WO2021248707A1

WO2021248707A1 - Operation verification method and apparatus

Info

Publication number: WO2021248707A1
Application number: PCT/CN2020/112684
Authority: WO
Inventors: 张伟望; 覃建策; 田本真; 陈邦忠
Original assignee: 完美世界(北京)软件科技发展有限公司
Priority date: 2020-06-12
Filing date: 2020-08-31
Publication date: 2021-12-16
Also published as: CN111783063A

Abstract

An operation verification method and apparatus. The method comprises: acquiring first data and second data generated by a target object on a displayed verification page within a target period of time (S202); verifying the target object according to the first data to obtain a first verification result, and verifying a target verification operation according to the second data to obtain a second verification result (S204); and determining a target verification result corresponding to the target verification operation according to the first verification result and the second verification result, the target verification result being used for indicating whether the target verification operation passes the verification (S206). The method solves the technical problem in the related art that the accuracy of verifying a verification operation executed on a verification page is low.

Description

Method and device for verifying operation

This disclosure claims the priority of a Chinese patent application filed with the Chinese Patent Office on June 12, 2020, the priority number is 202010538272.2, and the invention title is "a method and device for verifying an operation", the entire content of which is incorporated herein by reference In the open.

Technical field

The present disclosure relates to the field of computers, and in particular to an operation verification method and device.

Background technique

As an effective means of user authentication, verification codes have been widely adopted by the industry to resist the attacks of Internet black products. The main principle is that black production usually requires a large number of repetitive visits to obtain benefits, and the verification code can effectively increase the cost of each visit. However, with the rise of deep learning in recent years, it has become easier to use computers to automatically identify website verification codes. Many forms of verification codes can have corresponding mature deep learning model solutions, which greatly reduces the difficulty of cracking pictures or text verification codes by black producers, and also greatly reduces the accuracy of verification results.

In view of the above-mentioned problems, no effective solutions have yet been proposed.

Summary of the invention

The present disclosure provides an operation verification method and device to at least solve the technical problem of low accuracy in verifying verification operations performed on a verification page in the related art.

On the one hand, embodiments of the present disclosure provide an operation verification method, including:

Acquiring the first data and the second data generated by the target object on the displayed verification page within the target time period, wherein the verification page is used to verify the target verification operation performed by the target object on the verification page, The target time period includes the time from the display of the verification page to the end of the execution of the target verification operation, the first data is browsing behavior data generated by the target object before the target verification operation starts, and the The second data is verification behavior data generated by the target object performing the target verification operation;

Verifying the target object according to the first data to obtain a first verification result, and verifying the target verification operation according to the second data to obtain a second verification result;

The target verification result corresponding to the target verification operation is determined according to the first verification result and the second verification result, wherein the target verification result is used to indicate whether the target verification operation passes verification.

On the other hand, an embodiment of the present disclosure also provides an operation verification device, including:

The first obtaining module is configured to obtain the first data and the second data generated by the target object on the displayed verification page during the target time period, wherein the verification page is used to perform the execution on the verification page for the target object The target verification operation is verified by the target verification operation, the target time period includes the time from the display of the verification page to the end of the execution of the target verification operation, and the first data is generated by the target object before the target verification operation starts to be executed Browsing behavior data of, where the second data is verification behavior data generated by the target object performing the target verification operation;

A first verification module, configured to verify the target object according to the first data to obtain a first verification result, and to verify the target verification operation according to the second data to obtain a second verification result;

The first determining module is configured to determine a target verification result corresponding to the target verification operation according to the first verification result and the second verification result, wherein the target verification result is used to indicate whether the target verification operation passes verify.

On the other hand, the embodiments of the present disclosure also provide a storage medium, the storage medium includes a stored program, and the above-mentioned method is executed when the program is running.

On the other hand, the embodiments of the present disclosure also provide an electronic device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, and the processor executes the above-mentioned method through the computer program.

The beneficial effects of the present disclosure include at least: first data and second data generated by the target object on the displayed verification page during the target time period are acquired, wherein the verification page is used for the target verification operation performed on the verification page by the target object For verification, the target time period includes the time from the display of the verification page to the end of the target verification operation. The first data is the browsing behavior data generated by the target object before the target verification operation is executed, and the second data is the target verification operation generated by the target object. Verification behavior data; verify the target object based on the first data to obtain the first verification result, and verify the target verification operation based on the second data to obtain the second verification result; determine the target verification based on the first verification result and the second verification result The target verification result corresponding to the operation, where the target verification result is used to indicate whether the target verification operation passed the verification method. The behavior data generated on the verification page is obtained from the display verification page, and the behavior data generated on the verification page is divided into browsing The two dimensions of behavior and verification behavior are verified separately to obtain their respective verification results, and then the verification results of the two dimensions are merged to obtain the final verification result of the target verification operation. The technical effect of the accuracy of the verification operation performed on the page, which in turn solves the technical problem of the low accuracy of the verification operation performed on the verification page in the related technology.

Description of the drawings

The drawings here are incorporated into the specification and constitute a part of the specification, show embodiments in accordance with the present invention, and together with the specification are used to explain the principle of the present invention.

In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the following will briefly introduce the drawings that need to be used in the description of the embodiments or the prior art. Obviously, for those of ordinary skill in the art, In other words, other drawings can be obtained based on these drawings without creative labor.

FIG. 1 is a schematic diagram of a hardware environment of an operation verification method according to an embodiment of the present disclosure;

Fig. 2 is a flowchart of an optional operation verification method according to an embodiment of the present disclosure;

Fig. 3 is a schematic diagram of a verification process of an operation according to an optional embodiment of the present disclosure;

Fig. 4 is a schematic diagram of a model training process according to an optional embodiment of the present disclosure;

FIG. 5 is a schematic diagram of a human-machine verification method based on user behavior according to an optional embodiment of the present disclosure;

Fig. 6 is a schematic diagram of an optional operation verification device according to an embodiment of the present disclosure;

Fig. 7 is a structural block diagram of a terminal according to an embodiment of the present disclosure.

detailed description

In order to enable those skilled in the art to better understand the solutions of the present disclosure, the technical solutions in the embodiments of the present disclosure will be described clearly and completely in conjunction with the accompanying drawings in the embodiments of the present disclosure. Obviously, the described embodiments are only These are a part of the embodiments of the present disclosure, but not all of the embodiments. Based on the embodiments in the present disclosure, all other embodiments obtained by those of ordinary skill in the art without creative work should fall within the protection scope of the present disclosure.

It should be noted that the terms “first” and “second” in the specification and claims of the present disclosure and the above-mentioned drawings are used to distinguish similar objects, and are not necessarily used to describe a specific sequence or sequence. It should be understood that the data used in this way can be interchanged under appropriate circumstances so that the embodiments of the present disclosure described herein can be implemented in an order other than those illustrated or described herein. In addition, the terms "including" and "having" and any variations of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not necessarily limited to those clearly listed. Those steps or units may include other steps or units that are not clearly listed or are inherent to these processes, methods, products, or equipment.

According to an aspect of the embodiments of the present disclosure, there is provided an embodiment of a method for verifying an operation.

Optionally, in this embodiment, the verification method of the above operation can be applied to the hardware environment formed by the terminal 101 and the server 103 as shown in FIG. 1. As shown in Figure 1, the server 103 is connected to the terminal 101 through the network, and can be used to provide services (such as game services, application services, etc.) for the terminal or the client installed on the terminal. The database can be set on the server or independently of the server. It is used to provide data storage services for the server 103. The aforementioned networks include, but are not limited to: wide area networks, metropolitan area networks, or local area networks. The terminal 101 is not limited to PCs, mobile phones, tablet computers, etc. The operation verification method of the embodiment of the present disclosure may be executed by the server 103, may also be executed by the terminal 101, or may be executed jointly by the server 103 and the terminal 101. Wherein, the verification method for the terminal 101 to perform the operation of the embodiment of the present disclosure may also be executed by the client installed on it.

