WO2019114246A1 - Identity authentication method, server and client device - Google Patents
- Publication number
- WO2019114246A1 (PCT/CN2018/092950)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- attribute information
- client device
- behavior attribute
- identity authentication
- server
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Definitions
- the present invention relates to the field of communications technologies, and in particular, to an identity authentication method, a server, and a client device.
- the embodiments of the present invention provide an identity authentication method, a server, and a client device, to solve the technical problem in the prior art that account information is fraudulently used after the terminal is lost.
- the present invention provides an identity authentication method, the method comprising:
- the server receives the first behavior attribute information sent by the client device, where the first behavior attribute information is information, collected by the client device in a preset time period, that is generated by the user operating the client device;
- the server performs similarity matching between the first behavior attribute information and the legal samples in the legal sample set, and if the matching fails, sends an explicit identity authentication request message to the client device; the legal sample set is a set of behavior attribute information collected by the client device after identity authentication.
- the method further includes:
- the server receives an explicit identity authentication response message sent by the client device
- after determining, according to the explicit identity authentication response message, that the explicit identity authentication has passed, the server uses the first behavior attribute information as a special sample and adds the special sample to the legal sample set.
- the server performs similarity matching between the first behavior attribute information and a legal sample in the legal sample set, including:
- the server determines that the matching fails when the first behavior attribute information satisfies the following conditions:
- the server determines that the first similarity value is smaller than a first threshold, where the first similarity value is a similarity value between the first behavior attribute information and an average value of legal samples in the legal sample set;
- the server determines that the second similarity value is less than a second threshold, and the second similarity value is a similarity value between the first behavior attribute information and each special sample in the legal sample set.
- the method further includes:
- the server adds the first behavior attribute information as a legal sample to the legal sample set.
- an embodiment of the present invention provides an identity authentication method, where the method includes:
- the client device sends the first behavior attribute information to the server;
- the first behavior attribute information is information, collected by the client device in the preset time period, that is generated by the user operating the client device;
- the client device receives an explicit identity authentication request message sent by the server, where the explicit identity authentication request message is sent by the server after similarity matching between the first behavior attribute information and the legal samples in a legal sample set fails.
- the legal sample set is a set of behavior attribute information collected by the client device after the identity authentication.
- in a third aspect, an embodiment of the present invention provides a server, where the server includes:
- a receiving unit configured to receive first behavior attribute information sent by the client device, where the first behavior attribute information is information, collected by the client device in a preset time period, that is generated by the user operating the client device;
- a processing unit configured to perform similarity matching on the first behavior attribute information with a legal sample in the legal sample set;
- the legal sample set is a set of behavior attribute information collected by the client device after the identity authentication;
- a sending unit configured to send an explicit identity authentication request message to the client device after the processing unit determines that the matching fails.
- the receiving unit is further configured to:
- the processing unit is further configured to, after determining according to the explicit identity authentication response message that the explicit identity authentication has passed, use the first behavior attribute information as a special sample and add the special sample to the legal sample set.
- processing unit is specifically configured to:
- the first similarity value is less than a first threshold, and the first similarity value is a similarity value between the first behavior attribute information and an average value of legal samples in the legal sample set;
- the second similarity value is less than a second threshold, the second similarity value being a similarity value between the first behavior attribute information and each of the special samples in the legal sample set.
- processing unit is further configured to:
- the first behavior attribute information is added as a legal sample to the legal sample set.
- an embodiment of the present invention provides a client device, where the client device includes:
- a sending unit configured to send first behavior attribute information to the server;
- the first behavior attribute information is information, collected by the client device in a preset time period, that is generated by the user operating the client device;
- a receiving unit configured to receive an explicit identity authentication request message sent by the server, where the explicit identity authentication request message is sent by the server after similarity matching between the first behavior attribute information and the legal samples in a legal sample set fails;
- the legal sample set is a set of behavior attribute information collected by the client device after the identity authentication.
- an embodiment of the present invention provides an authentication device, including:
- a memory for storing program instructions
- a processor configured to invoke a program instruction stored in the memory, and execute the above method according to the obtained program.
- an embodiment of the present invention provides a computer readable storage medium, where the storage medium stores instructions that, when executed on a computer, cause a computer to implement the method of the first aspect described above.
- an embodiment of the present invention provides a computer program product, the computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform any of the methods described above.
- the server receives the first behavior attribute information sent by the client device and performs similarity matching between the first behavior attribute information and the legal samples in the legal sample set. If the matching fails, the server sends an explicit identity authentication request message to the client device.
- the first behavior attribute information is information, collected by the client device in a preset time period, that is generated by the user operating the client device, and the legal sample set is a set of behavior attribute information collected by the client device after identity authentication.
- the server continues to receive the information generated by the user operating the client device and matches the received information with the legal samples, so that even if a malicious user fraudulently uses the user's account information, it is difficult for the malicious user to imitate or steal the operation information of the original user. The malicious user is therefore identified because the behavior attributes differ from those of the original user during use, which effectively prevents the account information from being fraudulently used, improves the reliability of identity authentication, and thus helps ensure the security of the user's information.
- FIG. 1 is a schematic structural diagram of a system used in an embodiment of the present invention.
- FIG. 2 is a schematic flowchart of an identity authentication method according to an embodiment of the present invention.
- FIG. 3 is a schematic diagram of a preset time period according to an embodiment of the present disclosure.
- FIG. 4 is a schematic diagram of an overall process involved in an embodiment of the present invention.
- FIG. 5 is a schematic structural diagram of a server according to an embodiment of the present disclosure.
- FIG. 6 is a schematic structural diagram of a client device according to an embodiment of the present invention.
- FIG. 7 is a schematic structural diagram of an authentication device according to another embodiment of the present invention.
- FIG. 8 is a schematic structural diagram of an authentication device according to another embodiment of the present invention.
- FIG. 1 is a schematic diagram showing a system architecture used in an embodiment of the present invention.
- a system architecture applicable to an embodiment of the present invention includes a server 101 and one or more client devices; FIG. 1 shows client device 102, client device 103, and client device 104.
- the server and the client device 102, the client device 103, and the client device 104 can communicate through the network.
- the server 101 can send an explicit identity authentication request message to any of the client device 102, the client device 103, and the client device 104; any client device can return an explicit identity authentication response message according to the explicit identity authentication request message.
- the client device may be multiple types of devices, such as a smart phone, a tablet computer, a notebook computer, and the like.
- FIG. 2 is a schematic flowchart of an identity authentication method according to an embodiment of the present invention. As shown in FIG. 2, the method includes the following steps:
- Step 201 The client device sends the first behavior attribute information to the server.
- Step 202 The server receives the first behavior attribute information sent by the client device.
- Step 203 The server performs similarity matching between the first behavior attribute information and the legal sample in the legal sample set. If the matching fails, the server sends an explicit identity authentication request message to the client device.
- Step 204 The client device receives an explicit identity authentication request message sent by the server.
- the server continues to receive the information generated by the user operating the client device and matches the received information with the legal samples, so that even if a malicious user fraudulently uses the user's account information, it is difficult for the malicious user to imitate or steal the operation information of the original user. The malicious user is therefore identified because the behavior attributes differ from those of the original user during use, which effectively prevents the account information from being fraudulently used, improves the reliability of identity authentication, and thus helps ensure the security of the user's information.
- the embodiment of the present invention needs to generate a legal sample set in advance, wherein the legal sample set is a set of behavior attribute information collected by the client device after explicit identity authentication.
- the client device collects the behavior attribute information of the user in the login process, and uses the collected behavior attribute information as a legal sample.
- the explicit identity authentication is an authentication method that requires the user to input a password, such as an account name and a corresponding static password, a card number and a corresponding static password, or a mobile phone number and a corresponding short message verification code.
- when a user logs in to an application by using a client device, for example, when the user logs in to mobile banking by using a smart phone, the bank card number and password need to be input first; when the input bank card number and password are correct, the identity authentication is determined to have passed. The smart phone can then collect behavior attribute information during the user login process and take the collected behavior attribute information as a legal sample.
- the behavior attribute information is information generated by the user operating the client device. Some of the information generated by the user operating the client device may have little influence on identity authentication. Therefore, the information generated by the user operating the client device may be filtered, and the information that has a greater influence on identity authentication is used as the behavior attribute information, so that the behavior attribute information better reflects the user's behavior characteristics and its accuracy is improved.
- the information generated by the user operating the client device may include behavior elements such as the user's IP address, the location of the client device, the user's reading speed, and the web page address.
- the location of the user's IP address is relatively fixed, and thus can be used as a behavior element in the behavior attribute information; similarly, the user's reading speed is a usage habit of the user, and thus can also be used as a behavior element in the behavior attribute information; the web page address changes according to the user's needs, so the web page address may be left out of the behavior attribute information.
- Table 1 An example of whether the information generated by the user operating the client device is used as the behavior attribute information.
- the first behavior attribute information is information, collected by the client device in the preset time period, that is generated by the user operating the client device.
- the preset time period is any one of N time periods between the user's login to the account and the next login.
- as shown in the time period diagram, the interval from a successful login to the next login can be divided equally into N time periods; the client device can collect the information generated by the user operating the client device in the i-th time period and use the collected information as the first behavior attribute information.
- the attribute included in the first behavior attribute information is consistent with the attribute included in the behavior attribute in the legal sample.
- a preset time period may be determined by a person skilled in the art according to experience and actual conditions, and is not limited thereto.
- the server may perform the similarity matching between the first behavior attribute information and the legal sample in the legal sample set.
- a possible implementation manner is to obtain a first similarity value between the first behavior attribute information and each legal sample for any legal sample in the legal sample set.
- the way a matching failure is determined can vary. For example, the matching fails if the first similarity value between the first behavior attribute information and each legal sample is smaller than a preset similarity threshold; or the matching fails if the number of legal samples whose first similarity value with the first behavior attribute information is greater than or equal to the preset similarity threshold is less than a preset number threshold.
- the preset similarity threshold and the preset number threshold may be determined by a person skilled in the art according to experience and actual conditions, and are not specifically limited.
- in another possible implementation, the average value of the legal samples in the legal sample set is determined, the first similarity value between the first behavior attribute information and the average value of the legal samples in the legal sample set is obtained, and it is determined whether the similarity value is less than the first threshold; if it is less, the matching fails.
- the first threshold value may be determined by a person skilled in the art according to experience and actual conditions, and is not limited thereto. The following describes the method of similarity matching using the average value of legal samples, including the following steps:
- Step 301 Determine an average value of legal samples in the legal sample set.
- the legal sample is the behavior attribute information collected by the client, and each legal sample includes at least one behavior element.
- the behavioral elements can be divided into numerical behavioral elements and textual behavioral elements. For example, the user's reading speed is "88.75 lines/min"; since the attribute value of the behavior element "user reading speed" is "88.75 lines/min", which is a numerical value, "user reading speed" can be used as a numerical behavior element;
- the location of the client device is "Qingxiu District of Nanning City"; since the attribute value of the behavior element "the location where the client device is located" is "Qingxiu District of Nanning City", which is text, "the location where the client device is located" can be used as a text-type behavior element.
- the average of the attribute values of the numeric behavioral elements can be used as the average of the behavioral elements.
- the legal sample set includes three legal samples: in legal sample 1, the user's reading speed is "88.75 lines/min"; in legal sample 2, the user's reading speed is "80.75 lines/min"; in legal sample 3, the user's reading speed is "84.75 lines/min". Using the average calculation formula, the average reading speed of the user is "84.75 lines/min".
- the average of textual behavioral elements can be determined based on the probability distribution of the attribute values of the textual behavioral elements.
- the legal sample set includes three legal samples. In legal sample 1, the IP address of the user is "172.18.19.20", the city where the client device is located is "Nanning", and the urban area where the client device is located is "Qingxiu District";
- in legal sample 2, the user's IP address is "172.18.19.20", the city where the client device is located is "Nanning", and the urban area where the client device is located is "Qingxiu District";
- in legal sample 3, the IP address of the user is "172.18.19.20", the city where the client device is located is "Nanning", and the urban area where the client device is located is "Jiangnan District".
- the user's IP address "172.18.19.20" occurs 3 times, and the probability distribution of the user's IP address can be recorded as {172.18.19.20, 3};
- the city "Nanning" where the client device is located occurs 3 times, and the probability distribution of the city where the client device is located can be recorded as {Nanning, 3};
- the urban area "Qingxiu District" where the client device is located occurs 2 times and "Jiangnan District" occurs 1 time, so the probability distribution of the urban area where the client device is located can be recorded as {Qingxiu District, 2; Jiangnan District, 1}.
- Table 3 An example of the probability distribution of text-type behavioral elements
- Step 302 Determine a weight value of the behavior element for each behavior element of the legal sample.
- the assignment of the weight values of the behavior elements directly affects the reliability and accuracy of the identity authentication.
- There are two main existing methods for assigning weight values: one is the subjective weighting method, based on the subjective judgment of the decision maker; the other is the objective weighting method, based on the decision matrix.
- the embodiment of the present invention takes the subjective weighting method as an example to determine the weight value of the behavioral element, and adopts the subjective weighting method to avoid the influence of the decision matrix, thereby ensuring the consistency of the decision thinking and improving the rationality of the weight value distribution.
- the behavioral elements of the legal sample include the user's IP address, the city where the client device is located, the urban area where the client device is located, and the user's reading speed.
- the weight value of the user's IP address can be set to 0.2, the weight value of the city where the client device is located to 0.3, the weight value of the urban area where the client device is located to 0.2, and the weight value of the user's reading speed to 0.3.
- Table 4 An example of weight value assignment for behavioral elements

| Behavioral element | Weights |
| --- | --- |
| User's IP address | 0.2 |
| The city where the client device is located | 0.3 |
| The urban area where the client device is located | 0.2 |
| User reading speed | 0.3 |

- Table 4 is only an example, and those skilled in the art can modify the content shown in Table 4 according to experience and actual situation, and are not limited thereto.
- Step 303 Determine, according to an average value of the legal sample and a weight value of the behavior element, a first similarity value between the first behavior attribute information and an average value of the legal sample.
- according to the attribute value of the numerical behavior element in the first behavior attribute information and the average value of that numerical behavior element in the legal sample set, the degree of difference between the numerical behavior element in the first behavior attribute information and the legal sample can be determined, and thereby the similarity value between the numerical behavior element and the legal sample.
- the similarity value between the first behavior attribute information and the average value of the legal sample can be calculated by the following formula:
- T_s is the similarity value between the numerical behavior element in the first behavior attribute information and the average value of the corresponding numerical behavior element in the legal sample
- x is the numerical behavior element in the first behavior attribute information
- the numerical behavioral element is a reading speed of the user.
- the average reading speed of the user is 84.75 lines/min; in the first behavior attribute information, the reading speed of the user is 50 lines/min; according to the above calculation formula, the similarity value between the reading speed of the user in the first behavior attribute and the average reading speed of the user in the legal sample set is 0.59.
- according to the attribute value of the text-type behavior element in the first behavior attribute information and the probability distribution of that text-type behavior element in the legal sample set, the similarity value between the text-type behavior element in the first behavior attribute information and the legal sample can be determined.
- the similarity value between the text-type behavior element in the first behavior attribute information and the legal sample can be calculated by the following formula:
- T_w is the similarity value between the text-type behavior element in the first behavior attribute information and the corresponding text-type behavior element in the legal sample
- y is the number of samples in the legal sample set whose attribute value for the text-type behavior element is the same as that in the first behavior attribute information
- N is the total number of samples in the legal sample set. y is an integer greater than or equal to 0, and N is an integer greater than or equal to 1.
- the text-type behavior element is an urban area where the client device is located.
- the probability distribution of the urban area where the client device is located is {Qingxiu District, 2; Jiangnan District, 1};
- in the first behavior attribute information, the urban area where the client device is located is Qingxiu District, and according to the above calculation formula, the similarity value between the urban area where the client device is located in the first behavior attribute and the urban area where the client device is located in the legal sample set is 0.67.
- the first similarity value between the first behavior attribute information and the average value of the legal sample may be determined according to the weight value of each behavior element, and can be calculated by the following formula:
- i is an integer greater than or equal to 1
- j is an integer greater than or equal to 1.
- as an example of the first similarity value between the first behavior attribute information and the average value of the legal samples: the weight value of the user's IP address is 0.2, the weight value of the city where the client device is located is 0.3, the weight value of the urban area where the client device is located is 0.2, and the weight value of the user's reading speed is 0.3; in the legal sample set, the probability distribution of the user's IP address is {172.18.19.20, 3}, the probability distribution of the city where the client device is located is {Nanning, 3}, the probability distribution of the urban area where the client device is located is {Qingxiu District, 2; Jiangnan District, 1}, and the average reading speed of the user is 84.75 lines/min. According to the above calculation formula, the first similarity value between the first behavior attribute information and the average value of the legal samples is 0.798.

| Behavioral element | Weights | Average of legal samples | The attribute value in the first behavior attribute |
| --- | --- | --- | --- |
| User's IP address | 0.2 | {172.18.19.20, 3} | 172.18.19.20 |
| The city where the client device is located | 0.3 | {Nanning, 3} | Nanning |

- Step 304 Determine whether the first similarity value is less than the first threshold. If the value is smaller than the first threshold, the matching fails; otherwise, the matching is successful.
- the server determines, according to the received explicit identity authentication response message sent by the client device, whether the explicit identity authentication has passed; after it has passed, the server uses the first behavior attribute information as a special sample, adds the special sample to the legal sample set, and determines whether the number of legal samples in the legal sample set is greater than a preset sample number threshold. If it is greater, the server deletes the legal samples with a longer storage time from the legal sample set until the number of legal samples remaining in the set is not greater than the preset sample number threshold.
- the preset sample number threshold may be determined by a person skilled in the art according to experience and actual conditions, and is not limited.
- the legal sample set is updated because a legal sample stored for a long time may no longer conform to the current user behavior; the first behavior attribute information of each identity authentication is therefore added to the legal sample set, and the legal samples with a long storage time are deleted, which improves the reference value of the legal sample set.
- the embodiment of the present invention provides another method for similarity matching, which specifically includes the following steps:
- Step 1 After determining that the first behavior attribute information fails to match the legal samples in the legal sample set, the server determines whether there is a special sample. If yes, step 2 is performed; if not, step 3 is performed.
- Step 2 The server matches the first behavior attribute information with a special sample for similarity.
- if the server determines that only one special sample exists, it determines the second similarity value between the first behavior attribute information and the special sample, and determines whether the second similarity value is less than a second threshold; if it is less than the second threshold, the matching fails.
- if the server determines that there are multiple special samples, it determines the second similarity value between the first behavior attribute information and each special sample, and determines whether any second similarity value is greater than or equal to the second threshold; if none is, the matching fails.
- the method for calculating the second similarity value may refer to the foregoing method for calculating the first similarity value, and details are not described herein again.
- a person skilled in the art can also determine the calculation method of the second similarity value according to the experience and the actual situation, which is not limited.
- Step 3 If the server determines that the matching fails, the server sends an explicit identity authentication request message to the client device.
- Step 401 The server receives the first behavior attribute information sent by the client device.
- Step 402 The server performs the similarity matching between the first behavior attribute information and the legal sample in the legal sample set. If the matching fails, step 403 is performed; if the matching is successful, step 404 is performed.
- Step 403 The server determines whether there is a special sample. If yes, step 405 is performed; if not, step 406 is performed.
- Step 404 The server adds the first behavior attribute information to the legal sample set, and returns to step 401.
- Step 405 The server performs the similarity matching between the first behavior attribute information and the special sample. If the matching fails, step 406 is performed; if the matching is successful, step 409 is performed.
- Step 406 The server sends an explicit identity authentication request message to the client device.
- Step 407 The server receives an explicit identity authentication response message sent by the client device.
- Step 408 The server determines whether the explicit identity authentication is passed. If yes, step 409 is performed; if not, step 410 is performed.
- Step 409 The server takes the first behavior attribute information as a special sample, and adds the special sample to the legal sample set, and returns to step 401.
- Step 410 The server determines that the identity authentication fails, and returns to step 401.
- the server can continuously determine whether the user operating the client device is a malicious user according to the received information generated by the user operating the client device. In this way, even if a malicious user fraudulently uses the user's account information, it is difficult for the malicious user to imitate or steal the operation information of the original user, so the malicious user is identified during use because the behavior attributes differ from those of the original user. The problem that account information is fraudulently used can therefore be effectively avoided, the reliability of identity authentication is improved, and the information security of the user can be ensured.
- a server provided by an embodiment of the present invention, as shown in FIG. 5, includes a receiving unit 501, a processing unit 502, and a sending unit 503.
- the receiving unit 501 is configured to receive first behavior attribute information sent by the client device, where the first behavior attribute information is information, collected by the client device within a preset time period, that is generated by the user operating the client device;
- the processing unit 502 is configured to perform the similarity matching between the first behavior attribute information and the legal sample in the legal sample set; the legal sample set is a set of behavior attribute information collected by the client device after the identity authentication;
- the sending unit 503 is configured to send an explicit identity authentication request message to the client device after the processing unit determines that the matching fails.
- the receiving unit 501 is further configured to:
- the processing unit is further configured to, after determining according to the explicit identity authentication response message that the explicit identity authentication is passed, take the first behavior attribute information as a special sample and add the special sample to the legal sample set.
- processing unit 502 is specifically configured to:
- the first similarity value is less than a first threshold, and the first similarity value is a similarity value between the first behavior attribute information and an average value of legal samples in the legal sample set;
- the second similarity value is less than a second threshold, the second similarity value being a similarity value between the first behavior attribute information and each of the special samples in the legal sample set.
- processing unit 502 is further configured to:
- the first behavior attribute information is added as a legal sample to the legal sample set.
- the embodiment of the present invention further provides a client device.
- the client device 600 includes a receiving unit 602 and a sending unit 601.
- the sending unit 601 is configured to send the first behavior attribute information to the server, where the first behavior attribute information is information, collected by the client device within a preset time period, that is generated by the user operating the client device;
- the receiving unit 602 is configured to receive an explicit identity authentication request message sent by the server, where the explicit identity authentication request message is sent by the server when similarity matching between the first behavior attribute information and the legal samples in the legal sample set fails, and the legal sample set is a set of behavior attribute information collected by the client device after identity authentication.
- Embodiments of the present invention provide a computer readable storage medium storing instructions that, when executed on a computer, cause a computer to implement the method described above.
- Embodiments of the present invention also provide a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform any of the methods described above.
- the present invention further provides an authentication device, as shown in FIG. 7, including a processor 701, a memory 702, a transceiver 703, and a bus interface 704, wherein the processor 701, the memory 702, and the transceiver 703 are connected through the bus interface 704;
- the processor 701 is configured to read a program in the memory 702, and execute the following method: receiving, by the transceiver 703, first behavior attribute information sent by the client device; the first behavior attribute information is information, collected by the client device within a preset time period, that is generated by the user operating the client device;
- the first behavior attribute information is matched with the legal sample in the legal sample set, and if the matching fails, the explicit identity authentication request message is sent to the client device by the transceiver 703; the legal sample set is a set of behavior attribute information collected by the client device after identity authentication;
- the memory 702 is configured to store one or more executable programs, and may store data used by the processor 701 when performing operations;
- the bus interface 704 is configured to provide an interface.
- the processor 701 receives, by using the transceiver 703, the explicit identity authentication response message sent by the client device, and, after determining according to the explicit identity authentication response message that the explicit identity authentication is passed, takes the first behavior attribute information as a special sample and adds the special sample to the legal sample set.
- the processor 701 performs similarity matching on the first behavior attribute information with a legal sample in the legal sample set, including:
- the first similarity value is less than a first threshold, and the first similarity value is a similarity value between the first behavior attribute information and an average value of legal samples in the legal sample set;
- the server determines that the second similarity value is less than a second threshold, and the second similarity value is a similarity value between the first behavior attribute information and each special sample in the legal sample set.
- processor 701 is further configured to:
- the first behavior attribute information is added as a legal sample to the legal sample set.
- the present invention further provides an authentication device, as shown in FIG. 8, including a processor 801, a memory 802, a transceiver 803, and a bus interface 804, wherein the processor 801, the memory 802, and the transceiver 803 are connected through the bus interface 804;
- the processor 801 is configured to read a program in the memory 802, and execute the following method: sending, by the transceiver 803, first behavior attribute information to a server, where the first behavior attribute information is information, collected by the client device within a preset time period, that is generated by the user operating the client device; receiving, by the transceiver 803, an explicit identity authentication request message sent by the server, where the explicit identity authentication request message is sent by the server when similarity matching between the first behavior attribute information and the legal samples in the legal sample set fails, and the legal sample set is a set of behavior attribute information collected by the client device after identity authentication;
- the memory 802 is configured to store one or more executable programs, and may store data used by the processor 801 when performing an operation;
- the bus interface 804 is configured to provide an interface.
- the server receives the first behavior attribute information sent by the client device, and performs similarity matching between the first behavior attribute information and the legal samples in the legal sample set; if the matching fails, the server sends an explicit identity authentication request message to the client device. The first behavior attribute information is information, collected by the client device within a preset time period, that is generated by the user operating the client device, and the legal sample set is a set of behavior attribute information collected by the client device after identity authentication. The server continues to receive the information generated by the user operating the client device and performs similarity matching between the received information and the legal samples. In this way, even if a malicious user fraudulently uses the user's account information, it is difficult for the malicious user to imitate or steal the operation information of the original user, so the malicious user is identified during use because the behavior attributes differ from those of the original user. This effectively avoids the problem that account information is fraudulently used, improves the reliability of identity authentication, and thus ensures the information security of the user.
- embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
- the present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (system), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG.
- the computer program instructions can be provided to a general purpose computer, a special purpose computer, an embedded processor, or a processor of other programmable data processing device such that instructions executed by a processor of the computer or other programmable data processing device can be implemented in a flowchart
- the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction device, and the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
- These computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Abstract
Disclosed are an identity authentication method, a server and a client device. The method comprises: a server receiving first behavior attribute information sent by a client device, and carrying out similarity matching between the first behavior attribute information and legitimate samples in a legitimate sample set, and if the matching fails, sending an explicit identity authentication request message to the client device. By means of the method, since the first behavior attribute information is information generated when a user operates a client, even if a malicious user fraudulently uses account information of the user, as it is difficult for the malicious user to imitate or steal operation information of an original user, the malicious user is identified in the use process because the behavior attribute is different from that of the original user, thereby effectively avoiding the problem that the account information is fraudulently used, improving the reliability of identity authentication, and thus ensuring the information security of the user.
Description
This application claims priority to Chinese patent application No. 201711331515.X, entitled "An identity authentication method, server and client device", filed with the Chinese Patent Office on December 13, 2017, the entire contents of which are incorporated herein by reference.
The present invention relates to the field of communications technologies, and in particular, to an identity authentication method, a server, and a client device.
With the development of the Internet and e-commerce, computer network applications have penetrated into all walks of life, and global informatization has become a major trend in human development. In recent years, network security problems have become particularly severe: users are frequently attacked by hackers, Trojans, and malware, and stolen bank accounts, misappropriated funds, and fraudulently used user identities are common. Therefore, ensuring the reliability of user identity on the Internet has become an important issue.
At present, commonly used identity authentication methods include static passwords, smart cards, dynamic passwords, SMS passwords, digital signatures, biometrics, and so on. These authentication methods usually identify the user only during login and do not continue to identify the user after login. Taking a static password as an example, when a user logs in with a static password, the user enters the account name and the corresponding static password, and the authentication system identifies the user by them. With this authentication method, however, once the user's mobile phone is lost while the account the user logged in to is still in the logged-in state, a malicious user can fraudulently use the user's account information.
Based on this, an identity authentication method is urgently needed to solve the prior-art problem that account information is fraudulently used after a terminal is lost.
Summary of the invention
Embodiments of the present invention provide an identity authentication method, a server, and a client device, to solve the prior-art technical problem that account information is fraudulently used after a terminal is lost.
In a first aspect, the present invention provides an identity authentication method, the method comprising:
A server receives first behavior attribute information sent by a client device; the first behavior attribute information is information, collected by the client device within a preset time period, that is generated by a user operating the client device;
The server performs similarity matching between the first behavior attribute information and the legal samples in a legal sample set, and if the matching fails, sends an explicit identity authentication request message to the client device; the legal sample set is a set of behavior attribute information collected by the client device after identity authentication is passed.
Optionally, the method further includes:
The server receives an explicit identity authentication response message sent by the client device;
After determining, according to the explicit identity authentication response message, that the explicit identity authentication is passed, the server takes the first behavior attribute information as a special sample and adds the special sample to the legal sample set.
Optionally, the server performing similarity matching between the first behavior attribute information and the legal samples in the legal sample set includes:
The server determines that the matching fails when it determines that the first behavior attribute information satisfies the following conditions:
The server determines that a first similarity value is less than a first threshold, the first similarity value being a similarity value between the first behavior attribute information and the average value of the legal samples in the legal sample set;
and,
The server determines that a second similarity value is less than a second threshold, the second similarity value being a similarity value between the first behavior attribute information and each special sample in the legal sample set.
Optionally, the method further includes:
If the matching succeeds, the server adds the first behavior attribute information to the legal sample set as a legal sample.
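The server-side decision defined in the first aspect, in the order given by steps 401 to 410, as an added example that is not part of the patent text. Cosine similarity, both threshold values, the three-element feature vectors and all names are assumptions made for illustration, and the average is taken over ordinary legal samples only.

```python
import math
from dataclasses import dataclass, field
from typing import Callable, List, Sequence


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """Assumed similarity measure; this section does not fix one."""
    if len(a) != len(b):
        raise ValueError("feature vectors must have the same length")
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def mean_vector(samples: List[List[float]]) -> List[float]:
    """Element-wise average of the legal samples."""
    return [sum(column) / len(samples) for column in zip(*samples)]


@dataclass
class LegalSampleSet:
    first_threshold: float    # assumed value, used against the legal-sample average
    second_threshold: float   # assumed value, used against each special sample
    legal: List[List[float]] = field(default_factory=list)
    special: List[List[float]] = field(default_factory=list)

    def matches_legal(self, sample: Sequence[float]) -> bool:
        # An empty set cannot vouch for anyone, so it counts as a failed match.
        if not self.legal:
            return False
        first = cosine_similarity(sample, mean_vector(self.legal))
        return first >= self.first_threshold

    def matches_special(self, sample: Sequence[float]) -> bool:
        # Succeeds if any special sample reaches the second threshold.
        return any(cosine_similarity(sample, s) >= self.second_threshold
                   for s in self.special)

    def process(self, sample: Sequence[float],
                explicit_auth: Callable[[], bool]) -> str:
        """Handle one window of behavior attribute information (steps 401-410)."""
        sample = list(sample)
        if self.matches_legal(sample):                       # step 402
            self.legal.append(sample)                        # step 404
            return "legal"
        if self.special and self.matches_special(sample):    # steps 403, 405
            self.special.append(sample)                      # step 409
            return "special-match"
        if explicit_auth():                                  # steps 406-408
            self.special.append(sample)                      # step 409
            return "special-after-explicit-auth"
        return "rejected"                                    # step 410


def run_demo():
    """Replay four constructed windows and record each explicit challenge."""
    profile = LegalSampleSet(0.95, 0.95,
                             legal=[[0.20, 0.55, 0.80], [0.22, 0.50, 0.78]])
    challenges = []

    def challenge(result: bool) -> Callable[[], bool]:
        def ask() -> bool:
            challenges.append(result)  # the server sent an explicit request
            return result
        return ask

    # Constructed feature vectors (hypothetical normalized behavior features).
    windows = [
        ([0.19, 0.56, 0.82], challenge(True)),    # owner, usual behavior
        ([0.80, 0.50, 0.15], challenge(True)),    # owner, unusual behavior
        ([0.78, 0.52, 0.18], challenge(True)),    # owner, same unusual behavior
        ([0.10, 0.95, 0.10], challenge(False)),   # someone else, fails challenge
    ]
    outcomes = [profile.process(vector, ask) for vector, ask in windows]
    return outcomes, challenges, profile


if __name__ == "__main__":
    results, sent, final = run_demo()
    for outcome in results:
        print(outcome)
    print("explicit requests sent:", len(sent))
```

Because steps 404 and 409 feed every accepted window back into the set, the reference the next window is compared with shifts with each acceptance.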
In a second aspect, an embodiment of the present invention provides an identity authentication method, the method comprising:
A client device sends first behavior attribute information to a server; the first behavior attribute information is information, collected by the client device within a preset time period, that is generated by a user operating the client device;
The client device receives an explicit identity authentication request message sent by the server, where the explicit identity authentication request message is sent by the server when similarity matching between the first behavior attribute information and the legal samples in a legal sample set fails, and the legal sample set is a set of behavior attribute information collected by the client device after identity authentication is passed.
In a third aspect, an embodiment of the present invention provides a server, the server comprising:
a receiving unit, configured to receive first behavior attribute information sent by a client device, where the first behavior attribute information is information, collected by the client device within a preset time period, that is generated by a user operating the client device;
a processing unit, configured to perform similarity matching between the first behavior attribute information and the legal samples in a legal sample set, where the legal sample set is a set of behavior attribute information collected by the client device after identity authentication is passed;
a sending unit, configured to send an explicit identity authentication request message to the client device after the processing unit determines that the matching fails.
Optionally, the receiving unit is further configured to:
receive an explicit identity authentication response message sent by the client device;
the processing unit is further configured to, after determining according to the explicit identity authentication response message that the explicit identity authentication is passed, take the first behavior attribute information as a special sample and add the special sample to the legal sample set.
Optionally, the processing unit is specifically configured to:
determine that the matching fails when determining that the first behavior attribute information satisfies the following conditions:
determining that a first similarity value is less than a first threshold, the first similarity value being a similarity value between the first behavior attribute information and the average value of the legal samples in the legal sample set;
and,
determining that a second similarity value is less than a second threshold, the second similarity value being a similarity value between the first behavior attribute information and each special sample in the legal sample set.
Optionally, the processing unit is further configured to:
if it is determined that the matching succeeds, add the first behavior attribute information to the legal sample set as a legal sample.
In a fourth aspect, an embodiment of the present invention provides a client device, the client device comprising:
a sending unit, configured to send first behavior attribute information to a server, where the first behavior attribute information is information, collected by the client device within a preset time period, that is generated by a user operating the client device;
a receiving unit, configured to receive an explicit identity authentication request message sent by the server, where the explicit identity authentication request message is sent by the server when similarity matching between the first behavior attribute information and the legal samples in a legal sample set fails, and the legal sample set is a set of behavior attribute information collected by the client device after identity authentication is passed.
In a fifth aspect, an embodiment of the present invention provides an authentication device, including:
a memory, configured to store program instructions;
a processor, configured to invoke the program instructions stored in the memory and execute the above method according to the obtained program.
In a sixth aspect, an embodiment of the present invention provides a computer readable storage medium, where the storage medium stores instructions that, when run on a computer, cause the computer to perform the method of the first aspect described above.
In a seventh aspect, an embodiment of the present invention provides a computer program product, the computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform any of the methods described above.
In the embodiment of the present invention, the server receives the first behavior attribute information sent by the client device, and performs similarity matching between the first behavior attribute information and the legal samples in the legal sample set; if the matching fails, the server sends an explicit identity authentication request message to the client device. The first behavior attribute information is information, collected by the client device within a preset time period, that is generated by the user operating the client device; the legal sample set is a set of behavior attribute information collected by the client device after identity authentication is passed. In the embodiment of the present invention, after the user logs in successfully, the server continues to receive the information generated by the user operating the client device and performs similarity matching between the received information and the legal samples. In this way, even if a malicious user fraudulently uses the user's account information, it is difficult for the malicious user to imitate or steal the operation information of the original user, so the malicious user is identified during use because the behavior attributes differ from those of the original user. This effectively avoids the problem that account information is fraudulently used, improves the reliability of identity authentication, and thus ensures the information security of the user.
In order to describe the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a schematic diagram of a system architecture used in an embodiment of the present invention;
FIG. 2 is a schematic flowchart of an identity authentication method provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of a preset time period provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of the overall process involved in an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a server provided by an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a client device further provided by an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an authentication device provided by another embodiment of the present invention;
FIG. 8 is a schematic structural diagram of an authentication device provided by another embodiment of the present invention.
In order to make the objectives, technical solutions, and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
FIG. 1 is an example schematic diagram of a system architecture used by an embodiment of the present invention. As shown in FIG. 1, the system architecture to which the embodiment applies includes a server 101 and one or more client devices, for example the client device 102, client device 103 and client device 104 shown in FIG. 1. The server can communicate with client device 102, client device 103 and client device 104 over a network. For example, server 101 can send an explicit identity authentication request message to any one of client device 102, client device 103 and client device 104, and that client device can return an explicit identity authentication response message in reply to the explicit identity authentication request message.
In the embodiment of the present invention, the client device may be any of several types of device, such as a smartphone, a tablet computer or a notebook computer.
Based on the system architecture shown in FIG. 1, FIG. 2 is a schematic flowchart of an identity authentication method provided by an embodiment of the present invention. As shown in FIG. 2, the method includes the following steps:
Step 201: The client device sends first behavior attribute information to the server.
Step 202: The server receives the first behavior attribute information sent by the client device.
Step 203: The server performs similarity matching between the first behavior attribute information and the legal samples in the legal sample set. If the matching fails, the server sends an explicit identity authentication request message to the client device.
Step 204: The client device receives the explicit identity authentication request message sent by the server.
In the embodiment of the present invention, after the user has logged in successfully, the server continues to receive the information generated by the user operating the client device and performs similarity matching between the received information and the legal samples. With this method, even if a malicious user misuses the user's account information, it is difficult for the malicious user to imitate or steal the original user's operation information, so the malicious user is identified during use because the behavior attributes differ from those of the original user. This effectively avoids the problem of account information being misused, improves the reliability of identity authentication, and thereby protects the security of the user's information.
Before step 201 is performed, the embodiment of the present invention needs to generate the legal sample set in advance. The legal sample set is the set of behavior attribute information collected by the client device after explicit identity authentication has been passed. Specifically, after the user passes identity authentication, for example by logging in to the account using an explicit identity authentication method, the client device collects the user's behavior attribute information during the login process and uses the collected behavior attribute information as a legal sample. Explicit identity authentication is an authentication method that requires the user to enter a credential, such as an account name with its static password, a card number with its static password, or a mobile phone number with the corresponding SMS verification code.
In one example, when a user logs in to an application with a client device, for example when the user logs in to mobile banking with a smartphone, the user must first enter the bank card number and password. When the entered bank card number and password are correct, identity authentication is determined to have passed. The smartphone can then collect the behavior attribute information from the user's login process and use the collected behavior attribute information as a legal sample.
In the embodiment of the present invention, the behavior attribute information is information generated by the user operating the client device. Because some of the information generated by the user operating the client device may have little bearing on identity authentication, that information can be filtered, and only the information with a larger bearing on identity authentication is used as behavior attribute information. The behavior attribute information then reflects the user's behavioral characteristics more closely, which improves its accuracy.
As shown in Table 1, the information generated by the user operating the client device may include behavior elements such as the user's IP address, the location of the client device, the user's reading speed and the web page address. For a given user, the location of the user's IP address is relatively fixed, so it can serve as a behavior element in the behavior attribute information. Similarly, the user's reading speed is a usage habit of the user, so it can also serve as a behavior element in the behavior attribute information. The web page address changes with the user's needs, so the behavior attribute information need not include the web page address.
Table 1: An example of whether information generated by the user operating the client device is used as behavior attribute information
Information generated by the user operating the client device | Used as behavior attribute information |
User's IP address | Yes |
Location of the client device | Yes |
User's reading speed | Yes |
Web page address | No |
... | ... |
In step 201, the first behavior attribute information is the information, collected by the client device within a preset time period, that is generated by the user operating the client device.
In the embodiment of the present invention, the preset time period is any one of the N time periods between the user's successful login to the account and the next login to the account. FIG. 3 is a schematic diagram of a preset time period provided by an embodiment of the present invention: the interval from the user's successful login until the next login can be divided equally into N time periods, and the client device can collect, in the i-th time period, the information generated by the user operating the client device and use the collected information as the first behavior attribute information. The attributes included in the first behavior attribute information are consistent with the attributes included in the behavior attributes of the legal samples.
It should be noted that the content shown in FIG. 3 is only one possible implementation. A person skilled in the art can determine the preset time period based on experience and actual conditions, and no specific limitation is imposed.
In step 202 and step 203, after the server receives the first behavior attribute information sent by the client device, it can perform the similarity matching between the first behavior attribute information and the legal samples in the legal sample set in several ways. One possible implementation is to obtain, for each legal sample in the legal sample set, a first similarity value between the first behavior attribute information and that legal sample.
After the first similarity values are obtained in this way, there are several ways to determine that the matching has failed. For example, if every first similarity value between the first behavior attribute information and the legal samples is less than a preset similarity threshold, the matching fails. Alternatively, if the number of first similarity values that are greater than or equal to the preset similarity threshold is less than a preset count threshold, the matching fails. The preset similarity threshold and the preset count threshold may be determined by a person skilled in the art based on experience and actual conditions, and no specific limitation is imposed.
Another possible implementation is to determine the average value of the legal samples in the legal sample set, obtain a first similarity value between the first behavior attribute information and that average value, and judge whether the similarity value is less than a first threshold. If it is less, the matching fails. The first threshold may be determined by a person skilled in the art based on experience and actual conditions, and no specific limitation is imposed. Similarity matching using the average value of the legal samples is described in detail below and includes the following steps:
Step 301: Determine the average value of the legal samples in the legal sample set.
Specifically, a legal sample is behavior attribute information collected by the client, and each legal sample includes at least one behavior element. Depending on the attribute value, a behavior element is either a numerical behavior element or a text-type behavior element. For example, if the user's reading speed is "88.75 lines/min", the attribute value of the behavior element "user's reading speed" is "88.75 lines/min", which is a number, so "user's reading speed" is a numerical behavior element. If the location of the client device is "Qingxiu District, Nanning", the attribute value of the behavior element "location of the client device" is "Qingxiu District, Nanning", which is text, so "location of the client device" is a text-type behavior element.
For a numerical behavior element, the average of its attribute values can be used as the average value of that behavior element. Taking the user's reading speed as an example, as shown in Table 2, the legal sample set includes 3 legal samples. In legal sample 1 the user's reading speed is "88.75 lines/min"; in legal sample 2 it is "80.75 lines/min"; in legal sample 3 it is "84.75 lines/min". Applying the formula for the average gives an average reading speed of "84.75 lines/min" for the legal sample set.
Table 2: An example of the average value of a numerical behavior element
Legal sample set | User's reading speed |
Legal sample 1 | 88.75 lines/min |
Legal sample 2 | 80.75 lines/min |
Legal sample 3 | 84.75 lines/min |
Average value | 84.75 lines/min |
For a text-type behavior element, the average value can be determined from the probability distribution of its attribute values. As shown in Table 3, the legal sample set includes 3 legal samples. In legal sample 1, the user's IP address is "172.18.19.20", the city where the client device is located is "Nanning", and the urban district where the client device is located is "Qingxiu District". In legal sample 2, the user's IP address is "172.18.19.20", the city is "Nanning", and the urban district is "Qingxiu District". In legal sample 3, the user's IP address is "172.18.19.20", the city is "Nanning", and the urban district is "Jiangnan District". In these 3 legal samples, the IP address "172.18.19.20" occurs 3 times, so the probability distribution of the user's IP address can be recorded as {172.18.19.20, 3}. The city "Nanning" occurs 3 times, so the probability distribution of the city where the client device is located can be recorded as {Nanning, 3}. The urban district "Qingxiu District" occurs 2 times and "Jiangnan District" occurs 1 time, so the probability distribution of the urban district where the client device is located can be recorded as {Qingxiu District, 2; Jiangnan District, 1}.
Table 3: An example of the probability distribution of text-type behavior elements
Legal sample set | User's IP address | City where the client device is located | Urban district where the client device is located |
Legal sample 1 | 172.18.19.20 | Nanning | Qingxiu District |
Legal sample 2 | 172.18.19.20 | Nanning | Qingxiu District |
Legal sample 3 | 172.18.19.20 | Nanning | Jiangnan District |
Probability distribution | {172.18.19.20, 3} | {Nanning, 3} | {Qingxiu District, 2; Jiangnan District, 1} |
Step 302: For each behavior element of the legal samples, determine the weight value of that behavior element.
In the embodiment of the present invention, the assignment of weight values to the behavior elements directly affects the reliability and accuracy of identity authentication. There are two main existing methods for assigning weight values: subjective weighting, which is based on the subjective judgment of the decision maker, and objective weighting, which is based on a decision matrix. The embodiment of the present invention uses subjective weighting as the example for determining the weight values of the behavior elements. Subjective weighting avoids the influence of the decision matrix, which keeps the decision reasoning consistent and makes the weight assignment more reasonable.
In one example, Table 4 shows an assignment of weight values to behavior elements. The behavior elements of the legal samples include the user's IP address, the city where the client device is located, the urban district where the client device is located, and the user's reading speed. The weight value of the user's IP address can be set to 0.2, the weight value of the city where the client device is located to 0.3, the weight value of the urban district where the client device is located to 0.2, and the weight value of the user's reading speed to 0.3.
Table 4: An example of weight value assignment for behavior elements
Behavior element | Weight value |
User's IP address | 0.2 |
City where the client device is located | 0.3 |
Urban district where the client device is located | 0.2 |
User's reading speed | 0.3 |
Table 4 is only an example. A person skilled in the art can modify the content shown in Table 4 based on experience and actual conditions, and no specific limitation is imposed.
Step 303: Determine, from the average value of the legal samples and the weight values of the behavior elements, the first similarity value between the first behavior attribute information and the average value of the legal samples.
In the embodiment of the present invention, for a numerical behavior element, once its average value has been determined, the attribute value of that element in the first behavior attribute information and its average value in the legal sample set can be used to determine the degree of difference between the element in the first behavior attribute information and the legal samples, and from that the similarity value between the numerical behavior element and the legal samples. Specifically, for a numerical behavior element, the similarity value between the first behavior attribute information and the average value of the legal samples can be calculated by the following formula:
Where T_s is the similarity value between the numerical behavior element in the first behavior attribute information and the average value of the corresponding numerical behavior element in the legal samples; x is the attribute value of the numerical behavior element in the first behavior attribute information; and the remaining term is the average value of the corresponding numerical behavior element in the legal samples.
In one example, the numerical behavior element is the user's reading speed. In the legal sample set, the average reading speed of the user is 84.75 lines/min; in the first behavior attribute information, the user's reading speed is 50 lines/min. According to the above formula, the similarity value between the user's reading speed in the first behavior attribute information and the average reading speed in the legal sample set is 0.59.
In the embodiment of the present invention, for a text-type behavior element, once its probability distribution has been determined, the attribute value of that element in the first behavior attribute information and its probability distribution in the legal sample set can be used to determine the similarity value between the text-type behavior element in the first behavior attribute information and the legal samples. Specifically, for a text-type behavior element, the similarity value between the first behavior attribute information and the legal samples can be calculated by the following formula:
Where T_w is the similarity value between the text-type behavior element in the first behavior attribute information and the corresponding text-type behavior element in the legal samples; y is the number of samples in the legal sample set whose attribute value is the same as that of the text-type behavior element in the first behavior attribute information; and N is the total number of samples in the legal sample set. y is an integer greater than or equal to 0, and N is an integer greater than or equal to 1.
In one example, the text-type behavior element is the urban district where the client device is located. In the legal sample set, the probability distribution of the urban district where the client device is located is {Qingxiu District, 2; Jiangnan District, 1}; in the first behavior attribute information, the urban district where the client device is located is Qingxiu District. According to the above formula, the similarity value between the urban district in the first behavior attribute information and the urban district in the legal sample set is 0.67.
Further, after the similarity value between each behavior element in the first behavior attribute information and the corresponding behavior element in the legal sample set has been obtained with the method described above, the first similarity value between the first behavior attribute information and the average value of the legal samples can be determined from the weight values of the behavior elements. Specifically, it can be calculated by the following formula:
Where T is the first similarity value between the first behavior attribute information and the average value of the legal samples. The per-element terms are the similarity value between the i-th numerical behavior element in the first behavior attribute information and the legal samples, and the similarity value between the j-th text-type behavior element in the first behavior attribute information and the legal samples. ω_i is the weight value of the i-th numerical behavior element in the first behavior attribute information, and ω_j is the weight value of the j-th text-type behavior element in the first behavior attribute information. i is an integer greater than or equal to 1, and j is an integer greater than or equal to 1.
The calculation of the first similarity value between the first behavior attribute information and the average value of the legal samples, as described above, is illustrated below with an example.
In one example, Table 5 shows a first similarity value between the first behavior attribute information and the average value of the legal samples. Suppose the weight value of the user's IP address is 0.2, the weight value of the city where the client device is located is 0.3, the weight value of the urban district where the client device is located is 0.2, and the weight value of the user's reading speed is 0.3. Suppose also that, in the legal sample set, the probability distribution of the user's IP address is {172.18.19.20, 3}, the probability distribution of the city where the client device is located is {Nanning, 3}, the probability distribution of the urban district where the client device is located is {Qingxiu District, 2; Jiangnan District, 1}, and the average reading speed of the user is 84.75 lines/min. Then, according to the above formula, the first similarity value between the first behavior attribute information and the average value of the legal samples is 0.798.
Table 5: An example of the first similarity value
Behavior element | Weight value | Average of legal samples | Attribute value in the first behavior attribute information |
User's IP address | 0.2 | {172.18.19.20, 3} | 172.18.19.20 |
City where the client device is located | 0.3 | {Nanning, 3} | Nanning |
Urban district where the client device is located | 0.2 | {Qingxiu District, 2; Jiangnan District, 1} | Jiangnan District |
User's reading speed | 0.3 | 84.75 lines/min | 64.75 lines/min |
It should be noted that the calculation method described above is only an example provided by the embodiment of the present invention. A person skilled in the art can modify the method based on experience and actual conditions, and no specific limitation is imposed.
Step 304: Judge whether the first similarity value is less than the first threshold. If it is less than the first threshold, the matching fails; otherwise, the matching succeeds.
Further, after step 204 is performed, once the server determines from the explicit identity authentication response message sent by the client device that identity authentication has passed, it treats the first behavior attribute information as a special sample and adds the special sample to the legal sample set. It then judges whether the number of legal samples in the legal sample set is greater than a preset sample count threshold. If it is greater, the server deletes the legal samples that have been stored longest until the number of legal samples remaining in the legal sample set is no greater than the preset sample count threshold. The preset sample count threshold may be determined by a person skilled in the art based on experience and actual conditions, and no specific limitation is imposed. The legal sample set is updated in this way because legal samples that have been stored for a long time may no longer match the user's current behavior. Adding the first behavior attribute information from each successful identity authentication to the legal sample set, and deleting the legal samples that have been stored longest, makes the legal sample set a better reference.
The embodiment of the present invention provides another similarity matching method, which includes the following steps:
Step 1: After determining that the similarity matching between the first behavior attribute information and the legal samples in the legal sample set has failed, the server determines whether a special sample exists. If one exists, step 2 is performed; if none exists, step 3 is performed.
Step 2: The server performs similarity matching between the first behavior attribute information and the special sample.
Specifically, if the server determines that only one special sample exists, it determines a second similarity value between the first behavior attribute information and the special sample from the first behavior attribute information and the special sample, and judges whether the second similarity value is less than a second threshold. If it is less than the second threshold, the matching fails.
If the server determines that multiple special samples exist, it determines, for each special sample, a second similarity value between the first behavior attribute information and that special sample, and judges whether any second similarity value is greater than or equal to the second threshold. If none is, the matching fails.
In the embodiment of the present invention, the second similarity value can be calculated in the same way as the first similarity value described above, and the details are not repeated here. A person skilled in the art can also determine the calculation method for the second similarity value based on experience and actual conditions, and no specific limitation is imposed.
Step 3: If the server determines that the matching has failed, it sends an explicit identity authentication request message to the client device.
To present the above identity authentication method more clearly, the overall flow involved in the embodiment of the present invention is described below with reference to FIG. 4. As shown in FIG. 4, it may include the following steps:
Step 401: The server receives the first behavior attribute information sent by the client device.
Step 402: The server performs similarity matching between the first behavior attribute information and the legal samples in the legal sample set. If the matching fails, step 403 is performed; if the matching succeeds, step 404 is performed.
Step 403: The server judges whether a special sample exists. If one exists, step 405 is performed; if none exists, step 406 is performed.
Step 404: The server adds the first behavior attribute information to the legal sample set and returns to step 401.
Step 405: The server performs similarity matching between the first behavior attribute information and the special sample. If the matching fails, step 406 is performed; if the matching succeeds, step 409 is performed.
Step 406: The server sends an explicit identity authentication request message to the client device.
Step 407: The server receives the explicit identity authentication response message sent by the client device.
Step 408: The server judges whether explicit identity authentication has passed. If it has passed, step 409 is performed; if it has not passed, step 410 is performed.
Step 409: The server treats the first behavior attribute information as a special sample, adds the special sample to the legal sample set, and returns to step 401.
Step 410: The server determines that identity authentication has failed and returns to step 401.
本发明实施例中,在用户登录成功之后,服务器能够持续地根据接收到的用户操作客户端设备产生的信息,确定操作所述客户端设备的用户是否为恶意用户。采用这种方法,即使恶意用户冒用用户的账号信息,由于恶意用户很难模仿或盗取原用户的操作信息,因此,恶意用户在使用过程中会因为行为属性与原用户不同而被识别出来,从而能够有效避免账号信息被冒用的问题,提高身份认证的可靠性,进而能够保证用户的信息安全。In the embodiment of the present invention, after the user successfully logs in, the server can continuously determine whether the user operating the client device is a malicious user according to the information generated by the received user operation client device. In this way, even if a malicious user spoofs the user's account information, it is difficult for the malicious user to imitate or steal the operation information of the original user. Therefore, the malicious user is identified because the behavior attribute is different from the original user during use. Therefore, the problem that the account information is fraudulently used can be effectively avoided, the reliability of the identity authentication is improved, and the information security of the user can be ensured.
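The decision flow of steps 401 to 410 can be sketched as follows. This is an added example, not code from the patent: cosine similarity, the two 0.95 thresholds, the behavior vectors (constructed fractions of keystroke intervals per timing bin), the outcome strings and the choice to average only the ordinary (non-special) members of the legal sample set are all assumptions.

```python
import math
from dataclasses import dataclass, field
from typing import Callable, List, Sequence


def cosine_similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """Similarity measure assumed for this example; 0.0 if either vector is zero."""
    if len(a) != len(b):
        raise ValueError("behavior vectors must have the same length")
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def mean_vector(samples: List[List[float]]) -> List[float]:
    return [sum(column) / len(samples) for column in zip(*samples)]


@dataclass
class BehaviorAuthenticator:
    # Ordinary members of the legal sample set (collected after authentication).
    legal_samples: List[List[float]]
    first_threshold: float = 0.95   # assumed value
    second_threshold: float = 0.95  # assumed value
    # Special members of the legal sample set (admitted via step 409).
    special_samples: List[List[float]] = field(default_factory=list)

    def matches_legal(self, sample: Sequence[float]) -> bool:
        """Step 402: compare against the average of the legal samples."""
        if not self.legal_samples:
            return False  # no baseline yet, so fall through to explicit auth
        mean = mean_vector(self.legal_samples)
        return cosine_similarity(sample, mean) >= self.first_threshold

    def matches_special(self, sample: Sequence[float]) -> bool:
        """Steps 403 and 405: compare against each special sample, if any exist."""
        return any(cosine_similarity(sample, s) >= self.second_threshold
                   for s in self.special_samples)

    def process(self, sample: Sequence[float],
                explicit_auth: Callable[[], bool]) -> str:
        """Handle one report from the client device (step 401).

        explicit_auth stands in for the request/response exchange of steps
        406 to 408 and is only called when both similarity checks fail.
        """
        sample = list(sample)
        if self.matches_legal(sample):
            self.legal_samples.append(sample)        # step 404
            return "accepted"
        if self.matches_special(sample):
            self.special_samples.append(sample)      # step 409
            return "accepted_special"
        if explicit_auth():                          # steps 406 to 408
            self.special_samples.append(sample)      # step 409
            return "accepted_after_explicit_auth"
        return "authentication_failed"               # step 410


def demo():
    """Run four constructed reporting rounds and return what happened."""
    auth = BehaviorAuthenticator(legal_samples=[
        [0.10, 0.60, 0.25, 0.05],
        [0.12, 0.58, 0.24, 0.06],
        [0.08, 0.62, 0.26, 0.04],
    ])
    prompts = []  # records every time explicit authentication was requested

    def explicit_auth(passes: bool) -> Callable[[], bool]:
        def run() -> bool:
            prompts.append(passes)
            return passes
        return run

    outcomes = [
        # Usual behavior: matches the average of the legal samples.
        auth.process([0.11, 0.59, 0.25, 0.05], explicit_auth(False)),
        # Same user, unusual behavior: mismatch, explicit auth passes.
        auth.process([0.40, 0.20, 0.10, 0.30], explicit_auth(True)),
        # Unusual behavior again: now matches the stored special sample.
        auth.process([0.38, 0.22, 0.10, 0.30], explicit_auth(False)),
        # Different person: matches nothing and fails explicit auth.
        auth.process([0.05, 0.05, 0.10, 0.80], explicit_auth(False)),
    ]
    return outcomes, len(prompts), auth


if __name__ == "__main__":
    print(demo()[0])
```
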
Based on the same concept, an embodiment of the present invention provides a server. As shown in FIG. 5, the server 500 includes a receiving unit 501, a processing unit 502 and a sending unit 503, where:
The receiving unit 501 is configured to receive the first behavior attribute information sent by the client device; the first behavior attribute information is information, collected by the client device within a preset time period, that is generated by the user operating the client device;
The processing unit 502 is configured to perform similarity matching between the first behavior attribute information and the legal samples in the legal sample set; the legal sample set is a set of behavior attribute information collected by the client device after identity authentication has passed;
The sending unit 503 is configured to send an explicit identity authentication request message to the client device after the processing unit determines that the matching fails.
Optionally, the receiving unit 501 is further configured to:
Receive the explicit identity authentication response message sent by the client device;
The processing unit is further configured to, after determining according to the explicit identity authentication response message that explicit identity authentication has passed, take the first behavior attribute information as a special sample and add the special sample to the legal sample set.
Optionally, the processing unit 502 is specifically configured to:
Determine that the matching fails when the first behavior attribute information satisfies the following conditions:
The first similarity value is determined to be less than a first threshold, where the first similarity value is the similarity value between the first behavior attribute information and the average of the legal samples in the legal sample set;
and
The second similarity value is determined to be less than a second threshold, where the second similarity value is the similarity value between the first behavior attribute information and each special sample in the legal sample set.
Optionally, the processing unit 502 is further configured to:
If the matching is determined to be successful, add the first behavior attribute information to the legal sample set as a legal sample.
Based on the same inventive concept, an embodiment of the present invention further provides a client device. As shown in FIG. 6, the client device 600 includes a receiving unit 602 and a sending unit 601, where:
The sending unit 601 is configured to send the first behavior attribute information to the server; the first behavior attribute information is information, collected by the client device within a preset time period, that is generated by the user operating the client device;
The receiving unit 602 is configured to receive the explicit identity authentication request message sent by the server. The explicit identity authentication request message is sent when the server's similarity matching between the first behavior attribute information and the legal samples in the legal sample set fails; the legal sample set is a set of behavior attribute information collected by the client device after identity authentication has passed.
An embodiment of the present invention provides a computer-readable storage medium storing instructions that, when run on a computer, cause the computer to perform the method described above.
An embodiment of the present invention further provides a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium; the computer program includes program instructions that, when executed by a computer, cause the computer to perform any of the methods described above.
Based on the same principle, the present invention further provides an authentication device. As shown in FIG. 7, it includes a processor 701, a memory 702, a transceiver 703 and a bus interface 704, where the processor 701, the memory 702 and the transceiver 703 are connected through the bus interface 704;
The processor 701 is configured to read the program in the memory 702 and execute the following method: receiving, through the transceiver 703, the first behavior attribute information sent by the client device; the first behavior attribute information is information, collected by the client device within a preset time period, that is generated by the user operating the client device;
Performing similarity matching between the first behavior attribute information and the legal samples in the legal sample set and, if the matching fails, sending an explicit identity authentication request message to the client device through the transceiver 703; the legal sample set is a set of behavior attribute information collected by the client device after identity authentication has passed;
The memory 702 is configured to store one or more executable programs and may store data used by the processor 701 when performing operations;
The bus interface 704 is configured to provide an interface.
Further, the processor 701 receives, through the transceiver 703, the explicit identity authentication response message sent by the client device and, after determining according to the explicit identity authentication response message that explicit identity authentication has passed, takes the first behavior attribute information as a special sample and adds the special sample to the legal sample set.
Further, the processor 701 performing similarity matching between the first behavior attribute information and the legal samples in the legal sample set includes:
Determining that the matching fails when the first behavior attribute information satisfies the following conditions:
The first similarity value is determined to be less than a first threshold, where the first similarity value is the similarity value between the first behavior attribute information and the average of the legal samples in the legal sample set;
and
The server determines that the second similarity value is less than a second threshold, where the second similarity value is the similarity value between the first behavior attribute information and each special sample in the legal sample set.
Further, the processor 701 is further configured to:
If the matching succeeds, add the first behavior attribute information to the legal sample set as a legal sample.
Based on the same principle, the present invention further provides an authentication device. As shown in FIG. 8, it includes a processor 801, a memory 802, a transceiver 803 and a bus interface 804, where the processor 801, the memory 802 and the transceiver 803 are connected through the bus interface 804;
The processor 801 is configured to read the program in the memory 802 and execute the following method: sending the first behavior attribute information to the server through the transceiver 803, where the first behavior attribute information is information, collected by the client device within a preset time period, that is generated by the user operating the client device; and receiving, through the transceiver 803, the explicit identity authentication request message sent by the server. The explicit identity authentication request message is sent when the server's similarity matching between the first behavior attribute information and the legal samples in the legal sample set fails; the legal sample set is a set of behavior attribute information collected by the client device after identity authentication has passed;
The memory 802 is configured to store one or more executable programs and may store data used by the processor 801 when performing operations;
The bus interface 804 is configured to provide an interface.
In the embodiment of the present invention, the server receives the first behavior attribute information sent by the client device and performs similarity matching between the first behavior attribute information and the legal samples in the legal sample set; if the matching fails, it sends an explicit identity authentication request message to the client device. The first behavior attribute information is information, collected by the client device within a preset time period, that is generated by the user operating the client device; the legal sample set is a set of behavior attribute information collected by the client device after identity authentication has passed. In the embodiment of the present invention, after the user logs in successfully, the server continues to receive the information generated by the user operating the client device and performs similarity matching between the received information and the legal samples. With this method, even if a malicious user fraudulently uses the user's account information, it is difficult for the malicious user to imitate or steal the original user's operation information, so the malicious user is identified during use because their behavior attributes differ from those of the original user. This effectively avoids the problem of account information being fraudulently used, improves the reliability of identity authentication, and thereby protects the user's information security.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.
Claims (14)
- An identity authentication method, characterized in that the method comprises: a server receiving first behavior attribute information sent by a client device, the first behavior attribute information being information, collected by the client device within a preset time period, that is generated by a user operating the client device; and the server performing similarity matching between the first behavior attribute information and legal samples in a legal sample set and, if the matching fails, sending an explicit identity authentication request message to the client device, the legal sample set being a set of behavior attribute information collected by the client device after identity authentication has passed.
- The method according to claim 1, characterized in that the method further comprises: the server receiving an explicit identity authentication response message sent by the client device; and the server, after determining according to the explicit identity authentication response message that explicit identity authentication has passed, taking the first behavior attribute information as a special sample and adding the special sample to the legal sample set.
- The method according to claim 2, characterized in that the server performing similarity matching between the first behavior attribute information and the legal samples in the legal sample set comprises: the server determining that the matching fails when the first behavior attribute information satisfies the following conditions: the server determines that a first similarity value is less than a first threshold, the first similarity value being the similarity value between the first behavior attribute information and the average of the legal samples in the legal sample set; and the server determines that a second similarity value is less than a second threshold, the second similarity value being the similarity value between the first behavior attribute information and each special sample in the legal sample set.
- The method according to any one of claims 1 to 3, characterized in that the method further comprises: if the matching succeeds, the server adding the first behavior attribute information to the legal sample set as a legal sample.
- An identity authentication method, characterized in that the method comprises: a client device sending first behavior attribute information to a server, the first behavior attribute information being information, collected by the client device within a preset time period, that is generated by a user operating the client device; and the client device receiving an explicit identity authentication request message sent by the server, the explicit identity authentication request message being sent when the server's similarity matching between the first behavior attribute information and legal samples in a legal sample set fails, the legal sample set being a set of behavior attribute information collected by the client device after identity authentication has passed.
- A server, characterized in that the server comprises: a receiving unit, configured to receive first behavior attribute information sent by a client device, the first behavior attribute information being information, collected by the client device within a preset time period, that is generated by a user operating the client device; a processing unit, configured to perform similarity matching between the first behavior attribute information and legal samples in a legal sample set, the legal sample set being a set of behavior attribute information collected by the client device after identity authentication has passed; and a sending unit, configured to send an explicit identity authentication request message to the client device after the processing unit determines that the matching fails.
- The server according to claim 6, characterized in that the receiving unit is further configured to: receive an explicit identity authentication response message sent by the client device; and the processing unit is further configured to, after determining according to the explicit identity authentication response message that explicit identity authentication has passed, take the first behavior attribute information as a special sample and add the special sample to the legal sample set.
- The server according to claim 7, characterized in that the processing unit is specifically configured to: determine that the matching fails when the first behavior attribute information satisfies the following conditions: a first similarity value is determined to be less than a first threshold, the first similarity value being the similarity value between the first behavior attribute information and the average of the legal samples in the legal sample set; and a second similarity value is determined to be less than a second threshold, the second similarity value being the similarity value between the first behavior attribute information and each special sample in the legal sample set.
- The server according to any one of claims 6 to 8, characterized in that the processing unit is further configured to: if the matching is determined to be successful, add the first behavior attribute information to the legal sample set as a legal sample.
- A client device, characterized in that the client device comprises: a sending unit, configured to send first behavior attribute information to a server, the first behavior attribute information being information, collected by the client device within a preset time period, that is generated by a user operating the client device; and a receiving unit, configured to receive an explicit identity authentication request message sent by the server, the explicit identity authentication request message being sent when the server's similarity matching between the first behavior attribute information and legal samples in a legal sample set fails, the legal sample set being a set of behavior attribute information collected by the client device after identity authentication has passed.
- A computer-readable storage medium, characterized in that the storage medium stores instructions that, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 4.
- A computer program product, characterized in that the computer program product comprises a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 5.
- An authentication device, characterized by comprising a processor, a memory, a transceiver and a bus interface, wherein the processor, the memory and the transceiver are connected through the bus interface; the processor is configured to read the program in the memory and execute the following method: receiving, through the transceiver, first behavior attribute information sent by a client device, the first behavior attribute information being information, collected by the client device within a preset time period, that is generated by a user operating the client device; and performing similarity matching between the first behavior attribute information and legal samples in a legal sample set and, if the matching fails, sending an explicit identity authentication request message to the client device through the transceiver, the legal sample set being a set of behavior attribute information collected by the client device after identity authentication has passed; the memory is configured to store one or more executable programs and may store data used by the processor when performing operations; the bus interface is configured to provide an interface.
- An authentication device, characterized by comprising: a processor, a memory, a transceiver and a bus interface, wherein the processor, the memory and the transceiver are connected through the bus interface; the processor sends first behavior attribute information to a server through the transceiver, the first behavior attribute information being information, collected by the client device within a preset time period, that is generated by a user operating the client device; and receives, through the transceiver, an explicit identity authentication request message sent by the server, the explicit identity authentication request message being sent when the server's similarity matching between the first behavior attribute information and legal samples in a legal sample set fails, the legal sample set being a set of behavior attribute information collected by the client device after identity authentication has passed; the memory is configured to store one or more executable programs and may store data used by the processor when performing operations; the bus interface is configured to provide an interface.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711331515.XA CN108234454B (en) | 2017-12-13 | 2017-12-13 | An identity authentication method, server and client device |
CN201711331515.X | 2017-12-13 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019114246A1 (en) | 2019-06-20 |
Family
ID=62652128
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/092950 WO2019114246A1 (en) | 2017-12-13 | 2018-06-26 | Identity authentication method, server and client device |
Country Status (3)
Country | Link |
---|---|
CN (1) | CN108234454B (en) |
TW (1) | TWI701932B (en) |
WO (1) | WO2019114246A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109151518B (en) * | 2018-08-06 | 2021-02-02 | 武汉斗鱼网络科技有限公司 | Stolen account identification method and device and electronic equipment |
CN110570199B (en) * | 2019-07-24 | 2022-10-11 | 中国科学院信息工程研究所 | User identity detection method and system based on user input behaviors |
CN111083141A (en) * | 2019-12-13 | 2020-04-28 | 广州市百果园信息技术有限公司 | Method, device, server and storage medium for identifying counterfeit account |
CN111062014A (en) * | 2019-12-24 | 2020-04-24 | 中国银行股份有限公司 | Security authentication method and device and electronic equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120066261A1 (en) * | 2009-05-12 | 2012-03-15 | Pioneer Corporation | Content search apparatus, content search method, content search program, and recording medium |
JP2015219796A (en) * | 2014-05-20 | 2015-12-07 | ヤフー株式会社 | Authentication providing device, authentication providing method, and program |
CN106301778A (en) * | 2015-05-19 | 2017-01-04 | 中兴通讯股份有限公司 | Auth method, device, system and user terminal |
CN106384027A (en) * | 2016-09-05 | 2017-02-08 | 四川长虹电器股份有限公司 | User identity recognition system and recognition method thereof |
CN106603327A (en) * | 2016-11-29 | 2017-04-26 | 上海亿账通互联网科技有限公司 | Behavior data analysis method and device |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101299762B (en) * | 2008-06-20 | 2011-08-17 | 北京中星微电子有限公司 | Identification authentication method and apparatus |
JP2012219796A (en) * | 2011-04-14 | 2012-11-12 | Nissan Motor Co Ltd | Combustion chamber of internal combustion engine |
CN104579668B (en) * | 2013-10-28 | 2018-12-11 | 深圳市腾讯计算机系统有限公司 | The verification method and cipher protection apparatus and verifying system of a kind of user identity |
CN105100376A (en) * | 2014-05-16 | 2015-11-25 | 中国移动通信集团湖南有限公司 | Identity authentication method and apparatus |
- 2017-12-13 CN CN201711331515.XA patent/CN108234454B/en active Active
- 2018-06-26 WO PCT/CN2018/092950 patent/WO2019114246A1/en active Application Filing
- 2018-08-10 TW TW107127944A patent/TWI701932B/en active
Also Published As
Publication number | Publication date |
---|---|
CN108234454B (en) | 2020-12-18 |
CN108234454A (en) | 2018-06-29 |
TW201929481A (en) | 2019-07-16 |
TWI701932B (en) | 2020-08-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11252171B2 (en) | Methods and systems for detecting abnormal user activity | |
NL2024003B1 (en) | Method and computing device for identifying suspicious users in message exchange systems | |
JP6068506B2 (en) | System and method for dynamic scoring of online fraud detection | |
US10785134B2 (en) | Identifying multiple devices belonging to a single user | |
US10142308B1 (en) | User authentication | |
RU2610254C2 (en) | System and method of determining modified web pages | |
TWI512521B (en) | Secure user attestation and authentication to a remote server | |
CN106656932B (en) | Service processing method and device | |
US8850567B1 (en) | Unauthorized URL requests detection | |
US9230066B1 (en) | Assessing risk for third-party data collectors | |
US10135830B2 (en) | Utilizing transport layer security (TLS) fingerprints to determine agents and operating systems | |
US9639689B1 (en) | User authentication | |
US10015191B2 (en) | Detection of man in the browser style malware using namespace inspection | |
JP6438534B2 (en) | System and method for performing secure online banking transactions | |
CN114553456B (en) | Digital Identity Network Alert | |
WO2019114246A1 (en) | Identity authentication method, server and client device | |
CN105516133A (en) | User identity verification method, server and client | |
TW201324223A (en) | Phishing site processing method, system and computer readable storage medium storing the method | |
WO2019123455A1 (en) | System and method for blocking phishing attempts in computer networks | |
US11405374B2 (en) | System and method for automatic mitigation of leaked credentials in computer networks | |
CN107995167B (en) | Equipment identification method and server | |
CN105574724A (en) | Safety payment protection method and system, safety application client, and safety server | |
EP4397003A1 (en) | Software posture for zero trust access | |
US20250080573A1 (en) | Protecting Against Malicious Websites Using Repetitive Data Signatures | |
US9641538B1 (en) | Authenticating an entity |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18889632; Country of ref document: EP; Kind code of ref document: A1 |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 18889632; Country of ref document: EP; Kind code of ref document: A1 |