CN104809377B - Network user identity monitoring method based on webpage input behavior feature - Google Patents
Network user identity monitoring method based on webpage input behavior feature Download PDFInfo
- Publication number
- CN104809377B CN104809377B CN201510214216.2A CN201510214216A CN104809377B CN 104809377 B CN104809377 B CN 104809377B CN 201510214216 A CN201510214216 A CN 201510214216A CN 104809377 B CN104809377 B CN 104809377B
- Authority
- CN
- China
- Prior art keywords
- mouse
- quantile
- characteristic vector
- vector
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Input From Keyboards Or The Like (AREA)
- Debugging And Monitoring (AREA)
- Digital Computer Display Output (AREA)
- User Interface Of Digital Computer (AREA)
Abstract
The invention discloses a kind of network user identity monitoring method based on webpage input behavior feature, the network user is recorded unperturbed is carrying out mouse movement and keystroke operation caused by webpage interaction, operation cutting is carried out based on input attribute, extract the input behavior feature mutually agreed with network interactive mode, the identification model established under every kind of action type, the real-time monitoring of network user identity is relatively realized based on observation window and threshold value.The advantage of the invention is that:Input operation is frequent under webpage interaction scenarios, and different user easily forms unique and unique operator scheme because of factors such as different physilogical characteristics, behavioural habits;The identity model of every kind of keystroke and mouse action is established, can preferably embody the behavioral trait of user, improves the fault-tolerance of identity monitoring;Compared to traditional single authentication method, webpage input operation runs through the whole process of user's webpage interaction, and glitch-free real time identity tracking and monitoring can be achieved, have wider applicability.
Description
Technical field
The present invention relates to network safety guard technology, more particularly to a kind of network user is in Web page system interaction
Identity monitoring method.
Background technology
With developing rapidly for the fields such as internet finance, online education, ecommerce, each network application system is
As increasing people's daily life inalienable part.However, the increasing Internet bank's account of the thing followed
Family is invaded, and the event that the network systems such as Email Information is stolen are attacked promotes network information security protection question gradual
It is valued by people.
It is existing based on belongings (such as ID card), knowledge based (such as password), based on traditional biological feature (such as fingerprint and
Iris) auth method only identity legitimacy is verified (during such as system login) at the time of some are specific, it is difficult
To carry out the inspection of continuation to the identity legitimacy of user in webpage interaction, and not high (such as password of security be present
Easily leak and mix up) or need extra hardware to set (such as fingerprint and iris) limitation.However, interacted by analyzing webpage
When mouse and keyboard input operation and realize that the real-time monitoring to network user identity legitimacy can be fine based on this
The shortcomings that making up above-mentioned verification mode, so as to effectively protect netizen property and personal secrets.Based on webpage input behavior
Network user identity monitor mode there is its significant advantage:1) input operation is frequent under webpage interaction scenarios, and difference is used
Family easily forms unique and unique operator scheme because of factors such as different physilogical characteristics, behavioural habits or job specification;2) use
Family is in input operation behavior caused by webpage interaction without carrying and memory, it is difficult to hiding and forgery, and foundation is detected from net
Obtained in page input operation, it is not necessary to extra hardware device;3) data are completed during user interacts with Web page system
Capture and identity detection, the cooperation extra without user, can be achieved non-offensive identity and actively monitor, and have widely peace
Full property and applicability.
The content of the invention
It is an object of the invention to provide a kind of method for sustainably verifying network user identity, exist in particular with user
Caused mouse input operation and Key stroke operating characteristics to detect the conjunction of operator's identity in real time in Web page system interaction
The method of method.
To achieve the above objectives, the present invention adopts the following technical scheme that realization:
A kind of network user identity monitoring method based on webpage input behavior feature, the webpage input behavior are user
Mouse action behavior and keystroke operation behavior in webpage, it is characterised in that built including network user identity identification model
Two large divisions is persistently monitored with network user identity:
Wherein, network user identity identification model structure comprises the steps:
(1) normally logined during Web page system interacts operation in validated user, gather and record user in net
The mouse action data and keystroke operation data inputted on page boundary face, form user's mouse, the raw data set of keystroke behavior;
(2) division of operation behavior:For mouse action, beginning and end line and positive water are slided according to mouse pointer
The mouse action that flat angle theta is concentrated to initial data is sorted out, wherein, θ since -22.5 °, draw by every 45 ° of orders counterclockwise
It is divided into I~VIII class, eight kinds of mouse action modes, forms I~VIII class mouse mobile behavior training dataset;For keystroke operation, with
The end mark of newline " TAB " key and mouse event as keystroke operation, division keystroke operation are the word that multiple length do not wait
Accord with sequence;
(3) extraction of operation behavior characteristic vector:For different mouse action modes, extract characteristic vector and calculate feature
Vector template, characteristic vector template and the mouse action characteristic vector of extraction are subjected to similarity measurement, obtain each mouse behaviour
The distance feature vector of work;The training characteristics set formed under every kind of mouse action mode;For keystroke operation:1. according to each
Character contained by character string and character precedence relationship, extract the characteristic vector of corresponding button;2. it is directed to each singly-bound and combination
Key, keystroke operation characteristic vector template is calculated, wherein, Macintosh relation between the priority key of two singly-bounds;3. by this feature vector
Template and the characteristic vector of each keystroke operation carry out similarity measurement, form the behavior instruction comprising each singly-bound and Macintosh feature
Practice characteristic set;
(4) it is positive class by the key mouse training characteristics aggregated label of validated user, every kind of mouse is grasped using one-class classifier
The identity model of operation mode and each keystroke operation structure validated user, and obtain various mouse action modes and each keystroke behaviour
The judging identity threshold value of validated user corresponding to work;Accordingly, validated user identity model includes at least eight identity submodels;
Network user identity, which persistently monitors, to be comprised the steps:
(1) after user logins Web page system, observation window of the webpage using length as N starts to capture user's mouse action and hit
Key operation behavior, the observation window are the user's webpage input operand comprising mouse and the common N number of operation of keystroke collected
According to block;
(2) mouse action is directed to, it is sorted out according to moving direction, mouse action characteristic vector is extracted, with identity
The characteristic vector template of the respective operations pattern obtained during model construction is entered row distance and compared, and obtains the distance feature of mouse action
Vector;For keystroke operation, relation between each key assignments and key that are included according to it, extraction keystroke operation characteristic vector, while from
Extracted in the feature database comprising each singly-bound and Macintosh that identity model obtains when building, characteristic vector mould corresponding to combination
Plate, distance metric is carried out, obtain the distance feature vector of keystroke operation;
(3) each mouse action and keystroke operation being directed in webpage input operation data block, the distance feature that will be obtained
Input of the vector as identity submodel corresponding to the operation, obtains the detected value of each operation, and by the detected value with it is corresponding
The decision threshold of identity submodel be compared, judge the abnormality operated every time;
(4) current user identities legitimacy is judged:If continuous monitoring is grasped to M exception in n times behavior operation
Make, then judge that active user is disabled user;It is on the contrary then judge active user be validated user, wherein, M is less than or equal to N.