Fig. 2 is a flowchart of an optional operation verification method according to an embodiment of the present disclosure. As shown in Fig. 2, the method may include the following steps:

Step S202: Obtain the first data and second data generated by the target object on the displayed verification page during the target time period, where the verification page is used for the target verification operation performed by the target object on the verification page Performing verification, the target time period includes the time from displaying the verification page to the end of performing the target verification operation, and the first data is browsing behavior data generated by the target object before starting to perform the target verification operation , The second data is verification behavior data generated by the target object performing the target verification operation;

Step S204, verifying the target object according to the first data to obtain a first verification result, and verifying the target verification operation according to the second data to obtain a second verification result;

Step S206: Determine a target verification result corresponding to the target verification operation according to the first verification result and the second verification result, where the target verification result is used to indicate whether the target verification operation passes verification.

Through the above steps S202 to S206, the behavior data generated on the verification page is obtained from the display verification page, and the behavior data generated on the verification page is divided into two dimensions, browsing behavior and verification behavior, and verification is performed to obtain respective verification results. Then the verification results of the two dimensions are merged to obtain the final verification result of the target verification operation, which achieves the purpose of increasing the difficulty of passing the verification, thereby achieving the technical effect of improving the accuracy of the verification operation performed on the verification page, and then It solves the technical problem of low accuracy in verifying the verification operation performed on the verification page in the related technology.

In the technical solution provided in step S202, the verification page is used to verify the target verification operation performed by the target object on the verification page. The verification page can be a page that displays a verification code. For example, if the verification code is displayed on the login or registration page of the application, the login or registration page can be called a verification page, or the user logs in on the login or registration page or After the registration operation, it jumps to a new page. The verification code is displayed on the page to verify the user's operation. The newly jumped page can also be called a verification page.

Optionally, in this embodiment, the target object may, but is not limited to, an object that performs operations on the verification page, such as a registered account used by a registered user, a temporary account used by a non-registered user, and so on.

Optionally, in this embodiment, the aforementioned verification code can include, but is not limited to: a slider verification code, a picture selection verification code, a text click verification code, a semantic understanding quiz verification code, etc., in any form for checking Operate the verification code for man-machine verification.

Optionally, in this embodiment, the method for acquiring the first data and the second data may include, but is not limited to, one of the following:

Method 1: Collect all the behavior data generated by the target object on the displayed verification page during the target time period, and then divide the collected behavior data into the first data and the second data according to the time when the target verification operation is started.

The second method is to collect the behavior data of the operation performed on the verification page from the display of the verification page as the first data until it is detected that the target verification operation is started. From the detection that the target verification operation is performed, the behavior data of the operation performed on the verification page is collected as the second data, and the target verification operation is completed.

Optionally, in this embodiment, the first data is browsing behavior data generated by the target object before starting to perform the target verification operation, and the second data is verification behavior data generated by the target object performing the target verification operation. The behavior data can be, but is not limited to, data generated by the target object performing any type of operation on the verification page during the period from when the verification page is opened to when the verification is completed.

Optionally, in this embodiment, the operation types may include, but are not limited to: mouse movement, click, move out of boundary, move in boundary, page scroll, keyboard input, etc. The mobile terminal may also include gyroscope changes. The recorded behavior data can also include the time stamp of the time when the operation occurred. The behavior data also includes the time point when the target object starts to verify. The behavior data sequence can be cut according to the time and divided into two parts. One is the browsing behavior data used to represent the page browsing behavior as the first data, and the second is The verification behavior data used to represent the verification code operation behavior is used as the second data.

Optionally, in this embodiment, in order to increase the difficulty of front-end cracking, complex front-end code confusion may be added to the front-end code that collects the first data and the second data.

In the technical solution provided in step S204, the first data and the second data are respectively verified, the first data is used to verify the object type of the target object, and the second data is used to verify whether the target verification operation is passed.

Optionally, in this embodiment, the first data is behavioral data before the verification start stage, which has a relatively large randomness and does not easily affect the judgment of similarity between operations, and should not be used as data for verifying the target verification operation. , But the behavior data before the beginning stage can better reflect whether the target object is a real user or a robot intrusion, so it can be used as an object type verification. The actions when performing the verification operation, such as dragging the slider, clicking the text, etc., have a very clear paradigm structure, which is more suitable for judging the similarity between operations. The second data generated during the verification operation is used as the operation similarity. Sexual verification.

In the technical solution provided in step S206, the first verification result and the second verification result may be merged to obtain the target verification result.

Optionally, in this embodiment, the method of fusion of the verification results may include, but is not limited to: method one, the first verification result and the second verification result are standardized and then summed, the average is taken or the weighted sum is taken, etc. Operation, according to the operation result to determine whether the target verification operation passes the verification. The second method is to input the first verification result and the second verification result into the trained classification model and automatically merge the verification results to output the final result of whether the target verification operation passes the verification.

As an optional embodiment, verifying the target object according to the first data to obtain the first verification result includes:

S11: Perform feature extraction on the first data to obtain data features corresponding to the first data;

S12: Classify the data features, and obtain the target object type corresponding to the target object as the first verification result.

Optionally, in this embodiment, data features may be extracted from the first data to reflect the attribute features of the first data, and then the target object type to which the target object belongs is determined according to the obtained data features.

Optionally, in this embodiment, the divided object types may include, but are not limited to, normal users, attackers, and so on.

Optionally, in this embodiment, the method of classifying data features may include, but is not limited to: searching for features and object types that have a corresponding relationship to obtain the target object type corresponding to the data feature, and using the trained model to perform data feature analysis. Automatic classification and so on.

As an optional embodiment, performing feature extraction on the first data to obtain data features corresponding to the first data includes:

S21: Divide the first data into data of multiple data types according to a data generation manner;

S22: Perform feature extraction on data of each data type in the data of the multiple data types, respectively, to obtain data features corresponding to the data of each data type;

Classifying the data features and obtaining the target object type corresponding to the target object as the first verification result includes:

S23: Separately classify the data features corresponding to the data of each data type to obtain the object type corresponding to the data of each data type;

S24. Fusion of the object types corresponding to the data of each data type to obtain the target object type.

Optionally, in this embodiment, for the first data of different data types, feature extraction and classification may be performed, but not limited to, respectively, and then the obtained different classification results are merged to obtain the first verification result. Different data types can set different classification standards according to the characteristics of the data, thereby improving the accuracy of classification.

Optionally, in this embodiment, the first data can be divided into mouse trajectory data, keyboard input data, etc. according to the data generation manner, but is not limited to.

Optionally, in this embodiment, the method of fusing the object type corresponding to the data of each data type may include, but is not limited to, operations such as weighted summation, averaging, etc., and then based on the threshold value that the operation result falls into. The scope determines the target object type.

S31: Input the first data into a target feature classification model, where the target feature classification model is obtained by training an initial feature classification model using browsing behavior data samples labeled with object types;

S32. Obtain a target object type output by the target feature classification model as the first verification result, wherein the target object type is included in the object type marked by the behavior data sample.

Optionally, in this embodiment, the target feature classification model can be obtained through model training but is not limited to automatically detect the target object type corresponding to the first data.

Optionally, in this embodiment, the target feature classification model is obtained by training the initial feature classification model using browsing behavior data samples marked with object types. The target feature classification model can include, but is not limited to, structures such as deep neural network dnn, convolutional neural network cnn, and recurrent neural network rnn.

As an optional embodiment, acquiring the target object type output by the target feature classification model as the first verification result includes:

S41: Perform feature extraction on the first data through a feature extraction layer to obtain data features, wherein the target feature classification model includes a first input layer, the feature extraction layer, a classification layer, and a first output layer that are sequentially connected , The first input layer is used to receive the first data;

S42: Classify the data feature through the classification layer to obtain the probability that the data feature belongs to each object type among multiple object types;

S43: Determine the target object type from the multiple object types by the first output layer according to the probability that the data feature belongs to each of the multiple object types, and output the target object type.

