and bypasses the login-level authentication, the user is still identified during use because the keystroke behavior differs from the legitimate user's keystroke behavior, and alarm processing is performed to avoid damage to account security; in addition, by continuously storing in the database the first feature data that represents the legitimate user's keystroke behavior, and using that data to update the second feature data, the method independently learns how the user's keystroke behavior changes over time and ensures that the second feature data always represents the legitimate user's latest keystroke behavior, so the accuracy of identity authentication is higher.
  • FIG. 1 is a flow chart of an identity authentication method according to an embodiment of the present invention.
  • FIG. 2 is a flow chart of an identity authentication method according to an embodiment of the present invention.
  • FIG. 3 is a structural block diagram of an identity authentication apparatus according to an embodiment of the present invention.
  • FIG. 4 is a block diagram showing the structure of an identity authentication apparatus according to an embodiment of the present invention.
  • FIG. 5 is a structural block diagram of an identity authentication apparatus according to an embodiment of the present invention.
  • FIG. 6 is a structural block diagram of an identity authentication apparatus according to an embodiment of the present invention.
  • FIG. 7 is a structural block diagram of an identity authentication device according to an embodiment of the present invention.
  • FIG. 8 is a flowchart of a first login of a user according to an embodiment of the present invention.
  • FIG. 9 is a flow diagram of a user's non-initial login in accordance with an embodiment of the present invention.
  • identity authentication based on keystroke behavior is executed only when the account is logged in. Since the user inputs little information at that point, the sample used for identity authentication is also small, which often leads to an incorrect authentication result and a high error rate.
  • the present disclosure provides an identity authentication method, as shown in FIG. 1, the process includes:
  • Step 1 In the process from the user logging in to the account to logging out of the account, the first feature data is calculated according to the keystroke behavior when the user inputs data.
  • the first feature data is data characterizing the keystroke behavior of the user, and includes, for example, but is not limited to, one or more of: the frequency of keystrokes when the user inputs data, the time interval between keystrokes, and the duration of each keystroke.
  • the "account" referred to in the present invention includes, but is not limited to, a bank account, a website account, and the like.
  • the identity authentication method further includes: prompting the user to input preset data (for example, a passage containing text and/or numbers and/or letters), in which case step 1 specifically calculates the first feature data according to the keystroke behavior when the user inputs the preset data.
  • Step 2 Calculate a difference between the first feature data and a second feature data.
  • the second feature data is data characterizing the keystroke behavior of the legitimate user corresponding to the account, and includes, for example, but is not limited to, one or more of: the frequency of keystrokes when the legitimate user inputs data, the time interval between keystrokes, and the duration of each keystroke.
  • the step 2 is specifically calculating a Mahalanobis distance of the first feature data and the second feature data.
  • the step 2 is specifically calculating the Euclidean distance between the first feature data and the second feature data.
  • Step 3 If the difference between the first feature data and the second feature data is greater than a preset threshold, perform an alarm process.
  • the alarm processing performed in step 3 includes, but is not limited to, at least one of the following: (1) outputting alarm information; (2) blocking the operation of the user; (3) determining the user to be an illegal user and raising an alert; (4) notifying the legitimate user, via the phone and/or email retained when the account was registered, to perform operation authentication for this login.
  • the specific manner of the alarm processing in the step is not limited in the present invention. In the specific implementation, the appropriate alarm mode can be adopted according to the security requirements of the account.
  • identity authentication is performed throughout the process from the time the user logs in to the account, so even if a malicious user obtains the login information and bypasses the login-level authentication, the user is identified during use because the keystroke behavior differs from the legitimate user's keystroke behavior, and alarm processing is performed to avoid damage to account security.
  • the inventors have also discovered that the user's keystroke habits may change slowly over time, and the current identity authentication system cannot learn the changes of the user's keystroke habits autonomously, which may also result in a higher error rate of the authentication result.
  • the identity authentication method provided by the present invention may further include the following steps:
  • Step 4 If the difference between the first feature data and the second feature data is less than or equal to the preset threshold, update the second feature data by using the first feature data.
  • the step 4 may include:
  • Step 41 Store the first feature data into a database corresponding to the account.
  • the database stores the first feature data calculated from the keystroke behavior each time the legitimate user inputs data.
  • the user's keystroke behavior may change.
  • the calculated first feature data will also change.
  • Step 42 Update the second feature data by using all data included in the database.
  • since the data stored in the database are all first feature data representing the keystroke behavior of the legitimate user, the data can be used to calculate second feature data characterizing the legitimate user's keystroke behavior, and the newly calculated second feature data replaces the original second feature data for subsequent identity authentication.
  • the process of updating the second feature data using all the data contained in the database includes:
  • by continuously storing the first feature data representing the legitimate user's keystroke behavior in the database and using that data to update the second feature data, the identity authentication method automatically learns changes in the user's keystroke behavior and adapts to subtle changes in the same user's habits. This ensures that the second feature data always characterizes the latest keystroke behavior of the legitimate user, overcomes authentication failures caused by changes in user habits, and improves the accuracy of identity authentication.
  • a data volume threshold can be set. When the total amount of data in the database exceeds the data volume threshold, all data in the database is sorted by storage time from earliest to latest, and one or more of the entries at the top of that order are deleted.
  • the specific implementation process of the identity authentication method is as shown in FIG. 2, and includes the following steps:
  • Step S101 When the user logs in to the account, it is detected whether the second feature data of the keystroke behavior of the legitimate user of the account is stored in the system.
  • step S102 is performed.
  • step S103 is performed.
  • Step S102 Prompt the user to input a series of preset data (for example, a piece of text), detect the keystroke behavior when the user inputs the preset data, and calculate first feature data characterizing the keystroke behavior of the user.
  • Step S103 In the process from the user logging in to the account until the user logs out of the account, calculate the first feature data according to the keystroke behavior when the user inputs data, and calculate the difference between the first feature data and the second feature data currently corresponding to the account.
  • step S104 is performed.
  • step S105 is performed.
  • Step S104 The first feature data is stored in a database corresponding to the account, and a new second feature data is calculated by using all data included in the database to replace the original second feature data.
  • Step S105 An alarm process is performed.
  • a method of blocking users may be adopted, and for a website account with lower security requirements, an alarm may be used.
  • the identity authentication method has higher accuracy.
  • on the one hand, the user's keystroke behavior is detected continuously from the time the user logs in to the account, and identity authentication is performed throughout, so the sample size is larger. Even if a malicious user obtains the login information and bypasses the login-level authentication, the user is identified during use because the keystroke behavior differs from the legitimate user's keystroke behavior, and alarm processing is performed to avoid loss of account security. On the other hand, by continuously storing the first feature data representing the legitimate user's keystroke behavior in the database, and using that data to update the second feature data, the method learns how the user's keystroke behavior changes over time. This ensures that the second feature data always characterizes the latest keystroke behavior of the legitimate user, and the identity authentication is more accurate.
  • calculating a difference between the first feature data and the second feature data currently corresponding to the account in step S103 may be calculating a Mahalanobis distance of the first feature data and the second feature data.
  • the Mahalanobis Distance is a statistic used to describe the distance between two data points.
  • the Mahalanobis distance is commonly used to measure the similarity between known and unknown samples.
  • any random variable R that follows a normal distribution can be defined by X, namely:
  • the Mahalanobis distance of the data set with covariance matrix S is defined as follows:
  • the Mahalanobis distance can be calculated using the following formula:
  • $D_M(x, \mu, S)$ represents the Mahalanobis distance
  • $x$ represents the first feature data
  • $\mu$ represents the mean value of the second feature data currently corresponding to the account
  • $S$ represents the second feature data currently corresponding to the account.
  • an embodiment of the present invention provides an identity authentication apparatus, which can be used to implement the method described in the foregoing embodiments, as described in the following embodiments. Since the principle by which the identity authentication apparatus solves the problem is similar to that of the identity authentication method, the implementation of the apparatus can refer to the implementation of the identity authentication method, and repeated description is omitted.
  • the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the systems described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • the present disclosure provides an identity authentication apparatus
  • FIG. 3 is a structural block diagram of the identity authentication apparatus.
  • the identity authentication apparatus includes: a first feature calculation module 31, a difference calculation module 32, and an alarm processing module 33, which are described in detail below.
  • the first feature calculation module 31 is configured to calculate the first feature data according to the keystroke behavior when the user inputs data, in the process from the user logging in to the account to logging out of the account.
  • the difference calculation module 32 is configured to calculate a difference between the first feature data and a second feature data; and the second feature data is used to represent a keystroke behavior of a legitimate user corresponding to the account.
  • the alarm processing module 33 is configured to perform an alarm process when the difference is greater than a preset threshold.
  • the difference calculation module 32 is configured to calculate a Mahalanobis distance of the first feature data and the second feature data.
  • the difference calculation module 32 is configured to calculate a Euclidean distance of the first feature data and the second feature data.
  • the identity authentication apparatus further includes:
  • the updating module 34 is configured to update the second feature data by using the first feature data when the difference is less than or equal to the preset threshold.
  • the update module 34 further includes:
  • a storage module 341, configured to store the first feature data in a database corresponding to the account
  • the operation module 342 is configured to update the second feature data by using all data included in the database.
  • the identity authentication apparatus further includes:
  • the prompting module 61 is configured to prompt the user to input preset data before the first feature calculation module 31 calculates the first feature data according to the keystroke behavior when the user inputs data;
  • the first feature calculation module 31 calculates the first feature data according to the keystroke behavior when the user inputs the preset data.
  • the alert processing module 33 performs at least one of the following alerting processes:
  • notifying the legitimate user, via the phone and/or email retained when the account was registered, to perform operation authentication for this login.
  • the first feature data and the second feature data comprise at least one of: a frequency of keystrokes, a time interval of keystrokes, a duration of each keystroke.
  • the user's keystroke behavior is detected continuously from the time the user logs in to the account until the user logs out, so identity authentication is performed throughout the process and the detected sample size is larger. Even if a malicious user obtains the login information and bypasses the login-level authentication, the user is still identified during use because the keystroke behavior differs from the keystroke behavior of the legitimate user, so that alarm processing can be performed to avoid damage to account security. In addition, by continuously storing in the database the first feature data that characterizes the legitimate user's keystroke behavior, and using that data to update the second feature data, the apparatus independently learns how the user's keystroke behavior changes over time and ensures that the second feature data always characterizes the latest keystroke behavior of the legitimate user. Identity authentication is more accurate.
  • the above identity authentication device may be separately stored in the computer for use by multiple systems, or may be separately integrated in each system.
  • module division is only a schematic division, and the present invention is not limited thereto, and any module division that can achieve the object of the present invention should fall within the protection scope of the present invention.
  • an identity authentication device is also provided in the embodiment of the present invention, which can be used to implement the identity authentication method described in the foregoing embodiments, as described in the following embodiments. Since the principle of the identity authentication device is similar to that of the identity authentication method, the implementation of the device can refer to the implementation of the identity authentication method, and repeated description is omitted.
  • the present disclosure provides an identity authentication device
  • FIG. 7 is a structural block diagram of the identity authentication device.
  • the identity authentication device includes:
  • a memory 72 coupled to the processor 71 via a bus interface 73, and for storing programs and data used by the processor 71 in performing operations;
  • the processor 71 is configured to read a program in the memory 72 and perform the following process:
  • in the process from the user logging in to the account to logging out of the account, the first feature data is calculated according to the keystroke behavior when the user inputs data
  • the second feature data is used to represent a keystroke behavior of a legitimate user corresponding to the account
  • the user's keystroke behavior is detected continuously from the time the user logs in to the account until the user logs out, so identity authentication is performed throughout the process and the detected sample size is larger. Even if a malicious user obtains the login information and bypasses the login-level authentication, the user is still identified during use because the keystroke behavior differs from the keystroke behavior of the legitimate user, so that alarm processing can be performed to avoid damage to account security. In addition, by continuously storing in the database the first feature data that characterizes the legitimate user's keystroke behavior, and using that data to update the second feature data, the device independently learns how the user's keystroke behavior changes over time and ensures that the second feature data always characterizes the latest keystroke behavior of the legitimate user. Identity authentication is more accurate.
  • when a new user logs in to the system for the first time, the system detects that it holds no behavior characteristics for the user, treats the user as a new user, and prompts the user to manually input a text or some commands. The keystroke behaviors of the user's input are recorded (including the key frequency, the interval between one keystroke and the next, the duration on a key, etc.). A covariance matrix for each input data is calculated, and the covariance matrix and the input data are saved as the behavioral characteristics of the user. For example, a library of behavioral characteristics corresponding to the user can be established, in which the input data and the corresponding covariance matrix are stored.
  • the user's are respectively the following three sets of data: P, Q, R.
  • the three sets of data (P, Q, R) are recorded, and the corresponding covariance matrix S is obtained through training, and the recorded data and the covariance matrix are stored as the behavior characteristic database of the user.
  • the system automatically records its keystroke behavior (including key frequency, keystroke interval, duration on a key, etc.) during user login, command operation, or text input throughout the process.
  • the Mahalanobis distance model calculates the Mahalanobis distance between the input data and the data in the habit and feature database. If the obtained distance is lower than or equal to the preset threshold, the user is a legitimate user, and the system continues to calculate the distance and compare it with the preset threshold; if the obtained distance is higher than the preset threshold, the user is an abnormal user, and, according to the system configuration, the system alerts or blocks the user's actions.
  • An approximate recognition model based on the Mahalanobis distance calculates a covariance matrix of the training data during the training phase, and saves the covariance matrix and all training data.
  • the approximate recognition model uses the covariance matrix saved during training to calculate the Mahalanobis distance between each feature vector in the training data and the test vector (i.e., the data currently input by the user), returns the smallest Mahalanobis distance, and judges according to the preset threshold ⁇ whether the test vector and the training data are from the same user.
  • the approximate recognition model can be expressed in the following mathematical formula:
  • $D_M$ is a function that calculates the Mahalanobis distance between two vectors according to the covariance matrix
  • t is the feature vector of the user's current input data
  • x is the saved training data
  • COV is the covariance matrix of the training data, ⁇ is a preset threshold, and n represents the number of saved training data.
  • y1 represents the pressing duration vector
  • P is the mean vector of the pressing time duration
  • y2 represents the key frequency vector
  • Q is the mean vector of the key frequency
  • y3 represents the interval time vector of two consecutive key presses
  • R is the mean vector of the interval time of two consecutive key presses.
  • the formula for calculating the distance is: where $x$ is the currently input data y(y1, y2, y3), and $\mu$ is the stored data (P, Q, R), that is, the pressing duration, the key frequency, and the initial interval of two consecutive key presses
  • P, Q, R the stored data
  • S the initial covariance matrix
  • after the user finishes, if no alarm was raised, the system exits normally, records the user's behavior habits during the current use, and inputs them into the Mahalanobis distance model for training, dynamically learning and adjusting the user's behavior characteristics.
  • a maximum amount of sample data (for example, the last 100 use record data) can be set, and expired record data (for example, data from before the last 100 uses) can be deleted from the training data set.
  • the present invention provides an identity authentication method, apparatus, and device.
  • the user's keystroke behavior is detected continuously in the process from the user logging in to the account to logging out of the account, and identity authentication is performed throughout the process, so the sample size is larger; even if a malicious user obtains the login information and bypasses the login-level authentication, the user is identified during use because the keystroke behavior differs from the legitimate user's keystroke behavior, and alarm processing is performed to avoid damage to account security; in addition, the first feature data representing the legitimate user's keystroke behavior is stored in the database and used to update the second feature data, so that changes in the user's keystroke behavior are learned autonomously, the second feature data always characterizes the latest keystroke behavior of the legitimate user, and identity authentication is more accurate.
  • portions of the invention may be implemented in hardware, software, firmware or a combination thereof.
  • multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system.
  • for example, if implemented in hardware, as in another embodiment, it can be implemented by any one or a combination of the following techniques well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.
  • each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may exist physically separately, or two or more units may be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules.
  • the integrated modules, if implemented in the form of software functional modules and sold or used as stand-alone products, may also be stored in a computer readable storage medium.
  • the above mentioned storage medium may be a read only memory, a magnetic disk or an optical disk or the like.
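The continuous check of Steps 1 to 4 (distance against the stored profile, alarm above the threshold, profile update and capped history otherwise) can be sketched as follows. This is an added example, not code from the patent: the class and function names, the threshold of 3.0 and the constructed sample vectors (hold duration in ms, keys per second, inter-key interval in ms) are assumptions.

```python
import math
from collections import deque

def mean_vector(rows):
    n = len(rows)
    return [sum(r[i] for r in rows) / n for i in range(len(rows[0]))]

def covariance(rows, mu):
    """Sample covariance matrix S (divides by n - 1)."""
    n, k = len(rows), len(mu)
    return [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in rows) / (n - 1)
             for j in range(k)] for i in range(k)]

def invert(m):
    """Gauss-Jordan inverse with partial pivoting; rejects a singular S."""
    k = len(m)
    a = [list(row) + [float(i == j) for j in range(k)] for i, row in enumerate(m)]
    for col in range(k):
        pivot = max(range(col, k), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("singular covariance: samples lack variation")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(k):
            if r != col:
                f = a[r][col]
                a[r] = [v - f * w for v, w in zip(a[r], a[col])]
    return [row[k:] for row in a]

def mahalanobis(x, ref, s_inv):
    """sqrt((x - ref)^T S^-1 (x - ref))"""
    d = [xi - ri for xi, ri in zip(x, ref)]
    q = sum(d[i] * s_inv[i][j] * d[j]
            for i in range(len(d)) for j in range(len(d)))
    return math.sqrt(max(q, 0.0))

class KeystrokeProfile:
    """Second feature data for one account: stored samples, mean and S^-1."""

    def __init__(self, enrollment, threshold, max_samples=100):
        # deque(maxlen=...) drops the oldest record once the cap is reached,
        # matching the "last 100 use record data" example on the page.
        self.samples = deque((tuple(v) for v in enrollment), maxlen=max_samples)
        self.threshold = threshold
        self._refit()

    def _refit(self):
        rows = list(self.samples)
        self.mu = mean_vector(rows)
        self.s_inv = invert(covariance(rows, self.mu))

    def distance(self, x):
        """Distance of a new feature vector from the stored mean."""
        return mahalanobis(x, self.mu, self.s_inv)

    def nearest_distance(self, t):
        """Approximate recognition model: smallest distance to any stored sample."""
        return min(mahalanobis(t, x, self.s_inv) for x in self.samples)

    def observe(self, x):
        """Step 2/3: compare with the threshold. Step 4: learn only on accept."""
        d = self.distance(x)
        if d > self.threshold:
            return "alarm", d           # rejected input never enters the profile
        self.samples.append(tuple(x))   # Step 41: store first feature data
        self._refit()                   # Step 42: recompute second feature data
        return "accept", d

# Constructed enrollment data: (hold ms, keys per second, inter-key interval ms)
ENROLLMENT = [(h, f, g) for h in (90.0, 100.0)
              for f in (4.8, 5.2) for g in (170.0, 190.0)]
LEGIT = (97.0, 5.1, 176.0)      # constructed: close to the enrolled habits
IMPOSTOR = (70.0, 7.5, 110.0)   # constructed: faster, shorter key presses

if __name__ == "__main__":
    profile = KeystrokeProfile(ENROLLMENT, threshold=3.0)
    for name, vec in (("legit", LEGIT), ("impostor", IMPOSTOR)):
        decision, d = profile.observe(vec)
        print(f"{name}: distance={d:.2f} -> {decision}")
```

Because only accepted vectors are stored, the threshold also bounds how far a single session can move the profile.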

Abstract

Disclosed are an identity authentication method, device and apparatus. The identity authentication method comprises: in the process from a user logging into an account to logging out of the account, calculating first feature data according to a keystroke behaviour of the user when inputting data; calculating a difference between the first feature data and second feature data, wherein the second feature data is used to represent the keystroke behaviour of a legitimate user corresponding to the account; and if the difference is greater than a pre-set threshold value, executing warning processing. In the present invention, a keystroke behaviour of a user is detected all the time in the process from the user logging into an account to logging out of the account, and identity authentication is performed in the whole process, so that the quantity of detected samples is larger. Even if a malicious user obtains login information and bypasses the authentication of a login level, the malicious user can still be identified due to the difference between the keystroke behaviour and the keystroke behaviour of a legitimate user in the process of use, and accordingly, warning processing is carried out, so that account security is prevented from being impaired, and the degree of accuracy is higher.

Description

身份认证方法、装置及设备Identity authentication method, device and device
交叉引用cross reference
本申请主张申请日为2015年8月21日,申请号为201510519937.4,发明名称为“身份认证方法及装置”的中国发明专利的优先权。This application claims the priority of the Chinese invention patent whose application date is August 21, 2015, the application number is 201510519937.4, and the invention name is "identity authentication method and device".
技术领域Technical field
本发明涉及身份认证技术领域,尤其涉及一种身份认证方法、装置及设备。The present invention relates to the field of identity authentication technologies, and in particular, to an identity authentication method, apparatus, and device.
背景技术Background technique
现有的身份认证,一般用于登录时认证,恶意用户通过种种攻击手段得到正常用户的账户权限,可以伪装正常用户登入系统执行非法操作,造成用户损失。The existing identity authentication is generally used for authentication at login. A malicious user obtains the account rights of a normal user through various attack means, and can masquerade as a normal user to log in to the system to perform an illegal operation, resulting in user loss.
目前的基于击键行为的身份认证方案,是一次性的行为,仅在登录时认证,存在准确率低、不能自主学习等缺点。The current identity authentication scheme based on keystroke behavior is a one-time behavior, which is only authenticated at login, and has shortcomings such as low accuracy and inability to learn autonomously.
Summary of the invention
The present invention provides an identity authentication method and apparatus to at least solve the problem of the high false recognition rate of existing identity authentication.
According to one aspect of the present invention, an identity authentication method is provided, comprising:
in the process from a user logging in to an account to logging out of the account, calculating first feature data according to the user's keystroke behavior when inputting data;
calculating a difference between the first feature data and second feature data, wherein the second feature data is used to characterize the keystroke behavior of the legitimate user corresponding to the account; and
if the difference is greater than a preset threshold, performing alarm processing.
According to another aspect of the present invention, an identity authentication apparatus is provided, comprising:
a first feature calculation module, configured to calculate first feature data according to the user's keystroke behavior when inputting data, in the process from the user logging in to an account to logging out of the account;
a difference calculation module, configured to calculate a difference between the first feature data and second feature data, wherein the second feature data is used to characterize the keystroke behavior of the legitimate user corresponding to the account; and
an alarm processing module, configured to perform alarm processing when it determines that the difference is greater than a preset threshold.
According to still another aspect of the present invention, an identity authentication device is provided, comprising:
a processor; and
a memory, connected to the processor through a bus interface and used to store the programs and data that the processor uses when performing operations;
wherein the processor is configured to read the program in the memory and perform the following process:
in the process from a user logging in to an account to logging out of the account, calculating first feature data according to the user's keystroke behavior when inputting data;
calculating a difference between the first feature data and second feature data, wherein the second feature data is used to characterize the keystroke behavior of the legitimate user corresponding to the account; and
if the difference is greater than a preset threshold, performing alarm processing.
With the identity authentication method, apparatus and device of the present invention, the user's keystroke behavior is monitored continuously from the time the user logs in to the account until the user logs out, so identity authentication covers the whole session and the number of samples examined is larger. Even if a malicious user obtains the login information and bypasses login-level authentication, that user is still identified during use because their keystroke behavior differs from that of the legitimate user, and alarm processing is then performed to keep account security from being compromised. In addition, by continuously storing in a database the first feature data that characterizes the legitimate user's keystroke behavior, and using that data to update the second feature data, the method autonomously learns how the user's keystroke behavior changes over time, ensures that the second feature data always reflects the legitimate user's most recent keystroke behavior, and makes identity authentication more accurate.
Brief description of the drawings
The drawings described here are provided for a further understanding of the present invention and form part of this application. The illustrative embodiments of the present invention and their description serve to explain the invention and do not limit it. In the drawings:
FIG. 1 is a flowchart of an identity authentication method according to an embodiment of the present invention;
FIG. 2 is a flowchart of an identity authentication method according to an embodiment of the present invention;
FIG. 3 is a structural block diagram of an identity authentication apparatus according to an embodiment of the present invention;
FIG. 4 is a structural block diagram of an identity authentication apparatus according to an embodiment of the present invention;
FIG. 5 is a structural block diagram of an identity authentication apparatus according to an embodiment of the present invention;
FIG. 6 is a structural block diagram of an identity authentication apparatus according to an embodiment of the present invention;
FIG. 7 is a structural block diagram of an identity authentication device according to an embodiment of the present invention;
FIG. 8 is a flowchart of a user's first login according to an embodiment of the present invention;
FIG. 9 is a flowchart of a user's non-first login according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are evidently only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
At present, identity authentication based on keystroke behavior is performed only when logging in to an account. Because the user types little information at that point, few samples are available for authentication, which often leads to wrong authentication results and a high error rate.
To solve the above problem, in some embodiments the present disclosure provides an identity authentication method which, as shown in FIG. 1, comprises:
Step 1: in the process from a user logging in to an account to logging out of the account, calculate first feature data according to the user's keystroke behavior when inputting data.
Specifically, the first feature data is data that characterizes the user's keystroke behavior, including but not limited to one or more of the following: the keystroke frequency when the user inputs data, the time interval between keystrokes, and the duration of each keystroke.
The "account" referred to in the present invention includes, but is not limited to, a bank account, a website account, and the like.
In one embodiment, the identity authentication method further comprises prompting the user to input preset data (for example, a passage of text containing characters and/or digits and/or letters), in which case step 1 specifically calculates the first feature data according to the user's keystroke behavior when inputting the preset data.
Step 2: calculate the difference between the first feature data and second feature data.
Specifically, the second feature data is data that characterizes the keystroke behavior of the legitimate user corresponding to the account, including but not limited to one or more of the following: the keystroke frequency when the legitimate user inputs data, the time interval between keystrokes, and the duration of each keystroke.
In one embodiment, step 2 specifically calculates the Mahalanobis distance between the first feature data and the second feature data.
In another embodiment, step 2 specifically calculates the Euclidean distance between the first feature data and the second feature data.
Step 3: if the difference between the first feature data and the second feature data is greater than a preset threshold, perform alarm processing.
Specifically, when the difference between the first feature data and the second feature data is determined to be greater than the preset threshold, the user is very likely an illegitimate user. To ensure the security of the bank account, the alarm processing performed in step 3 includes, but is not limited to, at least one of the following: (1) outputting alarm information; (2) blocking the user's operation; (3) determining the user to be an illegitimate user and raising an alert; (4) notifying the legitimate user, through the phone number and/or mailbox retained when the account was registered, to authenticate the operations of this login. The present invention does not limit the specific form of alarm processing used in this step; in a specific implementation, an appropriate alarm mode can be chosen according to the security requirements of the account.
With the identity authentication method provided by the present invention, identity authentication is performed throughout the process from the user logging in to the account to logging out of it. Even if a malicious user obtains the login information and bypasses login-level authentication, that user is still identified during use because their keystroke behavior differs from that of the legitimate user, and alarm processing is then performed to keep account security from being compromised.
The inventors have also found that a user's keystroke habits may change gradually over time, and that current identity authentication systems cannot autonomously learn such changes, which also leads to a high error rate in authentication results.
To solve this problem, the identity authentication method provided by the present invention may further comprise the following step:
Step 4: if the difference between the first feature data and the second feature data is less than or equal to the preset threshold, update the second feature data using the first feature data.
In one embodiment, step 4 may comprise:
Step 41: store the first feature data in the database corresponding to the account.
This database stores the first feature data calculated, at each login of the legitimate user to the account, from the legitimate user's keystroke behavior when inputting data.
Over time the user's keystroke behavior may change, and the calculated first feature data changes accordingly. Learning this change autonomously improves the accuracy of identity authentication.
Step 42: update the second feature data using all the data contained in the database.
Because all the data stored in the database is first feature data that characterizes the legitimate user's keystroke behavior, this data can be used to calculate second feature data that characterizes the legitimate user's keystroke behavior. The newly calculated second feature data replaces the original second feature data and is used for subsequent identity authentication.
In one embodiment, the process of updating the second feature data using all the data contained in the database comprises:
Step 421: calculate the expected value $\mu_i = E(X_i)$ of the $i$-th element of each dimension in the training database and the covariance $\operatorname{cov}(X_i, X_j) = E[(X_i - \mu_i)(X_j - \mu_j)]$ of the dimensions.
Step 422: form the new covariance matrix $S = C_{n \times n} = (C_{i,j})$, where $C_{i,j} = \operatorname{cov}(X_i, X_j)$.
By continuously storing in the database the first feature data that characterizes the legitimate user's keystroke behavior, and using that data to update the second feature data, the identity authentication method autonomously learns changes in the user's keystroke behavior and automatically adapts to subtle changes in the same user's habits. This ensures that the second feature data always reflects the legitimate user's most recent keystroke behavior, overcomes authentication failures caused by changes in user habits, and improves the accuracy of identity authentication.
As the number of user logins grows, the amount of data stored in the database gradually increases. Considering the timeliness of the data and the storage capacity of the database, a data volume threshold can be set. When the total amount of data in the database exceeds this threshold, all the data in the database is sorted by storage time from earliest to latest, and the one or more entries that sort first are deleted.
In some embodiments, the specific implementation flow of the identity authentication method is shown in FIG. 2 and comprises the following steps:
Step S101: when the user logs in to the account, check whether the system stores second feature data characterizing the keystroke behavior of the legitimate user of the account.
If the database corresponding to the account stores no second feature data characterizing the keystroke behavior of the legitimate user of the account, this login is judged to be the first login and step S102 is performed.
If the database corresponding to the account already stores second feature data characterizing the keystroke behavior of the legitimate user of the account, this login is judged not to be the first login and step S103 is performed.
Step S102: prompt the user to input a string of preset data (for example, a passage containing text), detect the user's keystroke behavior while inputting the string of preset data, and calculate first feature data characterizing the user's keystroke behavior (for example, the keystroke frequency, the time interval between keystrokes, and the duration of each keystroke while the user inputs the preset data). Because this login is the first login, the user is assumed by default to be the legitimate user, and the first feature data is taken as the initial second feature data and stored in the database corresponding to the account.
Step S103: from the user logging in to the account until the user logs out, calculate first feature data according to the user's keystroke behavior when inputting data, and calculate the difference between the first feature data and the second feature data currently corresponding to the account.
When the calculated difference is less than or equal to a preset threshold, the user is determined to be a legitimate user and step S104 is performed.
When the calculated difference is greater than the preset threshold, the user is determined to be an abnormal user and step S105 is performed.
Step S104: store the first feature data in the database corresponding to the account, and use all the data contained in the database to calculate new second feature data that replaces the original second feature data.
Step S105: perform alarm processing. For example, for a bank account with higher security requirements the user can be blocked, and for a website account with lower security requirements an alarm can be raised.
Compared with existing identity authentication methods, this identity authentication method has higher accuracy. On the one hand, the user's keystroke behavior is monitored continuously from the user logging in to the account to logging out of it, so identity authentication covers the whole session and the number of samples examined is larger. Even if a malicious user obtains the login information and bypasses login-level authentication, that user is still identified during use because their keystroke behavior differs from that of the legitimate user, and alarm processing is then performed to keep account security from being compromised. On the other hand, by continuously storing in the database the first feature data that characterizes the legitimate user's keystroke behavior, and using that data to update the second feature data, the method autonomously learns how the user's keystroke behavior changes over time, ensures that the second feature data always reflects the legitimate user's most recent keystroke behavior, and makes identity authentication more accurate.
In some embodiments, calculating in step S103 the difference between the first feature data and the second feature data currently corresponding to the account may be calculating the Mahalanobis distance between the first feature data and the second feature data.
The Mahalanobis distance is a statistic used to describe the distance between two data points, and is commonly used to measure the similarity between known samples and unknown samples.
In general, if a random variable X follows the (0,1) normal distribution, then any normally distributed random variable R can be defined in terms of X, namely:
Figure PCTCN2016095801-appb-000001
where S is the covariance matrix and μ is the mean.
If the (0,1) normal distribution is instead to be defined in terms of a normally distributed random variable, solving equation (1) gives:
Figure PCTCN2016095801-appb-000002
Squaring both sides of equation (2) and taking the square root gives the distance D between the two variables (X and R):
Figure PCTCN2016095801-appb-000003
Similarly, for a multivariate vector $x = (x_1, x_2, x_3, \ldots, x_N)^T$ and a data set with mean μ and covariance matrix S, the Mahalanobis distance is defined as follows:
Figure PCTCN2016095801-appb-000004
Specifically, in this embodiment the Mahalanobis distance can be calculated using the following formula:
Figure PCTCN2016095801-appb-000005
where $D_M(x, \mu, S)$ denotes the Mahalanobis distance, x denotes the first feature data, μ denotes the mean of the second feature data currently corresponding to the account, and S denotes the covariance matrix of the second feature data currently corresponding to the account.
Determining whether the user is a legitimate user by calculating the Mahalanobis distance between the first feature data and the second feature data is simple and reliable.
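The update procedure of steps 4 and 421-422, the database size limit, and the Mahalanobis comparison described above, combined in one added Python example (not code from the patent). It uses the standard definition of the Mahalanobis distance; the three-feature layout, the threshold of 3.0, the ridge term, the minimum sample count and all names are assumptions, and the sample vectors are constructed.

```python
import math
from collections import deque

RIDGE = 1e-6  # assumption: small diagonal term that keeps S invertible


def mean_and_cov(samples):
    """Steps 421-422: per-dimension mean mu_i and covariance matrix S."""
    m, n = len(samples), len(samples[0])
    mu = [sum(s[i] for s in samples) / m for i in range(n)]
    cov = [[sum((s[i] - mu[i]) * (s[j] - mu[j]) for s in samples) / (m - 1)
            + (RIDGE if i == j else 0.0) for j in range(n)]
           for i in range(n)]
    return mu, cov


def solve(a, b):
    """Solve a*y = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    aug = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("covariance matrix is singular")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(col + 1, n):
            f = aug[r][col] / aug[col][col]
            for c in range(col, n + 1):
                aug[r][c] -= f * aug[col][c]
    y = [0.0] * n
    for r in range(n - 1, -1, -1):
        tail = sum(aug[r][c] * y[c] for c in range(r + 1, n))
        y[r] = (aug[r][n] - tail) / aug[r][r]
    return y


def mahalanobis(x, mu, cov):
    """D_M(x, mu, S) = sqrt((x - mu)^T S^-1 (x - mu))."""
    d = [xi - mi for xi, mi in zip(x, mu)]
    q = sum(di * yi for di, yi in zip(d, solve(cov, d)))
    return math.sqrt(max(q, 0.0))  # clamp rounding noise below zero


class KeystrokeProfile:
    """Per-account store of accepted feature vectors plus the derived (mu, S)."""

    def __init__(self, threshold, max_samples, min_samples):
        self.threshold = threshold
        self.min_samples = min_samples       # assumption: refuse to score earlier
        self.db = deque(maxlen=max_samples)  # a full deque drops the oldest entry
        self.mu = self.cov = None

    def _store(self, x):
        self.db.append(tuple(x))
        if len(self.db) >= self.min_samples:
            self.mu, self.cov = mean_and_cov(list(self.db))

    def enroll(self, x):
        """First-login path: the sample is trusted and stored unscored."""
        self._store(x)

    def check(self, x):
        """Score one in-session sample; returns (verdict, distance)."""
        if self.mu is None:
            raise RuntimeError("not enough enrollment samples to score")
        dist = mahalanobis(x, self.mu, self.cov)
        if dist > self.threshold:
            return "alarm", dist     # step 3 / S105: profile left untouched
        self._store(x)               # step 4 / S104: store, then recompute
        return "ok", dist


# Constructed samples: (hold time ms, inter-key interval ms, keys per second)
ENROLLMENT = [(95, 180, 4.8), (102, 175, 5.1), (98, 190, 4.6), (105, 170, 5.3),
              (92, 185, 4.7), (100, 178, 5.0), (97, 182, 4.9), (103, 172, 5.2)]


def demo():
    profile = KeystrokeProfile(threshold=3.0, max_samples=8, min_samples=4)
    for sample in ENROLLMENT:
        profile.enroll(sample)
    results = [profile.check((160, 320, 2.5)),   # very different typist
               profile.check((100, 178, 5.0))]   # matches the account owner
    return profile, results


if __name__ == "__main__":
    for verdict, dist in demo()[1]:
        print(f"{verdict:5s} distance={dist:.2f}")
```

A rejected sample never enters the database, so only vectors at or below the threshold influence the next mean and covariance; a profile with too few samples raises instead of scoring against an undefined covariance.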
Based on the same inventive concept, an embodiment of the present invention further provides an identity authentication apparatus, which can be used to implement the method described in the above embodiments, as described in the following embodiments. Because the principle by which the identity authentication apparatus solves the problem is similar to that of the identity authentication method, the implementation of the apparatus can refer to the implementation of the identity authentication method, and repeated details are omitted. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the systems described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
In some embodiments, the present disclosure provides an identity authentication apparatus. FIG. 3 is a structural block diagram of the identity authentication apparatus. As shown in FIG. 3, the identity authentication apparatus comprises a first feature calculation module 31, a difference calculation module 32 and an alarm processing module 33. The identity authentication apparatus is described in detail below.
The first feature calculation module 31 is configured to calculate first feature data according to the user's keystroke behavior when inputting data, in the process from the user logging in to an account to logging out of the account.
The difference calculation module 32 is configured to calculate the difference between the first feature data and second feature data; the second feature data is used to characterize the keystroke behavior of the legitimate user corresponding to the account.
The alarm processing module 33 is configured to perform alarm processing when it determines that the difference is greater than a preset threshold.
In some embodiments, the difference calculation module 32 is configured to calculate the Mahalanobis distance between the first feature data and the second feature data.
In some embodiments, the difference calculation module 32 is configured to calculate the Euclidean distance between the first feature data and the second feature data.
In some embodiments, as shown in FIG. 4, the identity authentication apparatus further comprises:
an update module 34, configured to update the second feature data using the first feature data when it determines that the difference is less than or equal to the preset threshold.
In some embodiments, as shown in FIG. 5, the update module 34 further comprises:
a storage module 341, configured to store the first feature data in the database corresponding to the account;
an operation module 342, configured to update the second feature data using all the data contained in the database.
In some embodiments, as shown in FIG. 6, the identity authentication apparatus further comprises:
a prompting module 61, configured to prompt the user to input preset data before the first feature calculation module 31 calculates the first feature data according to the user's keystroke behavior when inputting data;
in which case the first feature calculation module 31 calculates the first feature data according to the user's keystroke behavior when inputting the preset data.
In some embodiments, the alarm processing module 33 performs at least one of the following kinds of alarm processing:
outputting alarm information;
blocking the user's operation;
determining the user to be an illegitimate user and raising an alert;
notifying the legitimate user, through the phone number and/or mailbox retained when the account was registered, to authenticate the operations of this login.
In some embodiments, the first feature data and the second feature data comprise at least one of the following: keystroke frequency, the time interval between keystrokes, and the duration of each keystroke.
With the identity authentication apparatus of the present invention, the user's keystroke behavior is monitored continuously from the time the user logs in to the account until the user logs out, so identity authentication covers the whole session and the number of samples examined is larger. Even if a malicious user obtains the login information and bypasses login-level authentication, that user is still identified during use because their keystroke behavior differs from that of the legitimate user, and alarm processing is then performed to keep account security from being compromised. In addition, by continuously storing in the database the first feature data that characterizes the legitimate user's keystroke behavior, and using that data to update the second feature data, the apparatus autonomously learns how the user's keystroke behavior changes over time, ensures that the second feature data always reflects the legitimate user's most recent keystroke behavior, and makes identity authentication more accurate.
The above identity authentication apparatus may exist on its own in a computer and be shared by multiple systems, or it may be integrated into each system separately. The above division into modules is only illustrative, and the present invention is not limited to it; any division into modules that achieves the object of the present invention falls within the protection scope of the present invention.
基于同一发明构思,本发明实施例中还提供了一种身份认证设备,可以用于实现上述实施例所描述的身份认证方法,如下面的实施例所述。由于身份认证设备解决问题的原理与身份认证方法相似,因此该设备的实施可以参见身份认证方法的实施,重复之处不再赘述。Based on the same inventive concept, an identity authentication device is also provided in the embodiment of the present invention, which can be used to implement the identity authentication method described in the foregoing embodiments, as described in the following embodiments. Since the principle of the identity authentication device is similar to the identity authentication method, the implementation of the device can refer to the implementation of the identity authentication method, and the repeated description is not repeated.
在一些实施例中,本公开提供了一种身份认证设备,图7是该身份认证设备的结构框图,如图7所示,该身份认证设备包括:In some embodiments, the present disclosure provides an identity authentication device, and FIG. 7 is a structural block diagram of the identity authentication device. As shown in FIG. 7, the identity authentication device includes:
处理器71; Processor 71;
存储器72,通过总线接口73与所述处理器71相连接,并且用于存储所述处理器71在执行操作时所使用的程序和数据;a memory 72, coupled to the processor 71 via a bus interface 73, and for storing programs and data used by the processor 71 in performing operations;
所述处理器71用于读取所述存储器72中的程序,执行下列过程:The processor 71 is configured to read a program in the memory 72 and perform the following process:
用户登录账户至退出账户的过程中,根据该用户输入数据时的击键行为计算第一特征数据;During the process of logging in the account to the account, the user calculates the first feature data according to the keystroke behavior when the user inputs the data;
计算所述第一特征数据与一第二特征数据的差别;所述第二特征数据用于表征该账户对应的合法用户的击键行为;Calculating a difference between the first feature data and a second feature data; the second feature data is used to represent a keystroke behavior of a legitimate user corresponding to the account;
若所述差别大于一预设阈值,则执行告警处理。If the difference is greater than a predetermined threshold, an alarm process is performed.
通过本发明的身份认证设备,在用户登录账户到退出账户的过程中一直检测用户的击键行为,全程进行身份认证,检测的样本量更大,即使恶意用户获取登录信息绕过登录层面的认证,也会在使用过程中因击键行为与合法用户的击键行为不同而被识别出来,从而进行告警处理,避免账户安全受损;另外,通过不断向数据库中存入表征了合法用户击键行为的第一特征数据,并利用这些数据来更新第二特征数据,可自主学习用户的击键行为随着时间发生的变化,保证第二特征数据总是表征合法用户最新的击键行为的特点,身份认证的准确程度更高。 Through the identity authentication device of the present invention, the user's keystroke behavior is always detected during the process of logging in the account to the account, and the identity authentication is performed throughout the process, and the detected sample size is larger, even if the malicious user obtains the login information to bypass the login level authentication. It will also be identified during the use process because the keystroke behavior is different from the keystroke behavior of the legitimate user, so that the alarm processing can be performed to avoid the account security damage; in addition, the legitimate user keystroke is characterized by continuously depositing into the database. The first feature data of the behavior, and using the data to update the second feature data, can independently learn the change of the user's keystroke behavior over time, and ensure that the second feature data always characterizes the latest keystroke behavior of the legitimate user. Identity authentication is more accurate.
为了对上述身份认证方法、装置及设备进行更为清楚的解释,下面结合具体的实施例来进行说明,然而值得注意的是该实施例仅是为了更好地说明本发明,并不构成对本发明不当的限定。In order to explain the above-mentioned identity authentication method, device and device, the following description is made in conjunction with the specific embodiments, but it is noted that this embodiment is only for better illustration of the present invention and does not constitute the present invention. Improper restrictions.
(1) The user logs in to the system for the first time (the initial data training phase)
As shown in Figure 8, when a new user logs in for the first time, the system detects that it holds no behavior features for this user, treats the user as new, and prompts the user to manually type a passage of text or some commands. It records the user's keystroke habits during input (including key frequency, the interval between one keystroke and the next, the hold duration on a key, and so on). It calculates the covariance matrix of the data from each input and saves the covariance matrix and the input data as the user's behavior features. For example, a behavior feature library can be created for the user, storing the input data and the corresponding covariance matrix.
For example, for input of the key p during the initial training phase, the user's (press duration, key frequency, interval between two consecutive presses of p) are the three data sets P, Q and R respectively. These three sets (P, Q, R) are recorded, training yields the corresponding covariance matrix S, and the recorded data and the covariance matrix are stored as the user's behavior feature library.
(2) The user logs in to the system again (the recognition and continuous training phase)
As shown in Figure 9, throughout the session, whenever the user logs in, runs commands or enters text, the system automatically records the user's keystroke habits (including key frequency, keystroke interval, hold duration on a key, and so on). For the input habits captured at each stage, the Mahalanobis distance model calculates the Mahalanobis distance between those habits and the data in the feature library. If the distance is less than or equal to the preset threshold, the user is treated as legitimate, and the system continues calculating distances and comparing them with the preset threshold. If the distance is greater than the preset threshold, the user is treated as abnormal and, depending on the system configuration, an alert is raised or the user's operations are blocked.
In the training phase, the approximate recognition model based on the Mahalanobis distance calculates the covariance matrix of the training data and saves both the covariance matrix and all of the training data.
In the recognition phase, the approximate recognition model uses the covariance matrix saved during training to calculate the Mahalanobis distance between each time feature vector in the training data and the test vector (that is, the data the user is currently entering). It returns the smallest of these Mahalanobis distances and uses the preset threshold α to decide whether the test vector and the training data come from the same user.
The approximate recognition model can be expressed by the following formula:
Figure PCTCN2016095801-appb-000006
Here DM is the function that calculates the Mahalanobis distance between two vectors using the covariance matrix, t is the feature vector of the user's current input data, x is the saved training data, COV is the covariance matrix of the training data, α is the preset threshold, and n is the number of saved training samples.
For example, in the recognition phase, if the user's (press duration, key frequency, interval between two consecutive presses of p) for the key p is y(y1, y2, y3), then (y1, P), (y2, Q) and (y3, R) are each substituted into DM(t, x[i], COV) to obtain three Mahalanobis distances d1, d2 and d3, and the minimum d among them is determined by comparison. Here y1 is the press duration vector, P is the mean vector of the press duration, y2 is the key frequency vector, Q is the mean vector of the key frequency, y3 is the vector of intervals between two consecutive presses of p, and R is the mean vector of the interval between two consecutive presses of the key p.
The distance is calculated with the formula:
Figure PCTCN2016095801-appb-000007
where x is the currently input data y(y1, y2, y3); μ is the stored data (P, Q, R), that is, the initial-value vector or the continuously trained mean vector of the press duration, the key frequency and the interval between two consecutive presses of the key p; and S is the initial covariance matrix.
When the user has finished and no alarm has been raised, the user exits the system normally. The user's behavior during this session is recorded and fed into the Mahalanobis distance model for training, so that the user's behavior features are learned and adjusted dynamically.
In addition, a maximum amount of sample data can be set (for example, the record data of the most recent 100 uses), and expired record data (for example, data older than 100 uses) is deleted from the training data set.
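The recognition and continuous-training loop described above (minimum Mahalanobis distance to the stored samples, threshold α, a bounded window of recent records), as an added example that is not code from the patent. It uses the standard Mahalanobis definition; the class name, the sample values and α = 3.0 are constructed assumptions.

```python
import math
from collections import deque

# Constructed enrollment samples (not from the patent). Each tuple is
# (hold duration ms, key frequency keys/s, interval between presses ms).
ENROLL = [(h, f, g) for h in (92.0, 108.0) for f in (4.6, 5.4) for g in (180.0, 220.0)]

def covariance(samples):
    """Sample covariance matrix (n - 1 denominator) of the feature vectors."""
    n, d = len(samples), len(samples[0])
    mean = [sum(s[j] for s in samples) / n for j in range(d)]
    return [[sum((s[a] - mean[a]) * (s[b] - mean[b]) for s in samples) / (n - 1)
             for b in range(d)] for a in range(d)]

def invert(m):
    """Gauss-Jordan inverse with partial pivoting; rejects singular input."""
    d = len(m)
    aug = [list(m[r]) + [1.0 if r == c else 0.0 for c in range(d)] for r in range(d)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            # Happens when a feature never varies or features are collinear.
            raise ValueError("covariance matrix is singular; enroll more varied input")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(d):
            if r != col:
                f = aug[r][col]
                aug[r] = [v - f * w for v, w in zip(aug[r], aug[col])]
    return [row[d:] for row in aug]

def mahalanobis(t, x, cov_inv):
    """D_M(t, x, COV) = sqrt((t - x)^T COV^-1 (t - x))."""
    diff = [a - b for a, b in zip(t, x)]
    q = sum(diff[i] * cov_inv[i][j] * diff[j]
            for i in range(len(diff)) for j in range(len(diff)))
    return math.sqrt(max(q, 0.0))

class KeystrokeProfile:
    """Hypothetical per-account feature library: samples plus their covariance."""

    def __init__(self, enrollment, alpha, max_samples=100):
        self.alpha = alpha
        # The deque drops the oldest record once max_samples is reached.
        self.samples = deque((tuple(s) for s in enrollment), maxlen=max_samples)
        if len(self.samples) <= len(self.samples[0]):
            raise ValueError("need more samples than features to train")
        self._retrain()

    def _retrain(self):
        self.cov_inv = invert(covariance(list(self.samples)))

    def score(self, t):
        """Smallest distance between t and any stored training sample."""
        return min(mahalanobis(t, x, self.cov_inv) for x in self.samples)

    def check(self, t):
        """Return ("ok", d) or ("alarm", d); only accepted input is learned."""
        d = self.score(t)
        if d > self.alpha:
            return "alarm", d      # caller alerts or blocks, per configuration
        self.samples.append(tuple(t))
        self._retrain()            # profile follows the user's gradual drift
        return "ok", d

if __name__ == "__main__":
    profile = KeystrokeProfile(ENROLL, alpha=3.0)
    print(profile.check((103.0, 5.1, 195.0)))   # close to the enrolled rhythm
    print(profile.check((150.0, 3.0, 320.0)))   # slower, heavier typist
```

Because rejected input is never appended, a session that trips the threshold cannot shift the stored profile toward the impostor's rhythm.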
In summary, the present invention provides an identity authentication method, apparatus and device in which the user's keystroke behavior is monitored continuously from the moment the user logs in to the account until the user logs out, so identity authentication runs for the whole session and the detection sample is larger. Even if a malicious user obtains the login information and bypasses authentication at the login stage, that user will still be identified during use because their keystroke behavior differs from the legitimate user's, and alarm processing is then performed so that the security of the account is not compromised. In addition, by continuously storing in the database first feature data that characterizes the legitimate user's keystroke behavior, and using that data to update the second feature data, the invention learns on its own how the user's keystroke behavior changes over time. This ensures that the second feature data always reflects the legitimate user's most recent keystroke behavior, and makes identity authentication more accurate.
Any process or method description in a flowchart, or otherwise described herein, may be understood as representing a module, segment or portion of code that includes one or more executable instructions for implementing the steps of a particular logical function or process. The scope of the preferred embodiments of the present invention includes additional implementations in which functions may be performed out of the order shown or discussed, including substantially simultaneously or in the reverse order depending on the functions involved, as will be understood by those skilled in the art to which the embodiments of the present invention pertain.
It should be understood that the parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware that is stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented with any one or a combination of the following techniques well known in the art: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field-programmable gate array (FPGA), and so on.
Those of ordinary skill in the art will understand that all or some of the steps of the methods in the above embodiments can be carried out by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, performs one or a combination of the steps of the method embodiments.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing module, each unit may exist physically on its own, or two or more units may be integrated into one module. The integrated module may be implemented in hardware or as a software functional module. If the integrated module is implemented as a software functional module and sold or used as a standalone product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
In this specification, a description that refers to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that the specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. Illustrative uses of these terms in this specification do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
The specific embodiments described above explain the purpose, technical solutions and beneficial effects of the present invention in further detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (17)

  1. An identity authentication method, comprising:
    during the period from a user logging in to an account until logging out of the account, calculating first feature data according to the user's keystroke behavior when entering data;
    calculating a difference between the first feature data and second feature data, the second feature data characterizing the keystroke behavior of the legitimate user of the account;
    if the difference is greater than a preset threshold, performing alarm processing.
  2. The identity authentication method according to claim 1, wherein calculating the difference between the first feature data and the second feature data comprises:
    calculating the Mahalanobis distance between the first feature data and the second feature data.
  3. The identity authentication method according to claim 1, wherein calculating the difference between the first feature data and the second feature data comprises:
    calculating the Euclidean distance between the first feature data and the second feature data.
  4. The identity authentication method according to claim 1, further comprising:
    if the difference is less than or equal to the preset threshold, updating the second feature data using the first feature data.
  5. The identity authentication method according to claim 4, wherein updating the second feature data using the first feature data comprises:
    storing the first feature data in a database corresponding to the account;
    updating the second feature data using all of the data contained in the database.
  6. The identity authentication method according to claim 1, further comprising, before calculating the first feature data according to the user's keystroke behavior when entering data: prompting the user to enter preset data;
    wherein calculating the first feature data according to the user's keystroke behavior when entering data comprises:
    calculating the first feature data according to the user's keystroke behavior when entering the preset data.
  7. The identity authentication method according to claim 1, wherein performing alarm processing comprises at least one of the following:
    outputting alarm information;
    blocking the user's operations;
    identifying the user as an illegitimate user and raising an alarm;
    notifying the legitimate user, via the phone number and/or email address recorded when the account was registered, to confirm this login.
  8. The identity authentication method according to claim 1, wherein the first feature data and the second feature data comprise at least one of the following: the frequency of keystrokes, the time interval between keystrokes, and the duration of each keystroke.
  9. An identity authentication apparatus, comprising:
    a first feature calculation module, configured to calculate first feature data according to a user's keystroke behavior when entering data, during the period from the user logging in to an account until logging out of the account;
    a difference calculation module, configured to calculate a difference between the first feature data and second feature data, the second feature data characterizing the keystroke behavior of the legitimate user of the account;
    an alarm processing module, configured to perform alarm processing when the difference is determined to be greater than a preset threshold.
  10. The identity authentication apparatus according to claim 9, wherein the difference calculation module is configured to calculate the Mahalanobis distance between the first feature data and the second feature data.
  11. The identity authentication apparatus according to claim 9, wherein the difference calculation module is configured to calculate the Euclidean distance between the first feature data and the second feature data.
  12. The identity authentication apparatus according to claim 9, further comprising:
    an update module, configured to update the second feature data using the first feature data when the difference is determined to be less than or equal to the preset threshold.
  13. The identity authentication apparatus according to claim 12, wherein the update module comprises:
    a storage module, configured to store the first feature data in a database corresponding to the account;
    an operation module, configured to update the second feature data using all of the data contained in the database.
  14. The identity authentication apparatus according to claim 9, further comprising:
    a prompting module, configured to prompt the user to enter preset data before the first feature calculation module calculates the first feature data according to the user's keystroke behavior when entering data;
    wherein the first feature calculation module calculates the first feature data according to the user's keystroke behavior when entering the preset data.
  15. The identity authentication apparatus according to claim 9, wherein the alarm processing module performs at least one of the following kinds of alarm processing:
    outputting alarm information;
    blocking the user's operations;
    identifying the user as an illegitimate user and raising an alarm;
    notifying the legitimate user, via the phone number and/or email address recorded when the account was registered, to confirm this login.
  16. The identity authentication apparatus according to claim 9, wherein the first feature data and the second feature data comprise at least one of the following: the frequency of keystrokes, the time interval between keystrokes, and the duration of each keystroke.
  17. An identity authentication device, comprising:
    a processor;
    a memory, connected to the processor through a bus interface and configured to store the programs and data used by the processor when performing operations;
    the processor being configured to read the programs in the memory and perform the following process:
    during the period from a user logging in to an account until logging out of the account, calculating first feature data according to the user's keystroke behavior when entering data;
    calculating a difference between the first feature data and second feature data, the second feature data characterizing the keystroke behavior of the legitimate user of the account;
    if the difference is greater than a preset threshold, performing alarm processing.
PCT/CN2016/095801 2015-08-21 2016-08-18 Identity authentication method, device and apparatus WO2017032261A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510519937.4 2015-08-21
CN201510519937.4A CN105933267A (en) 2015-08-21 2015-08-21 Identity authentication method and device

Publications (1)

Publication Number Publication Date
WO2017032261A1 true WO2017032261A1 (en) 2017-03-02

Family

ID=56839904

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/095801 WO2017032261A1 (en) 2015-08-21 2016-08-18 Identity authentication method, device and apparatus

Country Status (2)

Country Link
CN (1) CN105933267A (en)
WO (1) WO2017032261A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109784015A (en) * 2018-12-27 2019-05-21 腾讯科技(深圳)有限公司 A kind of authentication identifying method and device
CN111031541A (en) * 2019-11-25 2020-04-17 网络通信与安全紫金山实验室 Wireless communication security authentication method based on received signal strength

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107124395B (en) * 2017-03-16 2020-08-07 华北电力大学 Identification method of user identity identification system based on keystroke rhythm
CN110046481A (en) * 2018-01-15 2019-07-23 上海聚虹光电科技有限公司 It is accustomed to the identity identifying method of feature based on user
CN108959866B (en) * 2018-04-24 2020-10-23 西北大学 Continuous identity authentication method based on high-frequency sound wave frequency
CN109101793A (en) * 2018-07-12 2018-12-28 方书田 A kind of personal identification method and system based on static text keystroke characteristic
CN109583161B (en) * 2018-11-27 2021-08-06 咪咕文化科技有限公司 Information processing method and device and storage medium
CN109918891B (en) * 2019-01-24 2023-11-21 平安科技(深圳)有限公司 User authentication method, device, computer equipment and storage medium
CN110570199B (en) * 2019-07-24 2022-10-11 中国科学院信息工程研究所 User identity detection method and system based on user input behaviors
CN110502883B (en) * 2019-08-23 2022-08-19 四川长虹电器股份有限公司 PCA-based keystroke behavior anomaly detection method
CN112507299B (en) * 2020-12-04 2022-05-03 重庆邮电大学 Self-adaptive keystroke behavior authentication method and device in continuous identity authentication system
CN113032751B (en) * 2021-03-25 2022-07-01 中南大学 Identity recognition method, device, equipment and medium based on keystroke characteristics of mobile equipment
CN113609465B (en) * 2021-10-11 2023-06-20 江苏翔晟信息技术股份有限公司 OFD document authority control system and method based on face recognition
CN114389901B (en) * 2022-03-24 2022-08-23 湖南三湘银行股份有限公司 Client authentication system based on online

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101833619A (en) * 2010-04-29 2010-09-15 西安交通大学 Method for judging identity based on keyboard-mouse crossed certification
US20130343616A1 (en) * 2012-06-24 2013-12-26 Neurologix Security Inc. Biometrics based methods and systems for user authentication
CN104809377A (en) * 2015-04-29 2015-07-29 西安交通大学 Method for monitoring network user identity based on webpage input behavior characteristics

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101557287A (en) * 2008-04-07 2009-10-14 冀连有 Method for identity identification according to characteristics of user keystroke

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109784015A (en) * 2018-12-27 2019-05-21 腾讯科技(深圳)有限公司 A kind of authentication identifying method and device
CN109784015B (en) * 2018-12-27 2023-05-12 腾讯科技(深圳)有限公司 Identity authentication method and device
CN111031541A (en) * 2019-11-25 2020-04-17 网络通信与安全紫金山实验室 Wireless communication security authentication method based on received signal strength
CN111031541B (en) * 2019-11-25 2022-09-06 网络通信与安全紫金山实验室 Wireless communication security authentication method based on received signal strength

Also Published As

Publication number Publication date
CN105933267A (en) 2016-09-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16838520

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16838520

Country of ref document: EP

Kind code of ref document: A1