In the above method, the data format of the mouse action is:{ mouse state, mouse position, time };Wherein, mouse
Mark state refers to moving mouse button down, mouse button release, mouse the label information of three kinds of states;The keystroke operation
Data format, the singly-bound data format for representing single key assignments are:{ key value, time };The combination key data of relation between expression key
Form is:{ previous key value, this key value, time }.
The operation behavior division concretely comprises the following steps:
For mouse action,
1) the mouse position coordinate of the starting point event of mouse moving operation of extraction and endpoints, wherein each position
The form of coordinate is { horizontal coordinate X, vertical coordinate Y };
2) angle theta of moving operation beginning and end line and horizontal direction is calculated, is I when θ is at -22.5 °~22.5 °
Class mouse action mode;It is II class mouse action mode when θ is at 22.5 °~67.5 °;It is III when θ is at 67.5 °~112.5 °
Class mouse action mode;It is IV class mouse action mode when θ is at 112.5 °~157.5 °;When θ at 157.5 °~180 ° or-
It is V class mouse action mode at 180 °~-157.5 °;It is VI class mouse action mode when θ is at -157.5 °~-112.5 °;
It is VII class mouse action mode when θ is at -112.5 °~-67.5 °;It is VIII class mouse action when θ is at -67.5 °~-22.5 °
Pattern;
For keystroke operation,
1) for the operation of current typing character, the end mark of this keystroke operation is used as using " TAB " key and mouse event
Will, the division to keystroke operation is realized, it is determined that the character string keyed in;
2) behavioural characteristic of each relation between key assignments and each key in character string is extracted one by one, is identified in network user identity
It is deposited into model construction comprising in the singly-bound of relationship characteristic, Macintosh Behavioral training feature database between all key assignments, key;
These behavioural characteristics are formed characteristic vector to be measured by network user identity in persistently monitoring, and in training characteristics storehouse search,
Match somebody with somebody, be combined into corresponding training feature vector template, wherein, each singly-bound is characterized in key time durations, each Macintosh
It is characterized in transfer time between key.
The characteristic vector of the mouse action refers to the space-time geometric locus as caused by mouse movement in system webpage
A series of behavior measure amounts derived, including Integral Characteristic and processing statistic, it is specific as follows:
Integral Characteristic includes:
Mouse moves X-coordinate, the Y-coordinate of starting point;
Mouse moves X-coordinate, the Y-coordinate of terminal;
The path length of mouse movement and the ratio of displacement;
The duration of mouse movement;
Processing statistic includes:
Mouse movement 30% quantile of X-direction speed, 35% quantile, 40% quantile, 45% quantile, 50% point
Digit, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
Mouse movement 30% quantile of Y-direction speed, 35% quantile, 40% quantile, 45% quantile, 50% point
Digit, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
Mouse movement 30% quantile of X-direction acceleration, 35% quantile, 40% quantile, 45% quantile, 50%
Quantile, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
Mouse movement 30% quantile of Y-direction acceleration, 35% quantile, 40% quantile, 45% quantile, 50%
Quantile, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
30% quantile of mouse motion track angle, 35% quantile, 40% quantile, 45% quantile, 50% point
Digit, 55% quantile, 60% quantile, 65% quantile, 70% quantile.
The singly-bound of the keystroke operation, Macintosh characteristic vector refer between each key assignments and priority key by typing character string
A series of behavior measure amounts that relation is derived, specific features are as follows:
Singly-bound:Duration average, the standard deviation of each button;
Macintosh:Transfer time average, standard deviation between each adjacent key.
The calculating characteristic vector template of the mouse action refer to every kind of mouse mode mouse movement training data in,
The distance of characteristic vector other moving operation characteristic vectors into training data of each moving operation is calculated using mahalanobis distance,
Form distance vector, characteristic vector template of the minimum characteristic vector of chosen distance vector mould as the operator scheme.