Optionally, in this embodiment, the target feature classification model may include, but is not limited to, a first input layer, a feature extraction layer, a classification layer, and a first output layer that are sequentially connected, wherein the first input layer is used to receive the first Data, the feature extraction layer is used to perform feature extraction on the first data to obtain data features, the classification layer is used to classify data features to obtain classification results, and the first output layer is used to output the target object type according to the classification results obtained by the classification layer.

Optionally, in this embodiment, the classification result obtained by the classification layer may, but is not limited to, the probability that the data feature corresponds to each object type among multiple object types. The first output layer judges the target object type according to the probability of each object type. For example, a probability threshold can be set, and the object type corresponding to the highest probability higher than the probability threshold can be used as the target object type.

Optionally, in this embodiment, different target feature classification models can be trained for different target verification operation types.

Optionally, in this embodiment, the above-mentioned feature extraction layer may, but is not limited to, adopt a Long Short-Term Memory (LSTM) model structure, and the hyperparameters to be tuned for LSTM may include, but are not limited to: LSTM's cell state size, output length, L1 and L2 regularization coefficients, optimization algorithm, learning rate, etc.

Optionally, in this embodiment, the above-mentioned classification layer may, but is not limited to, adopt a logistic regression (LR) model network.

In an optional implementation manner, the process of verifying the target object based on the first data to obtain the first verification result may include, but is not limited to, the following steps:

Step A, the first data is sampled, where the continuous mouse movement track and continuous page scrolling can be sampled at a fixed time interval (for example, the fixed sampling interval of the mouse track can be set to 100ms). The keyboard input selects the longest continuous input segment as the representative. If the maximum length is exceeded, the continuous segment of the input is randomly intercepted (for example, the maximum input length of the keyboard input sequence can be set to 64).

Step B: Input the mouse trajectory data and the keyboard input behavior sequence data into two different depth models respectively to perform automatic feature extraction. Among them, the mouse track data and keyboard input behavior sequence data can be standardized and then input into the model. Each frame of the mouse track data is represented as a feature vector. The vector can include but is not limited to four bits. One bit indicates the type of operation, which can be: click, press, lift, move, move out of boundary, move in boundary, scroll, etc. The second and third digits are the x and y axis coordinates where the mouse is located. The fourth digit is the time when the operation occurred. Each frame of the keyboard input behavior sequence data can also be represented as a feature vector, which can include but is not limited to two bits, the first bit represents the ascii code corresponding to the letter or symbol input by the keyboard. The second digit indicates the time corresponding to the keyboard input.

Step C: Perform a weighted summation of the output results of the two feature extraction models to obtain the probability that the operation may come from the attacker. You can use 1 to represent the attacker, 0 to represent the ordinary user, and 0.5 as the intermediate threshold, and classify the probability greater than 0.5 as Attackers are classified as ordinary users with probability less than 0.5.

As an optional embodiment, verifying the target verification operation according to the second data to obtain a second verification result includes:

S51: Determine whether the second data meets the verification condition corresponding to the verification page;

S52: In a case where it is determined that the second data does not meet the verification condition, determine that the second verification result is used to indicate that the target verification operation fails verification;

S53: In a case where it is determined that the second data meets the verification condition, determine whether the target verification operation passes verification according to the similarity between the second data and the target data, and obtain the second verification result, Wherein, the target data is data extracted from verification operations that have passed verification.

Optionally, in this embodiment, the second data is first verified by rules, that is, whether the second data meets the verification conditions. For example, the drag track of the slider should be related to the position of the slider, and the position of the text click should be related to the position of the slider. Match the relative position of the text in the picture. If the rule verification fails, the target verification operation is directly determined as the attacker's attack behavior.

Optionally, in this embodiment, a certain error tolerance threshold can be added to the verification of whether the second data meets the verification conditions, so as to deal with data collection errors that may occur in the actual production environment, thereby improving the accuracy of the verification results.

Optionally, in this embodiment, for the second data determined to meet the verification conditions, it is determined whether the target verification operation passes the verification based on the similarity between the target data and the target data extracted from the verification operation that has passed the verification. , Thereby obtaining the second verification result.

As an optional embodiment, determining whether the target verification operation passes verification according to the similarity between the second data and target data, and obtaining the second verification result includes:

S61: Encode the second data to obtain encoded data;

S62: Input the encoded data into a target single classification model, where the target single classification model is obtained by training an initial single classification model using the target data;

S63. Obtain a verification identifier output by the target single classification model as the second verification result, where the verification identifier is used to indicate whether the encoded data passes verification.

Optionally, in this embodiment, the similarity between the second data and the historical target data can be automatically detected through the trained target single classification model, so as to automatically determine whether the second data passes the verification.

Optionally, in this embodiment, a self-encoder can be used to encode the second data, but is not limited to. For example: a 4-layer self-encoder, where the self-encoder includes three hidden layers of 128, 64, and 128, respectively. Where 64 is the representation length of the final encoding. Here, the depth of the self-encoder and the size of the hidden layer are hyperparameters that can be tuned. What is given here is an example of actual use, which is not limited in the present disclosure.

Optionally, in this embodiment, the second data may be preprocessed before the second data is encoded. For example: first remove the data that is not the mouse operation type in the second data, and then remove the field indicating the operation type in the data, leaving only the mouse coordinates and time fields. The above sequence is sampled to 100 coordinate time pairs at uniform time intervals, and a vector with a length of 300 is obtained as the preprocessed second data for encoding.

Optionally, in this embodiment, the foregoing target single classification model may, but is not limited to, use the model structure of the SVDD (Support vector domain description, support vector data description) model.

Optionally, in this embodiment, the training data (ie target data) of the above-mentioned SVDD model can all come from normal user data (ie, verified verification operations), the data is easy to obtain, and the data labels are highly accurate and can be directly Perform online data set expansion and model iteration.

Optionally, in this embodiment, the above-mentioned target data may include, but is not limited to, the following sources: data generated by the intranet IP segment, data generated by the IP whitelist and user whitelist, or by analyzing the daily traffic of the website Find the natural day when the traffic is normal, and treat all data as normal user data. The aforementioned normal flow means that there is no sudden flow peak, and the flow conforms to long-term regularity, such as peaks in the morning and evening, and troughs in the middle of the night.

Optionally, in this embodiment, the hyperparameters to be trained for the above-mentioned SVDD model may include, but are not limited to, the selection of the kernel function, the soft interval coefficient, and the like. The aforementioned kernel function may also include secondary hyperparameters, such as coefficients, exponents, and so on.

Through the above process, the anomaly detection model is used to verify the user verification code behavior. The anomaly detection model is a single classification model, so only one type of data is needed for training. Because normal user data is very easy to obtain, and the attacker’s data is difficult to label, there are no data collection problems in using this model to classify, thereby reducing the difficulty of model training, using more accurate training data and improving the accuracy of model training .

As an optional embodiment, obtaining the verification identifier output by the target single classification model as the second verification result includes:

S71. Determine the similarity between the encoded data and the target data through a single classification layer, where the target single classification model includes a second input layer, the single classification layer and a second output layer connected in sequence, The second input layer is used to receive the encoded data;

S72. Determine the relationship between the similarity and the target similarity through the second output layer;

S73: When the similarity is higher than the target similarity, output a first verification identifier through the second output layer, where the first verification identifier is used to indicate that the encoded data passes verification;

S74: In a case where the similarity is not higher than the target similarity, output a second verification identifier through the second output layer, where the second verification identifier is used to indicate that the encoded data has not passed verification .