The calculating characteristic vector template of the keystroke operation refers to, for each keystroke operation behavior, include its typing character
In string between each key assignments, key in the singly-bound of relation, Macintosh Behavioral training database, using Euclidean distance calculate each singly-bound,
The distance of the characteristic vector of Macintosh other character pair vectors into training data, forms distance vector, chosen distance vector
The minimum characteristic vector of mould is as characteristic vector template, and it is special to be recorded in the Behavioral training comprising each singly-bound, Macintosh feature
Levy in storehouse.
The method have the advantages that:Input operation is frequent under webpage interaction scenarios, and different user is because of different lifes
The factors such as reason feature, behavioural habits or job specification, easily form unique and unique operator scheme;For every kind of keystroke operation and
Mouse moving operation establishes identification submodel, and judges identity based on observation window fusion, can preferably embody user's
Behavioral trait, improve the fault-tolerance of authentication and identity monitoring;Compared to traditional cipher authentication method, webpage input operation
The whole process of webpage interaction is carried out through user, glitch-free real time identity tracking and monitoring can be achieved, is had wider
Security and applicability.
Brief description of the drawings
Below in conjunction with the accompanying drawings and embodiment is described in further detail to the present invention.
Fig. 1 is the overall procedure schematic diagram of the inventive method.
Fig. 2 is the idiographic flow schematic diagram that the data in Fig. 1 mouse and keystroke operation division unit are sorted out.
Fig. 3 is the schematic flow sheet of the distance feature vector generation in Fig. 1 mouse and keystroke behavioural characteristic extraction unit.
Fig. 4 is Fig. 1 mouse and the schematic flow sheet of the sub- identity model construction unit of keystroke.
Fig. 5 is to use the experimental result picture obtained by the inventive method.
Embodiment
Referring to Fig. 1, the network user identity monitoring method of the invention based on webpage input behavior feature, user identity is included
Model construction and operator's identity persistently monitor two parts.The present invention can be used for e-banking system, e-mail system, electricity
The real-time monitoring of the network system person's of logining identity legitimacy such as sub- business system, is realized to legal user profile, the safety of property
Protection.Specific implementation steps are as follows:
1st, user identity model construction part comprises the steps:
(1) normally logined during Web page system interacts operation in user, gather and record user in webpage circle
The mouse mobile data and keystroke operation data inputted on face, form mouse mobile behavior and keystroke needed for identity model structure
Behavioral training data set;The form of mouse moving operation data is:{ mouse state, mouse position, time }, wherein, mouse-like
State refers to moving mouse button down, mouse button release, mouse the label information of three kinds of states.
For the form of keystroke behavior operation data, represent that its data format of the singly-bound of single key assignments is:Key value, when
Between, the Macintosh of relation its data format is between representing key:{ previous key value, this key value, time }.
(2) referring to Fig. 2, for mouse action, moved according to the different mouses concentrated to training data of mouse moving direction
Dynamic operation is sorted out;For keystroke operation, returned according to the keystroke operation that TAB keys and mouse event are concentrated to training data
Class, it is specially:
For mouse action,
The first step, the cursor position seat of the starting point event for extracting a mouse movement and endpoints is concentrated from training data
Mark, wherein the form of each position coordinates is { horizontal coordinate X, vertical coordinate Y };
Second step, the angle theta of mouse movement beginning and end line and horizontal direction is calculated, if θ is less than more than -22.5 °
Equal to 22.5 °, then moving operation is classified as I class;If θ is more than 22.5 ° and is less than or equal to 67.5 °, moving operation is classified as II class;
If θ is more than 67.5 ° and is less than or equal to 112.5 °, moving operation is classified as III class;If θ is more than 112.5 ° and is less than or equal to 157.5 °,
Moving operation is then classified as IV class;If θ is more than 157.5 ° and is less than or equal to 180 ° or more than -180 ° less than or equal to -157.5 °, will
Moving operation is classified as V class;If θ is more than -157.5 ° and is less than or equal to -112.5 °, moving operation is classified as VI class;If θ be more than-
112.5 ° are less than or equal to -67.5 °, then moving operation are classified as into VII class;If θ is more than -67.5 ° and is less than or equal to -22.5 °, will move
Dynamic operation is classified as VIII class;If moving operation beginning and end in same position, ignores this operation;
3rd step, the mouse mobile behavior training dataset formed under different operation modes, mouse action mode include:Ⅰ
Class mouse is mobile, II class mouse is mobile, III class mouse is mobile, IV class mouse is mobile, V class mouse is mobile, VI class mouse is mobile,
VII class mouse moves and the movement of VIII class mouse.
For keystroke operation,
The first step, the operation for current typing character, the knot of this keystroke operation is used as using " TAB " key and mouse event
Bundle flag, the division to keystroke operation is realized according to this, it is determined that the character string keyed in;
Second step, extract each relation between key assignments and each key in character string one by one, be deposited into comprising all key assignments,
Between key in the singly-bound of relation, Macintosh Behavioral training database.Wherein, each singly-bound is characterized in key time durations, each
Macintosh is characterized in transfer time between key.
(3) referring to Fig. 3, moved for the mouse under keystroke operation and every kind of operator scheme, extract characteristic vector and choose
Characteristic vector template, the distance feature vector of each key mouse operation is obtained, is specially:
For mouse action,
The first step, the mouse action of training dataset, extraction mouse movement are moved for the mouse under every kind of operator scheme
Behavioural characteristic vector, specially a series of mouse movement behaviors that caused space-time geometric locus is derived over the display are surveyed
Amount amount, including Integral Characteristic and the class of processing statistic two.Wherein, Integral Characteristic is that the entirety of a moving operation is retouched
State, including the X-coordinate of mouse movement starting point and Y-coordinate, the X-coordinate of mouse movement terminal and Y-coordinate, the track length of mouse movement
Degree and the ratio of displacement, the duration of mouse movement;Processing statistic is that the fine granularity of a moving operation process is described,
Its computational methods is to calculate the feature vector sequence of description first, including velocity series, acceleration degree series, angle sequence, then right
Each feature vector sequence calculates descriptive statistics amount as processing statistic;Using to descriptive statistics amount be mainly 30% point of position
Number, 35% quantile, 40% quantile, 45% quantile, 50% quantile, 55% quantile, 60% quantile, 65% point of position
Number, 70% quantile;
Second step, the training number under the characteristic vector to respective operations pattern of each mouse shifting operation is calculated using horse formula distance
Other mouse move the distance of operating characteristics vector in, obtain the distance vector that dimension is (S-1), and wherein S is represented in training set
The number of characteristic vector.
3rd step, the mould of each distance vector is calculated, select the minimum characteristic vector of modulus value as characteristic vector template;
4th step, calculate the difference of characteristic vector template in the characteristic vector and respective operations pattern that each operate to
Amount, as the distance feature vector of the operation, it is subsequently formed mouse mobile behavior training characteristics set under each operator scheme;
For keystroke operation,
The first step, each keystroke operation concentrated for the keystroke operation training data of cutting, extracts and wherein contains
The characteristic vector of all singly-bounds and Macintosh that have, specially spread out by relation between each key assignments and priority key of typing character string
A series of behavior measure amounts born, including the feature of multiple singly-bounds and the major class of the feature of multiple Macintosh two.Wherein, singly-bound is special
Sign is the description to button behavior each time, including the character keys such as a, b ... y, z, 0,1 ... 8,9 etc. numerical keys and@, #...
Deng the average and standard deviation of the key time durations of other keys.Macintosh is characterized in retouching each two button behavior precedence relationship
State, including aa, ab ... ay, az, a0, a1 ... a8, a9, a@, a., a#...ba, bb ... by, bz, b0, b1 ... b8, b9, b@, b.,
Etc. b#... between the key in the case of all key combinations transfer time average and standard deviation.;
Second step, calculated using Euclidean distance the features of whole singly-bounds and Macintosh contained in each keystroke operation to
The distance of its characteristic vector in the training data under corresponding set is measured, obtains the distance vector that dimension is (S-1), wherein S tables
Show the number of characteristic vector in training set.
3rd step, the mould of each distance vector is calculated, select the minimum characteristic vector of modulus value as characteristic vector template;
4th step, calculate the characteristic vector of each singly-bound and Macintosh and the difference of the characteristic vector template in corresponding storehouse to
Amount, as the distance feature of the singly-bound or Macintosh situation vector, it is subsequently formed training characteristics set corresponding with each of which;
(4) it is positive class by the training characteristics aggregated label of validated user, using one-class classifier to every kind of mouse referring to Fig. 4
The identity submodel of Move Mode (I~VIII class Move Mode) structure validated user is marked, using one-class classifier to all singly-bounds
Its respective validated user identity submodel is built with Macintosh, and obtains the judging identity threshold of each identity submodel of validated user
Value.
2nd, operator's identity continues monitor portion, comprises the steps:
(1) login network in user to enter the Web page during capable interaction, capture mouse, the keystroke operation of active user,
Observation window using length as N forms the input operation data block comprising the movement of user's mouse and keystroke behavior and (wrapped in data block
Make containing key or mouse action is N number of altogether);
(2) each mouse moving operation being directed in operation data block, sorts out according to moving direction to it, and extraction is special
Sign vector, the characteristic vector template of the respective operations pattern obtained when being built with identity model carry out distance metric, obtain the mouse
Mark the distance feature vector of operation.For each keystroke operation in operation data block, according to foregoing user identity model construction
After the method division of part steps 2, the combination of eigenvectors for extracting each singly-bound and Macintosh describes the keystroke into one
The complete characterization vector of operation.The characteristic vector of all identical singly-bounds and Macintosh is equally searched out in training characteristics storehouse,
It is combined into the characteristic vector template corresponding with this keystroke operation.Distance metric is carried out, the distance for obtaining the keystroke operation is special
Sign vector.
(3) for the movement of each mouse and keystroke operation, using its distance feature vector as the defeated of corresponding sub- identity model
Enter (if for example, mouse action is classified as the movement of II class, corresponding identity submodel is the class mobility model of mouse II), obtain
The detected value of this operation;
(4) each operation being directed in key mouse operating block, the decision threshold ε by its detected value with corresponding identity submodel
(ε numerical value is according to model and different) are compared, if detected value is more than threshold value, judge the operation for abnormal operation;If inspection
Measured value is less than threshold value, then judges the operation for normal operating;
(5) the lasting monitoring of current user identities legitimacy:If continuous monitoring is grasped to M exception in the operation of n times key mouse
Make, wherein, M is less than or equal to N, then judges that active user is disabled user;It is on the contrary then judge active user be validated user, wherein
M is alarm threshold value, can be by user's sets itself.