Optionally, in this embodiment, the target single classification model includes a second input layer, a single classification layer, and a second output layer that are sequentially connected. The second input layer is used to receive encoded data, and the single classification layer is used to determine encoded data. The relationship with the target data can be based on the similarity between the encoded data and the target data to determine a score for the encoded data. The higher the score, the higher the similarity, or the lower the score, the higher the similarity. high. The second output layer is used to determine whether the encoded data has passed the verification based on the output of the single classification layer, determine whether the similarity is higher than the target similarity according to the score, and determine whether the encoded data is higher than the target similarity to pass the verification. The coded data of similarity determines that it has not passed the verification.

For example, the normal user behavior classification label is 0, which corresponds to the unique classification of the model. The score threshold is selected to be 1, and a score greater than 1 means that the similarity between the encoded data and the target data is not higher than the target similarity, and it is judged as not a normal user behavior, that is, it is judged that the attacker is forging the data, and the score is less than 1. It means that the similarity between the coded data and the target data is higher than the target similarity, and it is judged to be ordinary user data.

In an optional implementation manner, a way of verifying the user's operation on the verification page is provided. FIG. 3 is a schematic diagram of an operation verification process according to an optional implementation manner of the present disclosure, as shown in FIG. 3. As shown, the process can, but is not limited to, include the following steps:

Step S302: Obtain user behavior data generated by the user's operation on the verification page.

Step S304: Divide the acquired data into page browsing behavior as the first data and verification code operation behavior as the second data.

Step S306: Use the LSTM+LR model to classify the page browsing behavior to obtain the classification result.

Step S308: Use the self-encoder + SVDD single classification model to process the verification code operation behavior to obtain the classification result.

In step S310, the above two results are merged to obtain a final judgment.

In the above process, for the verification behavior data submitted by the user or the attacker, the behavior data features are automatically extracted based on the depth model, which improves the efficiency of feature extraction and the accuracy of verification.

As an optional embodiment, after encoding the second data to obtain the encoded data, the method further includes:

S81: Determine the target data type corresponding to the multiple data types of the encoded data, where the multiple data types are obtained by clustering historical encoded data;

S82: Obtain the access frequency of the object corresponding to the data generated belonging to the target data type, where the access frequency is used to indicate the frequency of access to the verification page by the object corresponding to the data generated belonging to the target data type;

S83: When the access frequency is higher than the target frequency, determine the object identifier of the target object as a suspicious identifier;

S84: In the case where the number of times the object identifier is determined to be the suspicious identifier is higher than the target number of times, increase the target similarity when the target single classification model is used to process the data from the object identifier.

Optionally, in this embodiment, multiple data types are obtained by clustering historical coded data. For example: you can collect user data for a certain period of time, and then use the mean-shift algorithm to cluster the data to obtain n cluster centers, where n depends on the window size of the mean-shift algorithm, and the window size can be based on the specific verification code The characteristics of the data and the desired effect are adjusted.

Optionally, in this embodiment, the method for determining the target data type corresponding to the encoded data among the multiple data types may be, but is not limited to, calculating the distance between the encoded data and each of the aforementioned cluster centers, and finding the closest cluster. Class center. If the distance between the encoded data and the cluster center is less than the set threshold, the encoded data is considered to belong to the cluster cluster represented by the cluster center, and the cluster cluster is determined as the target data type.

Optionally, in this embodiment, the object identifier of the target object may include but is not limited to: user id, user ip address, and so on. For example: bind the user ip address corresponding to the aforementioned encoded data with the user ip corresponding to other behaviors in the determined cluster, and the bound ip will be combined to calculate its access frequency. If the merging frequency exceeds a certain threshold, the newly accessed ip is set as a suspicious flag, and if the same ip is set as a suspicious flag multiple times, it is added to the ip blacklist.

Optionally, in this embodiment, for ips added to the blacklist, on the one hand, some non-user-friendly verification codes can be replaced at the front end to test them. On the other hand, the score threshold of the target single classification model can be lowered, that is, the target similarity can be raised, so that the behavior data generated by the user ip has a greater probability of being classified as an attacker. Or you can use some specific pages to change the verification code verification to require the user to verify with a mobile phone, or to require the user to answer the secret security question, which greatly increases the cost of the attacker's violent visit.

Optionally, in this embodiment, for the case where the number of times the object identifier is determined to be a suspicious identifier is higher than the target number of times, the model threshold of the target feature classification model can also be adjusted, thereby improving the behavior data generated by the user ip. Possibility to classify as an attacker.

When attackers use real user data to attack, they often have limited access to this type of data, not very many, unlike the endless random trajectories generated by software. Attackers often make some minor modifications based on one or a group of real-person operating data as a new forgery. However, new behaviors generated in this way often have similarities that can be found by machine learning models, so that they can be effectively classified into one category. Through the above steps, the similarity between forgery behaviors is used for cluster analysis. Although the attacker can use thousands of ips for access, making the website unable to locate their existence, they can be bundled and determined by constructing similarities in behavior. In this way, although the attacker uses real user behavior (such as the operation of himself or other users), the classification model cannot intercept it, but their existence can still be found through similarity clustering, thereby improving the accuracy of verification.

As an optional embodiment, before verifying the target object based on the first data to obtain a first verification result, and verifying the target verification operation based on the second data to obtain a second verification result ,Also includes:

S91: Obtain target data from the collected data set, where the target data is data extracted from a verification operation that has passed verification;

S92. Use the target data to train the initial single classification model to obtain a target single classification model, where the target single classification model is used to verify the target verification operation according to the second data to obtain a second verification result ；

S93: Use the target single classification model to verify the data in the data set, and obtain the data that fails the verification as a result of the verification;

S94: Obtain, from the data set, first browsing behavior data corresponding to the target data and second browsing behavior data corresponding to data whose verification result is that the verification fails;

S95: Mark the object type corresponding to the first browsing behavior data as a first object type, and mark the object type corresponding to the second browsing behavior data as a second object type, to obtain browsing behavior data marked with the object type sample;

S96. Use the browsing behavior data sample labeled with the object type to train an initial feature classification model to obtain a target feature classification model, wherein the target feature classification model is used to perform a classification on the target object according to the first data. The verification obtains the first verification result.

Optionally, in this embodiment, you can first collect target data to train the initial single classification model to obtain the target single classification model, and then use the target single classification model to generate training data for the target feature classification model to train the initial feature classification model , Get the target feature classification model.

Optionally, in this embodiment, the aforementioned data set may, but is not limited to, include user behavior logs and the like.

In an optional implementation manner, a training module is provided to execute the training process of the model, and the training module can be used to update the online model daily to deal with new forgery behaviors generated by the attacker. Fig. 4 is a schematic diagram of a model training process according to an optional embodiment of the present disclosure. As shown in Fig. 4, the training process may but is not limited to include the following steps:

Step S402, training is based on the verification behavior data log recorded every day. First, the user behavior log of the day is collected. Based on the intranet IP (Internet Protocol) segment, as well as the user whitelist, IP whitelist, etc., the user must be filtered out to be ordinary users Behavioral data, that is, target data.

Step S404: Use the filtered user behavior data to update the original user data set, and use the updated data set to train the SVDD single classification model.

Step S406: Use the pre-segmented test data set for verification. The verification data set contains both user tag data and attacker tag data. The recall rate and accuracy rate of the model are verified, and the online model is updated if the standards are met.

Step S408: Use the updated SVDD model to detect all the behavior data of the day, extract all the behavior data classified as attacker data, and add it to the attacker data set.

Step S410: Use the updated user data set and the attacker data set to train the LSTM+LR model at the same time, and use the pre-segmented test set for verification to verify the recall rate and accuracy of the model, and update the online model if it meets the standard.

As an optional embodiment, before acquiring the first data and the second data generated by the target object on the displayed verification page within the target time period, the method further includes:

S101: In a case where a target operation performed on a displayed operation page is detected, obtain a first page address of the operation page and a second page address of the verification page;

S102, searching for the first page address and the second page address having the corresponding relationship from the pre-stored operation page address and the verification page address having the corresponding relationship;

S103, in a case where the first page address and the second page address that have a corresponding relationship are found, display the verification page;

S104, in the case that the first page address and the second page address that have a corresponding relationship are not found, perform a preset operation on the verification page, where the preset operation is used to instruct the verification There is a security risk on the page.