The present invention is persistently monitored with the user identity of self-built simulation Internet bank system and has carried out experimental verification for embodiment,
Comprise the following steps that:
The first step, the generation of training data.14 users of requirement of experiment adhere to several weeks under hardware environment different from each other
Analog network banking system is logined, completes remittance of transferring accounts, the function of inquiry into balance of simulation, gathering and record these users is being
Keystroke behavior on web interface and mouse behavioral data in system, then these are counted according to keystroke, mouse behavior division rule
According to being sorted out, keystroke, the training data of mouse different operation modes are obtained.
Second step, generation distance feature vector.For each user, the characteristic vector under every kind of operator scheme and spy are extracted
Vector template is levied, then generates the training characteristics database that mouse moves under all singly-bounds, Macintosh and every kind of operator scheme.
3rd step, user identity model construction.For each user, by the training characteristics data markers of the user for just
Class, the sub- identity model using nearest-neighbors method (mahalanobis distance) to every kind of mouse moving operation mode construction validated user, is adopted
The sub- identity model of validated user is built to each keystroke operation with Outlier-counting methods, and utilizes training characteristics data
Model is learnt.
4th step, the generation of test data.It is caused after the certain number of its login system for each user
Key mouse behaviour's behavioral data will not be taken as training data, but record as follow-up test data.
5th step, the lasting monitoring of user identity legitimacy.A certain user is selected as validated user, using length as N's
Observation window forms the input operation data block moved comprising keystroke and mouse, for each of which bar test sample, generation
Distance feature vector, finds the sub- identity model of its respective operations in validated user identity model, and distance feature vector is defeated
Enter the model, obtain the detected value to each test sample, by detected value compared with threshold epsilon, if detected value is less than threshold epsilon,
Judge the operation for abnormal operation;Conversely, then judge the operation for normal operating;If continuous monitoring is to super in the operation of n times
M abnormal operation (M is less than N) is crossed, then judges that active user is disabled user.
6th step, select remaining users to be used as validated user successively, repeat the process of above-mentioned 5th step, obtain all users
Lasting monitored results.
For all users, test the inventive method carries out continuing monitoring in analog network banking system to user identity
The degree of accuracy.Fig. 5 is the error rate (equal-error such as what identity in simulation system of the embodiment of the present invention persistently monitored
Rate) result, the vertical line in figure on each point illustrate the variance in the inferior error rate of this observed length.
The present invention is can be seen that from Fig. 5 experimental result accurately and quickly to enter the identity of current network user
Row lasting monitoring and detection.When the size of observation window is 3 (every 3 operations carry out an identity legitimacy detection),
The error rate such as what identity persistently monitored is 3.68%;When the size of observation window is 5, (every 5 operations carry out an identity
Legitimacy detects), the error rate such as what identity persistently monitored is 0.85%.The feasibility of the result verification present invention and effectively
Property, show that the inventive method can be used as a kind of efficient network user identity safety protection technique.
Claims (6)
1. a kind of network user identity monitoring method based on webpage input behavior feature, it is characterised in that including the network user
Identification model construction and network user identity persistently monitor two large divisions:
Wherein, the first step, network user identity identification model structure comprise the steps:
(1) normally logined during Web page system interacts operation in validated user, gather and record user in webpage circle
The mouse action data and keystroke operation data inputted on face, form user's mouse, the raw data set of keystroke behavior;
(2) division of operation behavior:For mouse action, beginning and end line and positive horizontal folder are slided according to mouse pointer
The mouse action that angle θ concentrates to initial data is sorted out, wherein, for θ since -22.5 °, every 45 ° of orders counterclockwise are divided into I
~VIII eight kinds of class mouse action mode, form I~VIII class mouse mobile behavior training dataset;For keystroke operation, with line feed
The end mark of " TAB " key and mouse event as keystroke operation is accorded with, division keystroke operation is the character sequence that multiple length do not wait
Row;
(3) extraction of operation behavior characteristic vector:For different mouse action modes, extract characteristic vector and calculate characteristic vector
Template, characteristic vector template and the mouse action characteristic vector of extraction are subjected to similarity measurement, obtain each mouse action
Distance feature vector;The training characteristics set formed under every kind of mouse action mode;For keystroke operation:1. according to each character
Character contained by sequence and character precedence relationship, extract the characteristic vector of corresponding button;2. being directed to each singly-bound and Macintosh, count
Keystroke operation characteristic vector template is calculated, wherein, Macintosh relation between the priority key of two singly-bounds;3. by this feature vector mould
The characteristic vector of plate and each keystroke operation carries out similarity measurement, forms the Behavioral training comprising each singly-bound and Macintosh feature
Characteristic set;
For mouse action,
(3.1.1), the mouse action of training dataset is moved for the mouse under every kind of operator scheme, extract mouse mobile behavior
Characteristic vector, specially mouse movement a series of behavior measures that caused space-time geometric locus is derived over the display
Amount, including Integral Characteristic and the class of processing statistic two;Wherein, Integral Characteristic is the whole description to a moving operation,
The X-coordinate and Y-coordinate, the path length of mouse movement of X-coordinate and Y-coordinate, mouse movement terminal including mouse movement starting point
Ratio, the duration of mouse movement with displacement;Processing statistic is that the fine granularity of a moving operation process is described, its
Computational methods are to calculate the feature vector sequence of description first, including velocity series, acceleration degree series, angle sequence, then to every
Individual feature vector sequence calculates descriptive statistics amount as processing statistic;Using to descriptive statistics amount be mainly 30% point of position
Number, 35% quantile, 40% quantile, 45% quantile, 50% quantile, 55% quantile, 60% quantile, 65% point of position
Number, 70% quantile;
(3.1.2), the training data under the characteristic vector to respective operations pattern of each mouse shifting operation is calculated using horse formula distance