Optionally, in this embodiment, before the verification page is displayed, the security of the verification page may be confirmed, but not limited to, the confirmation method may be to store the correspondence between the operation page address and the verification page address in advance , In order to identify the legal verification page corresponding to each operation page, before the user's operation is verified by man-machine, the page page is first verified, and the first page address of the operation page and the second page address of the verification page are obtained, thereby The first page address and the second page address that have a corresponding relationship are searched in the pre-stored operation page addresses and verification page addresses that have a corresponding relationship. If found, the verification page is considered to be safe, if not found If the verification page is reached, it is deemed that the verification page is illegal, and a preset operation is performed on it to indicate that the verification page has a security risk.

Optionally, in this embodiment, the target operation performed on the operation page triggers the display of the verification page. The operation page can, but is not limited to, include a game login page, a game registration page, a game transaction page, and other pages that require verification of the target object category (real human user or invading robot).

Optionally, in this embodiment, the preset operation is used to indicate that the verification page has a security risk. For example, the preset operations can include, but are not limited to: interception operations, reporting operations, risk warnings, blocking operations, and so on.

Through the above process, if it is detected that the target object has performed the target operation on the operation page, the correspondence between the operation page and the page address of the verification page is verified to determine whether the corresponding relationship has been stored in advance, and if so, the verification is displayed Page, if not, confirm that the verification page is a security risk. This prevents the verification page from being hijacked by an intruder, causing the user to perform operations on the verification page, causing risks and losses to the user, thereby improving the security of the verification page, thereby improving the security of user operations, and providing users with a safe Operating environment.

As an optional embodiment, obtaining the first page address of the operation page and the second page address of the verification page includes:

S111: Obtain encrypted data reported by the client, where the client is used to display the operation page and the verification page;

S112: Acquire secret key information corresponding to the client;

S113: Use the secret key information to decrypt the encrypted data to obtain the first page address and the second page address.

Optionally, in this embodiment, the verification process for the security of the page URL can be, but not limited to, performed by the server, and the client side reports information such as the page address in an encrypted manner.

Optionally, in this embodiment, different clients may, but are not limited to, correspond to different secret key information, and may also agree on the same secret key information with all clients.

Through the above process, the client uses encrypted transmission to report information to the server, which can further improve security.

As an optional embodiment, after obtaining the first page address of the operation page and the second page address of the verification page, the method further includes:

S121: Perform a security test on the operation page and the verification page to obtain target risk information corresponding to the operation page and the verification page, where the target risk information is used to indicate that the operation page and the verification page are Describe the risks of operations on the verification page;

S122: Display the target risk information to the target object.

Optionally, in this embodiment, the security test process can be, but is not limited to, used to test the security risks on the page, such as: testing the operation page and verifying whether there are malicious websites, malicious downloads, and phishing links on the page. , Trojan horse virus and other risks, as well as whether the operating environment on the operating page and verification page is safe, whether the operating behavior is guaranteed, and so on.

Optionally, in this embodiment, the target risk information may include but is not limited to information including at least one of the risk value and the risk type. For example, the security risk of the page may be scored according to the result of the security test to obtain the risk value. , For the operation page and the verification page, the respective risk values can be scored separately, and the results of the safety inspection can also be merged into a risk value. The target risk information displayed to the target object can be, but is not limited to, the obtained risk value. For example, the risk value is 90 points, which means that there is almost no risk in the operation on the page. The risk value is 45 points, which means that the risk of performing operations on the page is higher. The target risk information can also be used to show the risk type to the target object. For example, the risk value is 45 points, and the risk type is: Trojan horse, malicious website and malicious download.

Optionally, in this embodiment, the risk type can also be recorded in a list. While obtaining the risk value, check the existing risk type in the list, and display the risk value and the checked list to target.

Through the above process, the security test is performed on the operation page and the verification page, and the obtained target risk information is displayed to the target object, thereby prompting the target object about the possible security risks of the operation. The safety of user operations is improved, and a safe operating environment is provided for users.

As an optional embodiment, performing a security test on the operation page and the verification page to obtain target risk information corresponding to the operation page and the verification page includes:

S131: Perform a security test on the operation page to obtain first risk information, where the first risk information is used to indicate the risks of operations on the operation page;

S132: Perform a security test on the verification page to obtain second risk information, where the second risk information is used to indicate the risks of operations on the verification page;

S133: Determine the target risk information according to the first risk information, the second risk information, and the target search result, where the target search result is used to indicate the address and verification of the corresponding operation page from the pre-stored The result of searching for the first page address and the second page address that have a corresponding relationship in the page address.

Optionally, in this embodiment, it is possible, but not limited to, to perform security tests on the operation page and the verification page respectively to obtain respective corresponding risk information, and then combine the verification results obtained by verifying the page address correspondence relationship to determine the target risk information.

Optionally, in this embodiment, the target search result also affects the security of the operation page and the verification page. For example, if the target search result is that no correspondence is found, the security of the confirmation operation page and the verification page will be reduced. , If the target search result is that the corresponding relationship is found, the security of the confirmation operation page and the verification page will be improved accordingly.

The present disclosure also provides an optional embodiment, which provides a human-machine verification method based on user behavior. Fig. 5 is a schematic diagram of a human-machine verification method based on user behavior according to an optional embodiment of the present disclosure. As shown in Fig. 5, the method may but is not limited to include the following steps:

Step S502: Obtain user behavior data and divide it into user page browsing behavior and user verification code operation behavior.

In step S504, the user page browsing behavior is sampled at a fixed time interval of the mouse, scroll wheel and other behaviors, and the keyboard data is intercepted by the maximum fixed length to obtain the browsing behavior data. The LSTM+LR model is used to classify the browsing behavior data, and the classification result is obtained.

Step S506: Regarding the user verification code operation behavior, use it as the verification behavior data and use the self-encoder to encode, and obtain the behavior code as the encoded data. Use the SVDD single classification model to classify it, and get the classification result.

In step S508, the above two classification results are merged to obtain the final judgment result.

Optionally, in this optional embodiment, after using a self-encoder to perform encoding to obtain behavioral encoding, the foregoing method may also include but is not limited to the following steps:

Step S510: Use a mean-shift (mean shift) algorithm to cluster the behavior codes, and bind related ips according to the clustering results.

In step S512, the access frequency of the bound ip is jointly counted.

In step S514, if the joint access frequency exceeds the specified threshold, the newly accessed ip is marked as suspicious, and if the ip is marked as suspicious multiple times, it is added to the blacklist.

Step S516: For the blacklist ip, it is fed back to the front end to increase the difficulty of verification, and at the same time, fed back to the classification model to increase the difficulty of classifying it as a normal user.

Through the above process, data features are automatically extracted based on the deep network, which avoids the limitations of manually extracting features, and also improves the efficiency and accuracy of feature extraction. The collected user behavior is not limited to the verification process, and the user behavior is divided into two sequences with relatively different characteristics of page browsing behavior and verification code operation behavior, and different models are used to classify the two sequences, which enriches the dimension of the verification process And the amount of information, thereby improving the accuracy of verification. Use a single classification model to classify user data, avoiding the difficulty of collecting attacker data. The clustering model is used to analyze the similarity of the attacker's forged behavior, which prevents the attacker from directly using real user behavior for false verification after cracking the front-end code. Thereby, the accuracy of the verification of the verification operation is improved.

It should be noted that for the foregoing method embodiments, for the sake of simple description, they are all expressed as a series of action combinations, but those skilled in the art should know that the present disclosure is not limited by the described sequence of actions. Because according to the present disclosure, certain steps can be performed in other order or at the same time. Secondly, those skilled in the art should also know that the embodiments described in the specification are all optional embodiments, and the involved actions and modules are not necessarily required by the present disclosure.

Through the description of the above embodiments, those skilled in the art can clearly understand that the method according to the above embodiment can be implemented by means of software plus the necessary general hardware platform, of course, it can also be implemented by hardware, but in many cases the former is Better implementation. Based on this understanding, the technical solution of the present disclosure essentially or the part that contributes to the existing technology can be embodied in the form of a software product, and the computer software product is stored in a storage medium (such as ROM/RAM, magnetic disk, The optical disc) includes several instructions to make a terminal device (which can be a mobile phone, a computer, a server, or a network device, etc.) execute the methods described in the various embodiments of the present disclosure.

According to another aspect of the embodiments of the present disclosure, there is also provided a verification device for implementing the operation of the verification method of the above operation. Fig. 6 is a schematic diagram of an optional operation verification device according to an embodiment of the present disclosure. As shown in Fig. 6, the device may include:

The first obtaining module 62 is configured to obtain the first data and the second data generated by the target object on the displayed verification page within the target time period, wherein the verification page is used to verify that the target object is on the verification page The target verification operation performed is verified, the target time period includes the time from displaying the verification page to the end of performing the target verification operation, and the first data is that the target object is before the target verification operation starts to perform the target verification operation. Generated browsing behavior data, where the second data is verification behavior data generated by the target object performing the target verification operation;

The first verification module 64 is configured to verify the target object according to the first data to obtain a first verification result, and to verify the target verification operation according to the second data to obtain a second verification result;

The first determining module 66 is configured to determine a target verification result corresponding to the target verification operation according to the first verification result and the second verification result, wherein the target verification result is used to indicate whether the target verification operation is approved.

It should be noted that the first obtaining module 62 in this embodiment can be configured to perform step S202 in the embodiment of the present disclosure, and the first verification module 64 in this embodiment can be configured to perform step S204 in the embodiment of the present disclosure. , The first determining module 66 in this embodiment may be configured to execute step S206 in the embodiment of the present disclosure.

It should be noted here that the examples and application scenarios implemented by the foregoing modules and corresponding steps are the same, but are not limited to the content disclosed in the foregoing embodiments. It should be noted that, as a part of the device, the above-mentioned modules can run in the hardware environment as shown in FIG. 1, and can be implemented by software or hardware.

Through the above modules, the behavior data generated on the verification page is obtained from the display verification page, and the behavior data generated on the verification page is divided into two dimensions: browsing behavior and verification behavior. The verification results of the dimensions are merged to obtain the final verification result of the target verification operation, which achieves the purpose of increasing the difficulty of passing the verification, thereby achieving the technical effect of improving the accuracy of the verification operation performed on the verification page, thereby solving related technologies The technical problem of low accuracy in verifying the verification operations performed on the verification page.

As an optional embodiment, the first verification module includes:

An extraction unit, configured to perform feature extraction on the first data to obtain data features corresponding to the first data;

The classification unit is configured to classify the data features, and obtain the target object type corresponding to the target object as the first verification result.

As an optional embodiment, the extraction unit is configured to: divide the first data into data of multiple data types according to the data generation mode; Perform feature extraction on data of each type to obtain the data feature corresponding to the data of each data type;

The classification unit is configured to: respectively classify the data characteristics corresponding to the data of each data type to obtain the object type corresponding to the data of each data type; and to determine the object corresponding to the data of each data type The types are merged to obtain the target object type.

As an optional embodiment, the first verification module includes:

The first input unit is configured to input the first data into a target feature classification model, wherein the target feature classification model is obtained by training an initial feature classification model using browsing behavior data samples marked with object types;

The first obtaining unit is configured to obtain the target object type output by the target feature classification model as the first verification result, wherein the target object type is included in the object type marked by the behavior data sample.

As an optional embodiment, the first acquiring unit is configured to:

The feature extraction layer is used to perform feature extraction on the first data to obtain data features, wherein the target feature classification model includes a first input layer, the feature extraction layer, a classification layer, and a first output layer that are sequentially connected. The first input layer is used to receive the first data;

Classify the data feature through the classification layer to obtain the probability that the data feature belongs to each object type among multiple object types;

The first output layer determines the target object type from the multiple object types according to the probability that the data feature belongs to each of the multiple object types, and outputs the target object type.

As an optional embodiment, the first verification module includes:

The first determining unit is configured to determine whether the second data meets the verification condition corresponding to the verification page;

A second determining unit, configured to determine that the second verification result is used to indicate that the target verification operation fails verification when it is determined that the second data does not meet the verification condition;

The third determining unit is configured to determine whether the target verification operation passes the verification according to the similarity between the second data and the target data when it is determined that the second data meets the verification conditions, to obtain the The second verification result, wherein the target data is data extracted from a verification operation that has passed verification.

As an optional embodiment, the third determining unit is configured to:

Encoding the second data to obtain encoded data;

Inputting the encoded data into a target single classification model, wherein the target single classification model is obtained by training an initial single classification model using the target data;

The verification identifier output by the target single classification model is obtained as the second verification result, wherein the verification identifier is used to indicate whether the encoded data passes verification.

As an optional embodiment, the third determining unit is configured to:

The similarity between the encoded data and the target data is determined by a single classification layer, wherein the target single classification model includes a second input layer connected in sequence, the single classification layer and the second output layer, and the The second input layer is used to receive the encoded data;

Determine the relationship between the similarity and the target similarity through the second output layer;

In the case where the similarity is higher than the target similarity, output a first verification identifier through the second output layer, where the first verification identifier is used to indicate that the encoded data passes verification;

In the case that the similarity is not higher than the target similarity, a second verification identifier is output through the second output layer, where the second verification identifier is used to indicate that the encoded data fails verification.

As an optional embodiment, the device further includes:

The second determining module is configured to, after encoding the second data to obtain the encoded data, determine the target data type corresponding to the encoded data among the multiple data types, wherein the multiple data types It is obtained by clustering historical coded data;

The second obtaining module is configured to obtain the access frequency of the object corresponding to the data belonging to the target data type, wherein the access frequency is used to instruct the object corresponding to the data belonging to the target data type to access the verification page Frequency of;

A third determining module, configured to determine the object identifier of the target object as a suspicious identifier when the access frequency is higher than the target frequency;

The adjustment module is configured to increase the target when the target single classification model is used to process the data from the target marker when the number of times the target marker is determined to be the suspicious marker is higher than the target number Similarity.

As an optional embodiment, the device further includes:

The third acquisition module is configured to perform verification on the target object according to the first data to obtain a first verification result, and perform verification on the target verification operation according to the second data to obtain a second verification result, from Obtain target data in a collection of collected data, where the target data is data extracted from verification operations that have passed verification;

The first training module is configured to use the target data to train the initial single classification model to obtain a target single classification model, wherein the target single classification model is used to verify the target verification operation according to the second data Obtain the second verification result;

The second verification module is configured to use the target single classification model to verify the data in the data set, and obtain the data that fails the verification as a verification result;

A fourth obtaining module, configured to obtain, from the data set, first browsing behavior data corresponding to the target data and second browsing behavior data corresponding to data that has not passed the verification as a verification result;

The labeling module is configured to label the object type corresponding to the first browsing behavior data as the first object type, and label the object type corresponding to the second browsing behavior data as the second object type, to obtain the object type labeled Browse behavioral data samples;

The second training module is configured to train the initial feature classification model using the browsing behavior data sample labeled with the object type to obtain a target feature classification model, wherein the target feature classification model is used to pair according to the first data The target object performs verification to obtain a first verification result.