In other mouse move the distance of operating characteristicses vector, obtain the distance vector that dimension is (S-1), wherein S represents special in training set
Levy the number of vector;
(3.1.3), the mould of each distance vector is calculated, select the minimum characteristic vector of modulus value as characteristic vector template;
(3.1.4), the difference value vector of the characteristic vector template in the characteristic vector and respective operations pattern each operated is calculated, made
For the distance feature vector of the operation, mouse mobile behavior training characteristics set under each operator scheme is subsequently formed;
For keystroke operation,
(3.2.1), each keystroke operation concentrated for the keystroke operation training data of cutting, extracts what is wherein contained
The characteristic vector of all singly-bounds and Macintosh, specially derived by relation between each key assignments and priority key of typing character string
A series of behavior measure amounts, including the feature of multiple singly-bounds and the major class of the feature of multiple Macintosh two;Wherein, singly-bound is characterized in
Description to button behavior each time, including the character keys such as a, b ... y, z, 0,1 ... 8,9 etc. numerical keys and@, #... etc. its
The average and standard deviation of the key time durations of his key;Macintosh is characterized in the description to each two button behavior precedence relationship,
Including aa, ab ... ay, az, a0, a1 ... a8, a9, a@, a., a#...ba, bb ... by, bz, b0, b1 ... b8, b9, b@, b.,
Etc. b#... between the key in the case of all key combinations transfer time average and standard deviation;
The characteristic vector that (3.2.2) calculates whole singly-bounds and Macintosh contained in each keystroke operation using Euclidean distance arrives
The distance of its characteristic vector in training data under corresponding set, obtains the distance vector that dimension is (S-1), and wherein S represents instruction
Practice the number of characteristic vector in set;
(3.2.3), the mould of each distance vector is calculated, select the minimum characteristic vector of modulus value as characteristic vector template;
(3.2.4), the characteristic vector of each singly-bound and Macintosh and the difference value vector of the characteristic vector template in corresponding storehouse are calculated,
As the distance feature of the singly-bound or Macintosh situation vector, training characteristics set corresponding with each of which is subsequently formed;
(4) it is positive class by the key mouse training characteristics aggregated label of validated user, using one-class classifier to every kind of mouse action mould
The identity model of formula and each keystroke operation structure validated user, and obtain various mouse action modes and each keystroke operation pair
The judging identity threshold value for the validated user answered;Accordingly, validated user identity model includes at least eight identity submodels;
Second step, network user identity, which persistently monitors, to be comprised the steps:
(1) after user logins Web page system, observation window of the webpage using length as N starts to capture user's mouse action and keystroke behaviour
Make behavior, the observation window is the user's webpage input operand comprising mouse and the common N number of operation of keystroke collected according to block;
(2) mouse action is directed to, it is sorted out according to moving direction, mouse action characteristic vector is extracted, with identity model
The characteristic vector template of the respective operations pattern obtained during structure is entered row distance and compared, obtain the distance feature of mouse action to
Amount;For keystroke operation, relation between each key assignments and key that are included according to it, keystroke operation characteristic vector is extracted, while from body
Extracted in the feature database comprising each singly-bound and Macintosh obtained during part model construction, characteristic vector template corresponding to combination,
Distance metric is carried out, obtains the distance feature vector of keystroke operation;
(3) each mouse action and keystroke operation being directed in webpage input operation data block, by obtained distance feature vector
As the input of identity submodel corresponding to the operation, the detected value of each operation is obtained, and by the detected value and corresponding body
The decision threshold of one's share of expenses for a joint undertaking model is compared, and judges the abnormality operated every time;
(4) current user identities legitimacy is judged:If continuous monitoring is to M abnormal operation in n times behavior operation,
Judge that active user is disabled user;It is on the contrary then judge active user be validated user, wherein, M is less than or equal to N;
The data format of the mouse action is:{ mouse state, mouse position, time };Wherein, mouse state is referred to mouse
Mark key is pressed, mouse button discharges, the label information of mouse three kinds of states of movement;The data format of the keystroke operation, represent single
The singly-bound data format of individual key assignments is:{ key value, time };The Macintosh data format of relation is between expression key:{ previous button
Value, this key value, time }.
2. the network user identity monitoring method as claimed in claim 1 based on webpage input behavior feature, it is characterised in that
The operation behavior division concretely comprises the following steps:
For mouse action,
1) the mouse position coordinate of the starting point event of mouse moving operation of extraction and endpoints, wherein each position coordinates
Form be { horizontal coordinate X, vertical coordinate Y };
2) angle theta of moving operation beginning and end line and horizontal direction is calculated, is I class mouse when θ is at -22.5 °~22.5 °
Mark operator scheme;It is II class mouse action mode when θ is at 22.5 °~67.5 °;It is III class mouse when θ is at 67.5 °~112.5 °
Mark operator scheme;It is IV class mouse action mode when θ is at 112.5 °~157.5 °;When θ is at 157.5 °~180 ° or -180 °
It is V class mouse action mode at~-157.5 °;It is VI class mouse action mode when θ is at -157.5 °~-112.5 °;Work as θ
It is VII class mouse action mode at -112.5 °~-67.5 °;It is VIII class mouse action mould when θ is at -67.5 °~-22.5 °
Formula;
For keystroke operation,
1) it is real using " TAB " key and mouse event as the end mark of this keystroke operation for the operation of current typing character
Now to the division of keystroke operation, it is determined that the character string keyed in;
2) behavioural characteristic of each relation between key assignments and each key in character string is extracted one by one, in network user identity identification model
It is deposited into structure comprising in the singly-bound of relationship characteristic, Macintosh Behavioral training feature database between all key assignments, key;In network
These behavioural characteristics are formed characteristic vector to be measured by user identity in persistently monitoring, and are searched for, matched, group in training characteristics storehouse
Training feature vector template corresponding to synthesis, wherein, each singly-bound is characterized in key time durations, the feature of each Macintosh
It is transfer time between key.