As an optional embodiment, the device further includes:

The fifth acquisition module is configured to acquire the target operation performed on the displayed operation page before acquiring the first data and the second data generated by the target object on the displayed verification page during the target time period. The first page address of the operation page and the second page address of the verification page;

The search module is configured to search for the first page address and the second page address with the corresponding relationship from the pre-stored operation page address and the verification page address with the corresponding relationship;

A display module, configured to display the verification page when the first page address and the second page address that have a corresponding relationship are found;

The operation module is configured to perform a preset operation on the verification page when the first page address and the second page address that have a corresponding relationship are not found, wherein the preset operation is used to instruct The verification page has security risks.

As an optional embodiment, the fifth acquiring module includes:

The second obtaining unit is configured to obtain encrypted data reported by the client, where the client is used to display the operation page and the verification page;

The third obtaining unit is configured to obtain secret key information corresponding to the client;

The decryption unit is configured to use the secret key information to decrypt the encrypted data to obtain the first page address and the second page address.

As an optional embodiment, the device further includes:

The test module is configured to perform a security test on the operation page and the verification page after obtaining the first page address of the operation page and the second page address of the verification page to obtain the operation page and the verification page. The target risk information corresponding to the verification page, where the target risk information is used to indicate the risks of operations on the operation page and the verification page;

The display module is configured to display the target risk information to the target object.

As an optional embodiment, the test module includes:

The first test unit is configured to perform a security test on the operation page to obtain first risk information, where the first risk information is used to indicate the risks of performing operations on the operation page;

The second test unit is configured to perform a security test on the verification page to obtain second risk information, where the second risk information is used to indicate the risks of operations on the verification page;

The fourth determining unit is configured to determine the target risk information according to the first risk information, the second risk information, and the target search result, wherein the target search result is used to indicate the corresponding relationship from the pre-stored The result of searching the first page address and the second page address that have a corresponding relationship in the operation page address and the verification page address.

It should be noted here that the examples and application scenarios implemented by the foregoing modules and corresponding steps are the same, but are not limited to the content disclosed in the foregoing embodiments. It should be noted that, as a part of the device, the above-mentioned modules can run in the hardware environment as shown in FIG. 1, and can be implemented by software or hardware, where the hardware environment includes a network environment.

According to another aspect of the embodiments of the present disclosure, there is also provided a server or terminal for implementing the verification method of the above operation.

FIG. 7 is a structural block diagram of a terminal according to an embodiment of the present disclosure. As shown in FIG. 7, the terminal may include: one or more (only one is shown in the figure) processor 701, memory 703, and transmission device 705 As shown in FIG. 7, the terminal may also include an input and output device 707.

The memory 703 can be configured to store software programs and modules, such as the operation verification method and device corresponding program instructions/modules in the embodiments of the present disclosure. The processor 701 runs the software programs and modules stored in the memory 703, thereby Perform various functional applications and data processing, that is, realize the verification method of the above-mentioned operation. The memory 703 may include a high-speed random access memory, and may also include a non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 703 may include a memory remotely provided with respect to the processor 701, and these remote memories may be connected to the terminal through a network. Examples of the aforementioned networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.

The aforementioned transmission device 705 is configured to receive or send data via a network, and may also be configured to transmit data between the processor and the memory. The above-mentioned optional examples of networks may include wired networks and wireless networks. In one example, the transmission device 705 includes a network adapter (Network Interface Controller, NIC), which can be connected to other network devices and routers via a network cable so as to communicate with the Internet or a local area network. In one example, the transmission device 705 is a radio frequency (RF) module, which is configured to communicate with the Internet in a wireless manner.

Wherein, optionally, the memory 703 is configured to store an application program.

The processor 701 may call the application program stored in the memory 703 through the transmission device 705 to perform the following steps:

By adopting the embodiments of the present disclosure, a scheme of operation verification is provided. By starting from displaying the verification page to obtain the behavior data generated on the verification page, the behavior data generated on the verification page is divided into two dimensions, browsing behavior and verification behavior, and verifying separately to obtain their respective verification results, and then verifying the results of the two dimensions The final verification result of the target verification operation is obtained by fusion, which achieves the purpose of increasing the difficulty of verification, thereby achieving the technical effect of improving the accuracy of the verification operation performed on the verification page, thereby solving the problem of the verification page in the related technology. The verification operation performed on the technical problem of low accuracy of verification.

Optionally, for optional examples in this embodiment, reference may be made to the examples described in the foregoing embodiment, and this embodiment will not be repeated here.

Those of ordinary skill in the art can understand that the structure shown in Fig. 7 is only for illustration, and the terminal can be a smart phone (such as an Android phone, an iOS phone, etc.), a tablet computer, a handheld computer, and a mobile Internet device (Mobile Internet Devices, MID), Terminal equipment such as PAD. FIG. 7 does not limit the structure of the above-mentioned electronic device. For example, the terminal may also include more or fewer components (such as a network interface, a display device, etc.) than shown in FIG. 7, or have a different configuration from that shown in FIG.

Those of ordinary skill in the art can understand that all or part of the steps in the various methods of the above-mentioned embodiments can be completed by instructing the relevant hardware of the terminal device through a program. The program can be stored in a computer-readable storage medium, and the storage medium can be Including: flash disk, read-only memory (Read-Only Memory, ROM), random access device (Random Access Memory, RAM), magnetic disk or optical disk, etc.

The embodiment of the present disclosure also provides a storage medium. Optionally, in this embodiment, the above-mentioned storage medium may be set as the program code of the verification method for executing the operation.

Optionally, in this embodiment, the foregoing storage medium may be located on at least one of the multiple network devices in the network shown in the foregoing embodiment.

Optionally, in this embodiment, the storage medium is configured to store program code for executing the following steps:

Acquiring first data and second data generated by the target object on the displayed verification page within the target time period, wherein the verification page is used to verify the target verification operation performed by the target object on the verification page, The target time period includes the time from displaying the verification page to the end of performing the target verification operation, the first data is browsing behavior data generated by the target object before starting to perform the target verification operation, and The second data is verification behavior data generated by the target object performing the target verification operation;

Optionally, in this embodiment, the foregoing storage medium may include, but is not limited to: U disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), mobile hard disk, magnetic disk Various media that can store program codes such as discs or optical discs.

The sequence numbers of the above-mentioned embodiments of the present disclosure are only for description, and do not represent the superiority or inferiority of the embodiments.

If the integrated unit in the foregoing embodiment is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in the foregoing computer-readable storage medium. Based on this understanding, the technical solution of the present disclosure essentially or the part that contributes to the prior art or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, It includes several instructions to make one or more computer devices (which may be personal computers, servers, or network devices, etc.) execute all or part of the steps of the methods described in the various embodiments of the present disclosure.

In the above-mentioned embodiments of the present disclosure, the description of each embodiment has its own focus. For parts that are not described in detail in an embodiment, reference may be made to related descriptions of other embodiments.

In the several embodiments provided in the present disclosure, it should be understood that the disclosed client can be implemented in other ways. The device embodiments described above are merely illustrative, for example, the division of the units is only a logical function division, and there may be other divisions in actual implementation, for example, multiple units or components may be combined or may be Integrate into another system, or some features can be ignored or not implemented. In addition, the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, units or modules, and may be in electrical or other forms.

The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.

In addition, the functional units in the various embodiments of the present disclosure may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.

The above are only optional implementations of the present disclosure. It should be pointed out that for those of ordinary skill in the art, without departing from the principles of the present disclosure, several improvements and modifications can be made. These improvements and modifications It should also be regarded as the protection scope of the present disclosure.

Claims

An operation verification method, including:

Acquiring the first data and the second data generated by the target object on the displayed verification page within the target time period, wherein the verification page is used to verify the target verification operation performed by the target object on the verification page, The target time period includes the time from the display of the verification page to the end of the execution of the target verification operation, the first data is browsing behavior data generated by the target object before the target verification operation starts, and the The second data is verification behavior data generated by the target object performing the target verification operation;

Verifying the target object according to the first data to obtain a first verification result, and verifying the target verification operation according to the second data to obtain a second verification result;

The target verification result corresponding to the target verification operation is determined according to the first verification result and the second verification result, wherein the target verification result is used to indicate whether the target verification operation passes verification.
The method according to claim 1, wherein, verifying the target object according to the first data to obtain the first verification result comprises:

Performing feature extraction on the first data to obtain data features corresponding to the first data;

The data characteristics are classified, and the target object type corresponding to the target object is obtained as the first verification result.
The method of claim 2, wherein:

Performing feature extraction on the first data to obtain the data feature corresponding to the first data includes: dividing the first data into data of multiple data types according to the way the data is generated; Feature extraction for data of each data type in the data to obtain the data feature corresponding to the data of each data type;

Classifying the data characteristics to obtain the target object type corresponding to the target object as the first verification result includes: separately classifying the data characteristics corresponding to the data of each data type to obtain the The object type corresponding to the data of the data type; the object type corresponding to the data of each data type is merged to obtain the target object type.
The method according to claim 1, wherein, verifying the target object according to the first data to obtain the first verification result comprises:

Inputting the first data into a target feature classification model, where the target feature classification model is obtained by training an initial feature classification model using browsing behavior data samples marked with object types;

The target object type output by the target feature classification model is acquired as the first verification result, wherein the target object type is included in the object type marked by the behavior data sample.
The method according to claim 4, wherein obtaining the target object type output by the target feature classification model as the first verification result comprises:

The feature extraction layer is used to perform feature extraction on the first data to obtain data features, wherein the target feature classification model includes a first input layer, the feature extraction layer, a classification layer, and a first output layer that are sequentially connected. The first input layer is used to receive the first data;

Classify the data feature through the classification layer to obtain the probability that the data feature belongs to each object type among multiple object types;

The first output layer determines the target object type from the multiple object types according to the probability that the data feature belongs to each of the multiple object types, and outputs the target object type.
The method according to claim 1, wherein verifying the target verification operation according to the second data to obtain a second verification result comprises:

Determining whether the second data meets the verification condition corresponding to the verification page;

In a case where it is determined that the second data does not meet the verification condition, determining that the second verification result is used to indicate that the target verification operation fails verification;

In a case where it is determined that the second data meets the verification condition, it is determined whether the target verification operation passes verification according to the similarity between the second data and the target data, and the second verification result is obtained, wherein, The target data is data extracted from verification operations that have passed verification.
The method according to claim 6, wherein determining whether the target verification operation passes verification according to the similarity between the second data and target data, and obtaining the second verification result comprises:

Encoding the second data to obtain encoded data;

Inputting the encoded data into a target single classification model, wherein the target single classification model is obtained by training an initial single classification model using the target data;

The verification identifier output by the target single classification model is obtained as the second verification result, wherein the verification identifier is used to indicate whether the encoded data passes verification.
The method according to claim 7, wherein obtaining the verification identifier output by the target single classification model as the second verification result comprises:

The similarity between the encoded data and the target data is determined by a single classification layer, wherein the target single classification model includes a second input layer connected in sequence, the single classification layer and the second output layer, and the The second input layer is used to receive the encoded data;

Determine the relationship between the similarity and the target similarity through the second output layer;

In the case where the similarity is higher than the target similarity, output a first verification identifier through the second output layer, where the first verification identifier is used to indicate that the encoded data passes verification;

In the case that the similarity is not higher than the target similarity, a second verification identifier is output through the second output layer, where the second verification identifier is used to indicate that the encoded data fails verification.
The method according to claim 8, wherein, after encoding the second data to obtain the encoded data, the method further comprises:

Determine the target data type corresponding to the encoded data among multiple data types, where the multiple data types are obtained by clustering historical encoded data;

Acquiring the access frequency of the object corresponding to the data belonging to the target data type, where the access frequency is used to indicate the frequency of the object corresponding to the data generating the target data type accessing the verification page;

If the access frequency is higher than the target frequency, determining the object identifier of the target object as a suspicious identifier;

In the case where the object identification is determined to be the number of times the suspicious identification is higher than the target number, the target similarity when the target single classification model is used to process the data from the object identification is adjusted upward.
The method according to claim 1, wherein the first verification result is obtained by verifying the target object according to the first data, and the second verification is obtained by verifying the target verification operation according to the second data Before the result, the method also includes:

Obtain target data from the collected data set, where the target data is data extracted from verification operations that have passed verification;

Use the target data to train an initial single classification model to obtain a target single classification model, wherein the target single classification model is used to verify the target verification operation according to the second data to obtain a second verification result;

Use the target single classification model to verify the data in the data set, and obtain the data that fails the verification as a verification result;

Acquiring, from the data set, first browsing behavior data corresponding to the target data and second browsing behavior data corresponding to data whose verification result is that the verification fails;

Marking the object type corresponding to the first browsing behavior data as a first object type, and marking the object type corresponding to the second browsing behavior data as a second object type, to obtain a browsing behavior data sample marked with the object type;

Use the browsing behavior data sample labeled with the object type to train the initial feature classification model to obtain a target feature classification model, wherein the target feature classification model is used to verify the target object according to the first data to obtain The first verification result.
The method according to claim 1, wherein before acquiring the first data and the second data generated by the target object on the displayed verification page within the target time period, the method further comprises:

In the case of detecting the target operation performed on the displayed operation page, acquiring the first page address of the operation page and the second page address of the verification page;

Searching for the first page address and the second page address that have a corresponding relationship from the pre-stored operation page addresses and verification page addresses that have a corresponding relationship;

In a case where the first page address and the second page address that have a corresponding relationship are found, display the verification page;

In the case that the first page address and the second page address that have a corresponding relationship are not found, perform a preset operation on the verification page, where the preset operation is used to indicate that the verification page exists Security Risk.
The method according to claim 11, wherein acquiring the first page address of the operation page and the second page address of the verification page comprises:

Acquiring encrypted data reported by the client, where the client is used to display the operation page and the verification page;

Acquiring secret key information corresponding to the client;

Use the secret key information to decrypt the encrypted data to obtain the first page address and the second page address.
The method according to claim 11, wherein, after obtaining the first page address of the operation page and the second page address of the verification page, the method further comprises:

Perform a security test on the operation page and the verification page to obtain target risk information corresponding to the operation page and the verification page, where the target risk information is used to indicate that the operation page and the verification page The risks of operations on the page;

The target risk information is displayed to the target object.
The method according to claim 13, wherein performing a security test on the operation page and the verification page to obtain target risk information corresponding to the operation page and the verification page comprises:

Performing a security test on the operation page to obtain first risk information, where the first risk information is used to indicate the risks of performing operations on the operation page;

Performing a security test on the verification page to obtain second risk information, where the second risk information is used to indicate the risks of operations on the verification page;

The target risk information is determined according to the first risk information, the second risk information, and the target search result, wherein the target search result is used to indicate that the address of the corresponding operation page and the verification page are stored in advance. The result of searching for the first page address and the second page address that have a corresponding relationship in the.
An operational verification device, including:

The first obtaining module is configured to obtain the first data and the second data generated by the target object on the displayed verification page during the target time period, wherein the verification page is used to perform the execution on the verification page for the target object The target verification operation is verified by the target verification operation, the target time period includes the time from the display of the verification page to the end of the execution of the target verification operation, and the first data is generated by the target object before the target verification operation starts to be executed Browsing behavior data of, where the second data is verification behavior data generated by the target object performing the target verification operation;

A first verification module, configured to verify the target object according to the first data to obtain a first verification result, and to verify the target verification operation according to the second data to obtain a second verification result;

The first determining module is configured to determine a target verification result corresponding to the target verification operation according to the first verification result and the second verification result, wherein the target verification result is used to indicate whether the target verification operation passes verify.
A storage medium including a stored program, wherein the method described in any one of claims 1 to 14 is executed when the program is running.
An electronic device comprising a memory, a processor, and a computer program stored on the memory and capable of running on the processor, and the processor executes any one of claims 1 to 14 through the computer program The method described.