3. the network user identity monitoring method as claimed in claim 1 based on webpage input behavior feature, it is characterised in that
The characteristic vector of the mouse action refers to that the space-time geometric locus as caused by mouse movement in system webpage is derived
A series of behavior measure amounts, including Integral Characteristic and processing statistic are specific as follows:
Integral Characteristic includes:
Mouse moves X-coordinate, the Y-coordinate of starting point;
Mouse moves X-coordinate, the Y-coordinate of terminal;
The path length of mouse movement and the ratio of displacement;
The duration of mouse movement;
Processing statistic includes:
30% quantile of mouse movement X-direction speed, 35% quantile, 40% quantile, 45% quantile, 50% point of position
Number, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
30% quantile of mouse movement Y-direction speed, 35% quantile, 40% quantile, 45% quantile, 50% point of position
Number, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
30% quantile of mouse movement X-direction acceleration, 35% quantile, 40% quantile, 45% quantile, 50% point of position
Number, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
30% quantile of mouse movement Y-direction acceleration, 35% quantile, 40% quantile, 45% quantile, 50% point of position
Number, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
30% quantile of mouse move angle, 35% quantile, 40% quantile, 45% quantile, 50% quantile, 55%
Quantile, 60% quantile, 65% quantile, 70% quantile.
4. the network user identity monitoring method as claimed in claim 1 based on webpage input behavior feature, it is characterised in that
The singly-bound of the keystroke operation, Macintosh characteristic vector refer to that relation is spread out between each key assignments and priority key by typing character string
A series of behavior measure amounts born, specific features are as follows:
Singly-bound:Duration average, the standard deviation of each button;
Macintosh:Transfer time average, standard deviation between each adjacent key.
5. the network user identity monitoring method as claimed in claim 1 based on webpage input behavior feature, the mouse behaviour
The calculating characteristic vector template of work refers in the mouse movement training data of every kind of mouse mode, is calculated using mahalanobis distance every
The distance of the characteristic vector of individual moving operation other moving operation characteristic vectors into training data, form distance vector, selection
Characteristic vector template of the minimum characteristic vector of distance vector mould as the operator scheme.
6. the network user identity monitoring method as claimed in claim 1 based on webpage input behavior feature, the keystroke behaviour
The calculating characteristic vector template of work refers to for each keystroke operation behavior, comprising in its typing character string between each key assignments, key
In the singly-bound of relation, Macintosh Behavioral training database, each singly-bound is calculated using Euclidean distance, the characteristic vector of Macintosh arrives
The distance of other character pair vectors in training data, forms distance vector, and the minimum characteristic vector of chosen distance vector mould is made
Be characterized vector template, and be recorded in comprising each singly-bound, Macintosh feature Behavioral training feature database in.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510214216.2A CN104809377B (en) | 2015-04-29 | 2015-04-29 | Network user identity monitoring method based on webpage input behavior feature |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510214216.2A CN104809377B (en) | 2015-04-29 | 2015-04-29 | Network user identity monitoring method based on webpage input behavior feature |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104809377A CN104809377A (en) | 2015-07-29 |
CN104809377B true CN104809377B (en) | 2018-01-05 |
Family
ID=53694193
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510214216.2A Active CN104809377B (en) | 2015-04-29 | 2015-04-29 | Network user identity monitoring method based on webpage input behavior feature |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104809377B (en) |
Families Citing this family (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105933267A (en) * | 2015-08-21 | 2016-09-07 | ***股份有限公司 | Identity authentication method and device |
CN105429937B (en) * | 2015-10-22 | 2018-07-06 | 同济大学 | Identity identifying method and system based on keystroke behavior |
RU2626337C1 (en) * | 2016-02-18 | 2017-07-26 | Акционерное общество "Лаборатория Касперского" | Method of detecting fraudulent activity on user device |
CN107194213B (en) * | 2016-03-14 | 2020-03-27 | 阿里巴巴集团控股有限公司 | Identity recognition method and device |
CN106039711B (en) * | 2016-05-17 | 2019-05-14 | 网易(杭州)网络有限公司 | A kind of method for authenticating user identity and device |
CN106911668B (en) * | 2017-01-10 | 2020-07-14 | 同济大学 | Identity authentication method and system based on user behavior model |
CN107124395B (en) * | 2017-03-16 | 2020-08-07 | 华北电力大学 | Identification method of user identity identification system based on keystroke rhythm |
CN107230084B (en) * | 2017-05-03 | 2020-12-29 | 同济大学 | Big data-based user behavior authentication method and system |
CN107368718B (en) * | 2017-07-06 | 2022-08-16 | 同济大学 | User browsing behavior authentication method and system |
CN107623715B (en) * | 2017-08-08 | 2020-06-09 | 阿里巴巴集团控股有限公司 | Identity information acquisition method and device |
CN108229567B (en) * | 2018-01-09 | 2021-06-15 | 荣联科技集团股份有限公司 | Driver identity recognition method and device |
CN108200450B (en) * | 2018-01-12 | 2019-11-15 | 武汉斗鱼网络科技有限公司 | A kind of determination method, apparatus, electronic equipment and medium for paying close attention to legitimacy |
CN109063431B (en) * | 2018-06-21 | 2021-10-22 | 西安理工大学 | User identity recognition method for weighting keystroke characteristic curve difference degree |
CN109446780B (en) * | 2018-11-01 | 2020-11-27 | 北京知道创宇信息技术股份有限公司 | Identity authentication method, device and storage medium thereof |
US11630896B1 (en) * | 2019-03-07 | 2023-04-18 | Educational Testing Service | Behavior-based electronic essay assessment fraud detection |
CN110287664A (en) * | 2019-07-01 | 2019-09-27 | 贵州大学 | A kind of identity identifying method being characterized selection based on multirow |
CN111124860B (en) * | 2019-12-16 | 2021-04-27 | 电子科技大学 | Method for identifying user by using keyboard and mouse data in uncontrollable environment |
CN111625789B (en) * | 2020-04-07 | 2023-04-07 | 北京工业大学 | User identification method based on multi-core learning fusion of mouse and keyboard behavior characteristics |
CN111209552A (en) * | 2020-04-20 | 2020-05-29 | 国网电子商务有限公司 | Identity authentication method and device based on user behaviors |
CN112580004A (en) * | 2020-12-23 | 2021-03-30 | 北京通付盾人工智能技术有限公司 | Webpage end user behavior acquisition method and system based on biological probe technology |
CN113158152A (en) * | 2021-05-13 | 2021-07-23 | 广西科技师范学院 | Computer intelligent auxiliary system based on behavior analysis |
CN116418587B (en) * | 2023-04-19 | 2024-04-30 | 中国电子科技集团公司第三十研究所 | Data cross-domain switching behavior audit trail method and data cross-domain switching system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101833619A (en) * | 2010-04-29 | 2010-09-15 | 西安交通大学 | Method for judging identity based on keyboard-mouse crossed certification |
CN103530540A (en) * | 2013-09-27 | 2014-01-22 | 西安交通大学 | User identity attribute detection method based on man-machine interaction behavior characteristics |
CN104239761A (en) * | 2014-09-15 | 2014-12-24 | 西安交通大学 | Continuous identity authentication method based on touch screen slip behavior characteristics |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012073233A1 (en) * | 2010-11-29 | 2012-06-07 | Biocatch Ltd. | Method and device for confirming computer end-user identity |
-
2015
- 2015-04-29 CN CN201510214216.2A patent/CN104809377B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101833619A (en) * | 2010-04-29 | 2010-09-15 | 西安交通大学 | Method for judging identity based on keyboard-mouse crossed certification |
CN103530540A (en) * | 2013-09-27 | 2014-01-22 | 西安交通大学 | User identity attribute detection method based on man-machine interaction behavior characteristics |
CN104239761A (en) * | 2014-09-15 | 2014-12-24 | 西安交通大学 | Continuous identity authentication method based on touch screen slip behavior characteristics |
Also Published As
Publication number | Publication date |
---|---|
CN104809377A (en) | 2015-07-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104809377B (en) | Network user identity monitoring method based on webpage input behavior feature | |
CN104239761B (en) | The identity for sliding behavioural characteristic based on touch screen continues authentication method | |
Buschek et al. | Improving accuracy, applicability and usability of keystroke biometrics on mobile touchscreen devices | |
Antal et al. | Information revealed from scrolling interactions on mobile devices | |
CN104408341B (en) | Smart phone user identity identifying method based on gyroscope behavioural characteristic | |
US10467394B2 (en) | Pointing device biometrics for continuous user authentication | |
WO2019153604A1 (en) | Device and method for creating human/machine identification model, and computer readable storage medium | |
CN103530540B (en) | User identity attribute detection method based on man-machine interaction behavior characteristics | |
Mondal et al. | Continuous authentication using mouse dynamics | |
Antal et al. | An evaluation of one-class and two-class classification algorithms for keystroke dynamics authentication on mobile devices | |
CN105389486B (en) | A kind of authentication method based on mouse behavior | |
CN108549806A (en) | The identity identifying method of behavior is slided and clicked based on user | |
Rahman et al. | Making impostor pass rates meaningless: A case of snoop-forge-replay attack on continuous cyber-behavioral verification with keystrokes | |
Lin et al. | A new non-intrusive authentication approach for data protection based on mouse dynamics | |
Xu et al. | Challenge-response authentication using in-air handwriting style verification | |
Van Nguyen et al. | Finger-drawn pin authentication on touch devices | |
Shen et al. | MouseIdentity: Modeling mouse-interaction behavior for a user verification system | |
CN107153780A (en) | The writing behavioural characteristic authentication method of electronic equipment is dressed based on wrist | |
Siirtola et al. | Effect of context in swipe gesture-based continuous authentication on smartphones | |
CN102324007A (en) | Method for detecting abnormality based on data mining | |
Kratky et al. | Recognition of web users with the aid of biometric user model | |
CN107430653B (en) | Method for identifying an interaction signature of a user | |
EP2490149A1 (en) | System for verifying user identity via mouse dynamics | |
Alpar | Biometric touchstroke authentication by fuzzy proximity of touch locations | |
CN111124860B (en) | Method for identifying user by using keyboard and mouse data in uncontrollable environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
EXSB | Decision made by sipo to initiate substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |