CN104809377B - Network user identity monitoring method based on webpage input behavior feature - Google Patents

Network user identity monitoring method based on webpage input behavior feature Download PDF

Info

Publication number
CN104809377B
CN104809377B CN201510214216.2A CN201510214216A CN104809377B CN 104809377 B CN104809377 B CN 104809377B CN 201510214216 A CN201510214216 A CN 201510214216A CN 104809377 B CN104809377 B CN 104809377B
Authority
CN
China
Prior art keywords
mouse
quantile
characteristic vector
vector
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510214216.2A
Other languages
Chinese (zh)
Other versions
CN104809377A (en
Inventor
沈超
杨振宇
管晓宏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xian Jiaotong University
Original Assignee
Xian Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xian Jiaotong University filed Critical Xian Jiaotong University
Priority to CN201510214216.2A priority Critical patent/CN104809377B/en
Publication of CN104809377A publication Critical patent/CN104809377A/en
Application granted granted Critical
Publication of CN104809377B publication Critical patent/CN104809377B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Input From Keyboards Or The Like (AREA)
  • Debugging And Monitoring (AREA)
  • Digital Computer Display Output (AREA)
  • User Interface Of Digital Computer (AREA)

Abstract

The invention discloses a kind of network user identity monitoring method based on webpage input behavior feature, the network user is recorded unperturbed is carrying out mouse movement and keystroke operation caused by webpage interaction, operation cutting is carried out based on input attribute, extract the input behavior feature mutually agreed with network interactive mode, the identification model established under every kind of action type, the real-time monitoring of network user identity is relatively realized based on observation window and threshold value.The advantage of the invention is that:Input operation is frequent under webpage interaction scenarios, and different user easily forms unique and unique operator scheme because of factors such as different physilogical characteristics, behavioural habits;The identity model of every kind of keystroke and mouse action is established, can preferably embody the behavioral trait of user, improves the fault-tolerance of identity monitoring;Compared to traditional single authentication method, webpage input operation runs through the whole process of user's webpage interaction, and glitch-free real time identity tracking and monitoring can be achieved, have wider applicability.

Description

Network user identity monitoring method based on webpage input behavior feature
Technical field
The present invention relates to network safety guard technology, more particularly to a kind of network user is in Web page system interaction Identity monitoring method.
Background technology
With developing rapidly for the fields such as internet finance, online education, ecommerce, each network application system is As increasing people's daily life inalienable part.However, the increasing Internet bank's account of the thing followed Family is invaded, and the event that the network systems such as Email Information is stolen are attacked promotes network information security protection question gradual It is valued by people.
It is existing based on belongings (such as ID card), knowledge based (such as password), based on traditional biological feature (such as fingerprint and Iris) auth method only identity legitimacy is verified (during such as system login) at the time of some are specific, it is difficult To carry out the inspection of continuation to the identity legitimacy of user in webpage interaction, and not high (such as password of security be present Easily leak and mix up) or need extra hardware to set (such as fingerprint and iris) limitation.However, interacted by analyzing webpage When mouse and keyboard input operation and realize that the real-time monitoring to network user identity legitimacy can be fine based on this The shortcomings that making up above-mentioned verification mode, so as to effectively protect netizen property and personal secrets.Based on webpage input behavior Network user identity monitor mode there is its significant advantage:1) input operation is frequent under webpage interaction scenarios, and difference is used Family easily forms unique and unique operator scheme because of factors such as different physilogical characteristics, behavioural habits or job specification;2) use Family is in input operation behavior caused by webpage interaction without carrying and memory, it is difficult to hiding and forgery, and foundation is detected from net Obtained in page input operation, it is not necessary to extra hardware device;3) data are completed during user interacts with Web page system Capture and identity detection, the cooperation extra without user, can be achieved non-offensive identity and actively monitor, and have widely peace Full property and applicability.
The content of the invention
It is an object of the invention to provide a kind of method for sustainably verifying network user identity, exist in particular with user Caused mouse input operation and Key stroke operating characteristics to detect the conjunction of operator's identity in real time in Web page system interaction The method of method.
To achieve the above objectives, the present invention adopts the following technical scheme that realization:
A kind of network user identity monitoring method based on webpage input behavior feature, the webpage input behavior are user Mouse action behavior and keystroke operation behavior in webpage, it is characterised in that built including network user identity identification model Two large divisions is persistently monitored with network user identity:
Wherein, network user identity identification model structure comprises the steps:
(1) normally logined during Web page system interacts operation in validated user, gather and record user in net The mouse action data and keystroke operation data inputted on page boundary face, form user's mouse, the raw data set of keystroke behavior;
(2) division of operation behavior:For mouse action, beginning and end line and positive water are slided according to mouse pointer The mouse action that flat angle theta is concentrated to initial data is sorted out, wherein, θ since -22.5 °, draw by every 45 ° of orders counterclockwise It is divided into I~VIII class, eight kinds of mouse action modes, forms I~VIII class mouse mobile behavior training dataset;For keystroke operation, with The end mark of newline " TAB " key and mouse event as keystroke operation, division keystroke operation are the word that multiple length do not wait Accord with sequence;
(3) extraction of operation behavior characteristic vector:For different mouse action modes, extract characteristic vector and calculate feature Vector template, characteristic vector template and the mouse action characteristic vector of extraction are subjected to similarity measurement, obtain each mouse behaviour The distance feature vector of work;The training characteristics set formed under every kind of mouse action mode;For keystroke operation:1. according to each Character contained by character string and character precedence relationship, extract the characteristic vector of corresponding button;2. it is directed to each singly-bound and combination Key, keystroke operation characteristic vector template is calculated, wherein, Macintosh relation between the priority key of two singly-bounds;3. by this feature vector Template and the characteristic vector of each keystroke operation carry out similarity measurement, form the behavior instruction comprising each singly-bound and Macintosh feature Practice characteristic set;
(4) it is positive class by the key mouse training characteristics aggregated label of validated user, every kind of mouse is grasped using one-class classifier The identity model of operation mode and each keystroke operation structure validated user, and obtain various mouse action modes and each keystroke behaviour The judging identity threshold value of validated user corresponding to work;Accordingly, validated user identity model includes at least eight identity submodels;
Network user identity, which persistently monitors, to be comprised the steps:
(1) after user logins Web page system, observation window of the webpage using length as N starts to capture user's mouse action and hit Key operation behavior, the observation window are the user's webpage input operand comprising mouse and the common N number of operation of keystroke collected According to block;
(2) mouse action is directed to, it is sorted out according to moving direction, mouse action characteristic vector is extracted, with identity The characteristic vector template of the respective operations pattern obtained during model construction is entered row distance and compared, and obtains the distance feature of mouse action Vector;For keystroke operation, relation between each key assignments and key that are included according to it, extraction keystroke operation characteristic vector, while from Extracted in the feature database comprising each singly-bound and Macintosh that identity model obtains when building, characteristic vector mould corresponding to combination Plate, distance metric is carried out, obtain the distance feature vector of keystroke operation;
(3) each mouse action and keystroke operation being directed in webpage input operation data block, the distance feature that will be obtained Input of the vector as identity submodel corresponding to the operation, obtains the detected value of each operation, and by the detected value with it is corresponding The decision threshold of identity submodel be compared, judge the abnormality operated every time;
(4) current user identities legitimacy is judged:If continuous monitoring is grasped to M exception in n times behavior operation Make, then judge that active user is disabled user;It is on the contrary then judge active user be validated user, wherein, M is less than or equal to N.
In the above method, the data format of the mouse action is:{ mouse state, mouse position, time };Wherein, mouse Mark state refers to moving mouse button down, mouse button release, mouse the label information of three kinds of states;The keystroke operation Data format, the singly-bound data format for representing single key assignments are:{ key value, time };The combination key data of relation between expression key Form is:{ previous key value, this key value, time }.
The operation behavior division concretely comprises the following steps:
For mouse action,
1) the mouse position coordinate of the starting point event of mouse moving operation of extraction and endpoints, wherein each position The form of coordinate is { horizontal coordinate X, vertical coordinate Y };
2) angle theta of moving operation beginning and end line and horizontal direction is calculated, is I when θ is at -22.5 °~22.5 ° Class mouse action mode;It is II class mouse action mode when θ is at 22.5 °~67.5 °;It is III when θ is at 67.5 °~112.5 ° Class mouse action mode;It is IV class mouse action mode when θ is at 112.5 °~157.5 °;When θ at 157.5 °~180 ° or- It is V class mouse action mode at 180 °~-157.5 °;It is VI class mouse action mode when θ is at -157.5 °~-112.5 °; It is VII class mouse action mode when θ is at -112.5 °~-67.5 °;It is VIII class mouse action when θ is at -67.5 °~-22.5 ° Pattern;
For keystroke operation,
1) for the operation of current typing character, the end mark of this keystroke operation is used as using " TAB " key and mouse event Will, the division to keystroke operation is realized, it is determined that the character string keyed in;
2) behavioural characteristic of each relation between key assignments and each key in character string is extracted one by one, is identified in network user identity It is deposited into model construction comprising in the singly-bound of relationship characteristic, Macintosh Behavioral training feature database between all key assignments, key; These behavioural characteristics are formed characteristic vector to be measured by network user identity in persistently monitoring, and in training characteristics storehouse search, Match somebody with somebody, be combined into corresponding training feature vector template, wherein, each singly-bound is characterized in key time durations, each Macintosh It is characterized in transfer time between key.
The characteristic vector of the mouse action refers to the space-time geometric locus as caused by mouse movement in system webpage A series of behavior measure amounts derived, including Integral Characteristic and processing statistic, it is specific as follows:
Integral Characteristic includes:
Mouse moves X-coordinate, the Y-coordinate of starting point;
Mouse moves X-coordinate, the Y-coordinate of terminal;
The path length of mouse movement and the ratio of displacement;
The duration of mouse movement;
Processing statistic includes:
Mouse movement 30% quantile of X-direction speed, 35% quantile, 40% quantile, 45% quantile, 50% point Digit, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
Mouse movement 30% quantile of Y-direction speed, 35% quantile, 40% quantile, 45% quantile, 50% point Digit, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
Mouse movement 30% quantile of X-direction acceleration, 35% quantile, 40% quantile, 45% quantile, 50% Quantile, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
Mouse movement 30% quantile of Y-direction acceleration, 35% quantile, 40% quantile, 45% quantile, 50% Quantile, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
30% quantile of mouse motion track angle, 35% quantile, 40% quantile, 45% quantile, 50% point Digit, 55% quantile, 60% quantile, 65% quantile, 70% quantile.
The singly-bound of the keystroke operation, Macintosh characteristic vector refer between each key assignments and priority key by typing character string A series of behavior measure amounts that relation is derived, specific features are as follows:
Singly-bound:Duration average, the standard deviation of each button;
Macintosh:Transfer time average, standard deviation between each adjacent key.
The calculating characteristic vector template of the mouse action refer to every kind of mouse mode mouse movement training data in, The distance of characteristic vector other moving operation characteristic vectors into training data of each moving operation is calculated using mahalanobis distance, Form distance vector, characteristic vector template of the minimum characteristic vector of chosen distance vector mould as the operator scheme.
The calculating characteristic vector template of the keystroke operation refers to, for each keystroke operation behavior, include its typing character In string between each key assignments, key in the singly-bound of relation, Macintosh Behavioral training database, using Euclidean distance calculate each singly-bound, The distance of the characteristic vector of Macintosh other character pair vectors into training data, forms distance vector, chosen distance vector The minimum characteristic vector of mould is as characteristic vector template, and it is special to be recorded in the Behavioral training comprising each singly-bound, Macintosh feature Levy in storehouse.
The method have the advantages that:Input operation is frequent under webpage interaction scenarios, and different user is because of different lifes The factors such as reason feature, behavioural habits or job specification, easily form unique and unique operator scheme;For every kind of keystroke operation and Mouse moving operation establishes identification submodel, and judges identity based on observation window fusion, can preferably embody user's Behavioral trait, improve the fault-tolerance of authentication and identity monitoring;Compared to traditional cipher authentication method, webpage input operation The whole process of webpage interaction is carried out through user, glitch-free real time identity tracking and monitoring can be achieved, is had wider Security and applicability.
Brief description of the drawings
Below in conjunction with the accompanying drawings and embodiment is described in further detail to the present invention.
Fig. 1 is the overall procedure schematic diagram of the inventive method.
Fig. 2 is the idiographic flow schematic diagram that the data in Fig. 1 mouse and keystroke operation division unit are sorted out.
Fig. 3 is the schematic flow sheet of the distance feature vector generation in Fig. 1 mouse and keystroke behavioural characteristic extraction unit.
Fig. 4 is Fig. 1 mouse and the schematic flow sheet of the sub- identity model construction unit of keystroke.
Fig. 5 is to use the experimental result picture obtained by the inventive method.
Embodiment
Referring to Fig. 1, the network user identity monitoring method of the invention based on webpage input behavior feature, user identity is included Model construction and operator's identity persistently monitor two parts.The present invention can be used for e-banking system, e-mail system, electricity The real-time monitoring of the network system person's of logining identity legitimacy such as sub- business system, is realized to legal user profile, the safety of property Protection.Specific implementation steps are as follows:
1st, user identity model construction part comprises the steps:
(1) normally logined during Web page system interacts operation in user, gather and record user in webpage circle The mouse mobile data and keystroke operation data inputted on face, form mouse mobile behavior and keystroke needed for identity model structure Behavioral training data set;The form of mouse moving operation data is:{ mouse state, mouse position, time }, wherein, mouse-like State refers to moving mouse button down, mouse button release, mouse the label information of three kinds of states.
For the form of keystroke behavior operation data, represent that its data format of the singly-bound of single key assignments is:Key value, when Between, the Macintosh of relation its data format is between representing key:{ previous key value, this key value, time }.
(2) referring to Fig. 2, for mouse action, moved according to the different mouses concentrated to training data of mouse moving direction Dynamic operation is sorted out;For keystroke operation, returned according to the keystroke operation that TAB keys and mouse event are concentrated to training data Class, it is specially:
For mouse action,
The first step, the cursor position seat of the starting point event for extracting a mouse movement and endpoints is concentrated from training data Mark, wherein the form of each position coordinates is { horizontal coordinate X, vertical coordinate Y };
Second step, the angle theta of mouse movement beginning and end line and horizontal direction is calculated, if θ is less than more than -22.5 ° Equal to 22.5 °, then moving operation is classified as I class;If θ is more than 22.5 ° and is less than or equal to 67.5 °, moving operation is classified as II class; If θ is more than 67.5 ° and is less than or equal to 112.5 °, moving operation is classified as III class;If θ is more than 112.5 ° and is less than or equal to 157.5 °, Moving operation is then classified as IV class;If θ is more than 157.5 ° and is less than or equal to 180 ° or more than -180 ° less than or equal to -157.5 °, will Moving operation is classified as V class;If θ is more than -157.5 ° and is less than or equal to -112.5 °, moving operation is classified as VI class;If θ be more than- 112.5 ° are less than or equal to -67.5 °, then moving operation are classified as into VII class;If θ is more than -67.5 ° and is less than or equal to -22.5 °, will move Dynamic operation is classified as VIII class;If moving operation beginning and end in same position, ignores this operation;
3rd step, the mouse mobile behavior training dataset formed under different operation modes, mouse action mode include:Ⅰ Class mouse is mobile, II class mouse is mobile, III class mouse is mobile, IV class mouse is mobile, V class mouse is mobile, VI class mouse is mobile, VII class mouse moves and the movement of VIII class mouse.
For keystroke operation,
The first step, the operation for current typing character, the knot of this keystroke operation is used as using " TAB " key and mouse event Bundle flag, the division to keystroke operation is realized according to this, it is determined that the character string keyed in;
Second step, extract each relation between key assignments and each key in character string one by one, be deposited into comprising all key assignments, Between key in the singly-bound of relation, Macintosh Behavioral training database.Wherein, each singly-bound is characterized in key time durations, each Macintosh is characterized in transfer time between key.
(3) referring to Fig. 3, moved for the mouse under keystroke operation and every kind of operator scheme, extract characteristic vector and choose Characteristic vector template, the distance feature vector of each key mouse operation is obtained, is specially:
For mouse action,
The first step, the mouse action of training dataset, extraction mouse movement are moved for the mouse under every kind of operator scheme Behavioural characteristic vector, specially a series of mouse movement behaviors that caused space-time geometric locus is derived over the display are surveyed Amount amount, including Integral Characteristic and the class of processing statistic two.Wherein, Integral Characteristic is that the entirety of a moving operation is retouched State, including the X-coordinate of mouse movement starting point and Y-coordinate, the X-coordinate of mouse movement terminal and Y-coordinate, the track length of mouse movement Degree and the ratio of displacement, the duration of mouse movement;Processing statistic is that the fine granularity of a moving operation process is described, Its computational methods is to calculate the feature vector sequence of description first, including velocity series, acceleration degree series, angle sequence, then right Each feature vector sequence calculates descriptive statistics amount as processing statistic;Using to descriptive statistics amount be mainly 30% point of position Number, 35% quantile, 40% quantile, 45% quantile, 50% quantile, 55% quantile, 60% quantile, 65% point of position Number, 70% quantile;
Second step, the training number under the characteristic vector to respective operations pattern of each mouse shifting operation is calculated using horse formula distance Other mouse move the distance of operating characteristics vector in, obtain the distance vector that dimension is (S-1), and wherein S is represented in training set The number of characteristic vector.
3rd step, the mould of each distance vector is calculated, select the minimum characteristic vector of modulus value as characteristic vector template;
4th step, calculate the difference of characteristic vector template in the characteristic vector and respective operations pattern that each operate to Amount, as the distance feature vector of the operation, it is subsequently formed mouse mobile behavior training characteristics set under each operator scheme;
For keystroke operation,
The first step, each keystroke operation concentrated for the keystroke operation training data of cutting, extracts and wherein contains The characteristic vector of all singly-bounds and Macintosh that have, specially spread out by relation between each key assignments and priority key of typing character string A series of behavior measure amounts born, including the feature of multiple singly-bounds and the major class of the feature of multiple Macintosh two.Wherein, singly-bound is special Sign is the description to button behavior each time, including the character keys such as a, b ... y, z, 0,1 ... 8,9 etc. numerical keys and@, #... Deng the average and standard deviation of the key time durations of other keys.Macintosh is characterized in retouching each two button behavior precedence relationship State, including aa, ab ... ay, az, a0, a1 ... a8, a9, a@, a., a#...ba, bb ... by, bz, b0, b1 ... b8, b9, b@, b., Etc. b#... between the key in the case of all key combinations transfer time average and standard deviation.;
Second step, calculated using Euclidean distance the features of whole singly-bounds and Macintosh contained in each keystroke operation to The distance of its characteristic vector in the training data under corresponding set is measured, obtains the distance vector that dimension is (S-1), wherein S tables Show the number of characteristic vector in training set.
3rd step, the mould of each distance vector is calculated, select the minimum characteristic vector of modulus value as characteristic vector template;
4th step, calculate the characteristic vector of each singly-bound and Macintosh and the difference of the characteristic vector template in corresponding storehouse to Amount, as the distance feature of the singly-bound or Macintosh situation vector, it is subsequently formed training characteristics set corresponding with each of which;
(4) it is positive class by the training characteristics aggregated label of validated user, using one-class classifier to every kind of mouse referring to Fig. 4 The identity submodel of Move Mode (I~VIII class Move Mode) structure validated user is marked, using one-class classifier to all singly-bounds Its respective validated user identity submodel is built with Macintosh, and obtains the judging identity threshold of each identity submodel of validated user Value.
2nd, operator's identity continues monitor portion, comprises the steps:
(1) login network in user to enter the Web page during capable interaction, capture mouse, the keystroke operation of active user, Observation window using length as N forms the input operation data block comprising the movement of user's mouse and keystroke behavior and (wrapped in data block Make containing key or mouse action is N number of altogether);
(2) each mouse moving operation being directed in operation data block, sorts out according to moving direction to it, and extraction is special Sign vector, the characteristic vector template of the respective operations pattern obtained when being built with identity model carry out distance metric, obtain the mouse Mark the distance feature vector of operation.For each keystroke operation in operation data block, according to foregoing user identity model construction After the method division of part steps 2, the combination of eigenvectors for extracting each singly-bound and Macintosh describes the keystroke into one The complete characterization vector of operation.The characteristic vector of all identical singly-bounds and Macintosh is equally searched out in training characteristics storehouse, It is combined into the characteristic vector template corresponding with this keystroke operation.Distance metric is carried out, the distance for obtaining the keystroke operation is special Sign vector.
(3) for the movement of each mouse and keystroke operation, using its distance feature vector as the defeated of corresponding sub- identity model Enter (if for example, mouse action is classified as the movement of II class, corresponding identity submodel is the class mobility model of mouse II), obtain The detected value of this operation;
(4) each operation being directed in key mouse operating block, the decision threshold ε by its detected value with corresponding identity submodel (ε numerical value is according to model and different) are compared, if detected value is more than threshold value, judge the operation for abnormal operation;If inspection Measured value is less than threshold value, then judges the operation for normal operating;
(5) the lasting monitoring of current user identities legitimacy:If continuous monitoring is grasped to M exception in the operation of n times key mouse Make, wherein, M is less than or equal to N, then judges that active user is disabled user;It is on the contrary then judge active user be validated user, wherein M is alarm threshold value, can be by user's sets itself.
The present invention is persistently monitored with the user identity of self-built simulation Internet bank system and has carried out experimental verification for embodiment, Comprise the following steps that:
The first step, the generation of training data.14 users of requirement of experiment adhere to several weeks under hardware environment different from each other Analog network banking system is logined, completes remittance of transferring accounts, the function of inquiry into balance of simulation, gathering and record these users is being Keystroke behavior on web interface and mouse behavioral data in system, then these are counted according to keystroke, mouse behavior division rule According to being sorted out, keystroke, the training data of mouse different operation modes are obtained.
Second step, generation distance feature vector.For each user, the characteristic vector under every kind of operator scheme and spy are extracted Vector template is levied, then generates the training characteristics database that mouse moves under all singly-bounds, Macintosh and every kind of operator scheme.
3rd step, user identity model construction.For each user, by the training characteristics data markers of the user for just Class, the sub- identity model using nearest-neighbors method (mahalanobis distance) to every kind of mouse moving operation mode construction validated user, is adopted The sub- identity model of validated user is built to each keystroke operation with Outlier-counting methods, and utilizes training characteristics data Model is learnt.
4th step, the generation of test data.It is caused after the certain number of its login system for each user Key mouse behaviour's behavioral data will not be taken as training data, but record as follow-up test data.
5th step, the lasting monitoring of user identity legitimacy.A certain user is selected as validated user, using length as N's Observation window forms the input operation data block moved comprising keystroke and mouse, for each of which bar test sample, generation Distance feature vector, finds the sub- identity model of its respective operations in validated user identity model, and distance feature vector is defeated Enter the model, obtain the detected value to each test sample, by detected value compared with threshold epsilon, if detected value is less than threshold epsilon, Judge the operation for abnormal operation;Conversely, then judge the operation for normal operating;If continuous monitoring is to super in the operation of n times M abnormal operation (M is less than N) is crossed, then judges that active user is disabled user.
6th step, select remaining users to be used as validated user successively, repeat the process of above-mentioned 5th step, obtain all users Lasting monitored results.
For all users, test the inventive method carries out continuing monitoring in analog network banking system to user identity The degree of accuracy.Fig. 5 is the error rate (equal-error such as what identity in simulation system of the embodiment of the present invention persistently monitored Rate) result, the vertical line in figure on each point illustrate the variance in the inferior error rate of this observed length.
The present invention is can be seen that from Fig. 5 experimental result accurately and quickly to enter the identity of current network user Row lasting monitoring and detection.When the size of observation window is 3 (every 3 operations carry out an identity legitimacy detection), The error rate such as what identity persistently monitored is 3.68%;When the size of observation window is 5, (every 5 operations carry out an identity Legitimacy detects), the error rate such as what identity persistently monitored is 0.85%.The feasibility of the result verification present invention and effectively Property, show that the inventive method can be used as a kind of efficient network user identity safety protection technique.

Claims (6)

1. a kind of network user identity monitoring method based on webpage input behavior feature, it is characterised in that including the network user Identification model construction and network user identity persistently monitor two large divisions:
Wherein, the first step, network user identity identification model structure comprise the steps:
(1) normally logined during Web page system interacts operation in validated user, gather and record user in webpage circle The mouse action data and keystroke operation data inputted on face, form user's mouse, the raw data set of keystroke behavior;
(2) division of operation behavior:For mouse action, beginning and end line and positive horizontal folder are slided according to mouse pointer The mouse action that angle θ concentrates to initial data is sorted out, wherein, for θ since -22.5 °, every 45 ° of orders counterclockwise are divided into I ~VIII eight kinds of class mouse action mode, form I~VIII class mouse mobile behavior training dataset;For keystroke operation, with line feed The end mark of " TAB " key and mouse event as keystroke operation is accorded with, division keystroke operation is the character sequence that multiple length do not wait Row;
(3) extraction of operation behavior characteristic vector:For different mouse action modes, extract characteristic vector and calculate characteristic vector Template, characteristic vector template and the mouse action characteristic vector of extraction are subjected to similarity measurement, obtain each mouse action Distance feature vector;The training characteristics set formed under every kind of mouse action mode;For keystroke operation:1. according to each character Character contained by sequence and character precedence relationship, extract the characteristic vector of corresponding button;2. being directed to each singly-bound and Macintosh, count Keystroke operation characteristic vector template is calculated, wherein, Macintosh relation between the priority key of two singly-bounds;3. by this feature vector mould The characteristic vector of plate and each keystroke operation carries out similarity measurement, forms the Behavioral training comprising each singly-bound and Macintosh feature Characteristic set;
For mouse action,
(3.1.1), the mouse action of training dataset is moved for the mouse under every kind of operator scheme, extract mouse mobile behavior Characteristic vector, specially mouse movement a series of behavior measures that caused space-time geometric locus is derived over the display Amount, including Integral Characteristic and the class of processing statistic two;Wherein, Integral Characteristic is the whole description to a moving operation, The X-coordinate and Y-coordinate, the path length of mouse movement of X-coordinate and Y-coordinate, mouse movement terminal including mouse movement starting point Ratio, the duration of mouse movement with displacement;Processing statistic is that the fine granularity of a moving operation process is described, its Computational methods are to calculate the feature vector sequence of description first, including velocity series, acceleration degree series, angle sequence, then to every Individual feature vector sequence calculates descriptive statistics amount as processing statistic;Using to descriptive statistics amount be mainly 30% point of position Number, 35% quantile, 40% quantile, 45% quantile, 50% quantile, 55% quantile, 60% quantile, 65% point of position Number, 70% quantile;
(3.1.2), the training data under the characteristic vector to respective operations pattern of each mouse shifting operation is calculated using horse formula distance In other mouse move the distance of operating characteristicses vector, obtain the distance vector that dimension is (S-1), wherein S represents special in training set Levy the number of vector;
(3.1.3), the mould of each distance vector is calculated, select the minimum characteristic vector of modulus value as characteristic vector template;
(3.1.4), the difference value vector of the characteristic vector template in the characteristic vector and respective operations pattern each operated is calculated, made For the distance feature vector of the operation, mouse mobile behavior training characteristics set under each operator scheme is subsequently formed;
For keystroke operation,
(3.2.1), each keystroke operation concentrated for the keystroke operation training data of cutting, extracts what is wherein contained The characteristic vector of all singly-bounds and Macintosh, specially derived by relation between each key assignments and priority key of typing character string A series of behavior measure amounts, including the feature of multiple singly-bounds and the major class of the feature of multiple Macintosh two;Wherein, singly-bound is characterized in Description to button behavior each time, including the character keys such as a, b ... y, z, 0,1 ... 8,9 etc. numerical keys and@, #... etc. its The average and standard deviation of the key time durations of his key;Macintosh is characterized in the description to each two button behavior precedence relationship, Including aa, ab ... ay, az, a0, a1 ... a8, a9, a@, a., a#...ba, bb ... by, bz, b0, b1 ... b8, b9, b@, b., Etc. b#... between the key in the case of all key combinations transfer time average and standard deviation;
The characteristic vector that (3.2.2) calculates whole singly-bounds and Macintosh contained in each keystroke operation using Euclidean distance arrives The distance of its characteristic vector in training data under corresponding set, obtains the distance vector that dimension is (S-1), and wherein S represents instruction Practice the number of characteristic vector in set;
(3.2.3), the mould of each distance vector is calculated, select the minimum characteristic vector of modulus value as characteristic vector template;
(3.2.4), the characteristic vector of each singly-bound and Macintosh and the difference value vector of the characteristic vector template in corresponding storehouse are calculated, As the distance feature of the singly-bound or Macintosh situation vector, training characteristics set corresponding with each of which is subsequently formed;
(4) it is positive class by the key mouse training characteristics aggregated label of validated user, using one-class classifier to every kind of mouse action mould The identity model of formula and each keystroke operation structure validated user, and obtain various mouse action modes and each keystroke operation pair The judging identity threshold value for the validated user answered;Accordingly, validated user identity model includes at least eight identity submodels;
Second step, network user identity, which persistently monitors, to be comprised the steps:
(1) after user logins Web page system, observation window of the webpage using length as N starts to capture user's mouse action and keystroke behaviour Make behavior, the observation window is the user's webpage input operand comprising mouse and the common N number of operation of keystroke collected according to block;
(2) mouse action is directed to, it is sorted out according to moving direction, mouse action characteristic vector is extracted, with identity model The characteristic vector template of the respective operations pattern obtained during structure is entered row distance and compared, obtain the distance feature of mouse action to Amount;For keystroke operation, relation between each key assignments and key that are included according to it, keystroke operation characteristic vector is extracted, while from body Extracted in the feature database comprising each singly-bound and Macintosh obtained during part model construction, characteristic vector template corresponding to combination, Distance metric is carried out, obtains the distance feature vector of keystroke operation;
(3) each mouse action and keystroke operation being directed in webpage input operation data block, by obtained distance feature vector As the input of identity submodel corresponding to the operation, the detected value of each operation is obtained, and by the detected value and corresponding body The decision threshold of one's share of expenses for a joint undertaking model is compared, and judges the abnormality operated every time;
(4) current user identities legitimacy is judged:If continuous monitoring is to M abnormal operation in n times behavior operation, Judge that active user is disabled user;It is on the contrary then judge active user be validated user, wherein, M is less than or equal to N;
The data format of the mouse action is:{ mouse state, mouse position, time };Wherein, mouse state is referred to mouse Mark key is pressed, mouse button discharges, the label information of mouse three kinds of states of movement;The data format of the keystroke operation, represent single The singly-bound data format of individual key assignments is:{ key value, time };The Macintosh data format of relation is between expression key:{ previous button Value, this key value, time }.
2. the network user identity monitoring method as claimed in claim 1 based on webpage input behavior feature, it is characterised in that The operation behavior division concretely comprises the following steps:
For mouse action,
1) the mouse position coordinate of the starting point event of mouse moving operation of extraction and endpoints, wherein each position coordinates Form be { horizontal coordinate X, vertical coordinate Y };
2) angle theta of moving operation beginning and end line and horizontal direction is calculated, is I class mouse when θ is at -22.5 °~22.5 ° Mark operator scheme;It is II class mouse action mode when θ is at 22.5 °~67.5 °;It is III class mouse when θ is at 67.5 °~112.5 ° Mark operator scheme;It is IV class mouse action mode when θ is at 112.5 °~157.5 °;When θ is at 157.5 °~180 ° or -180 ° It is V class mouse action mode at~-157.5 °;It is VI class mouse action mode when θ is at -157.5 °~-112.5 °;Work as θ It is VII class mouse action mode at -112.5 °~-67.5 °;It is VIII class mouse action mould when θ is at -67.5 °~-22.5 ° Formula;
For keystroke operation,
1) it is real using " TAB " key and mouse event as the end mark of this keystroke operation for the operation of current typing character Now to the division of keystroke operation, it is determined that the character string keyed in;
2) behavioural characteristic of each relation between key assignments and each key in character string is extracted one by one, in network user identity identification model It is deposited into structure comprising in the singly-bound of relationship characteristic, Macintosh Behavioral training feature database between all key assignments, key;In network These behavioural characteristics are formed characteristic vector to be measured by user identity in persistently monitoring, and are searched for, matched, group in training characteristics storehouse Training feature vector template corresponding to synthesis, wherein, each singly-bound is characterized in key time durations, the feature of each Macintosh It is transfer time between key.
3. the network user identity monitoring method as claimed in claim 1 based on webpage input behavior feature, it is characterised in that The characteristic vector of the mouse action refers to that the space-time geometric locus as caused by mouse movement in system webpage is derived A series of behavior measure amounts, including Integral Characteristic and processing statistic are specific as follows:
Integral Characteristic includes:
Mouse moves X-coordinate, the Y-coordinate of starting point;
Mouse moves X-coordinate, the Y-coordinate of terminal;
The path length of mouse movement and the ratio of displacement;
The duration of mouse movement;
Processing statistic includes:
30% quantile of mouse movement X-direction speed, 35% quantile, 40% quantile, 45% quantile, 50% point of position Number, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
30% quantile of mouse movement Y-direction speed, 35% quantile, 40% quantile, 45% quantile, 50% point of position Number, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
30% quantile of mouse movement X-direction acceleration, 35% quantile, 40% quantile, 45% quantile, 50% point of position Number, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
30% quantile of mouse movement Y-direction acceleration, 35% quantile, 40% quantile, 45% quantile, 50% point of position Number, 55% quantile, 60% quantile, 65% quantile, 70% quantile;
30% quantile of mouse move angle, 35% quantile, 40% quantile, 45% quantile, 50% quantile, 55% Quantile, 60% quantile, 65% quantile, 70% quantile.
4. the network user identity monitoring method as claimed in claim 1 based on webpage input behavior feature, it is characterised in that The singly-bound of the keystroke operation, Macintosh characteristic vector refer to that relation is spread out between each key assignments and priority key by typing character string A series of behavior measure amounts born, specific features are as follows:
Singly-bound:Duration average, the standard deviation of each button;
Macintosh:Transfer time average, standard deviation between each adjacent key.
5. the network user identity monitoring method as claimed in claim 1 based on webpage input behavior feature, the mouse behaviour The calculating characteristic vector template of work refers in the mouse movement training data of every kind of mouse mode, is calculated using mahalanobis distance every The distance of the characteristic vector of individual moving operation other moving operation characteristic vectors into training data, form distance vector, selection Characteristic vector template of the minimum characteristic vector of distance vector mould as the operator scheme.
6. the network user identity monitoring method as claimed in claim 1 based on webpage input behavior feature, the keystroke behaviour The calculating characteristic vector template of work refers to for each keystroke operation behavior, comprising in its typing character string between each key assignments, key In the singly-bound of relation, Macintosh Behavioral training database, each singly-bound is calculated using Euclidean distance, the characteristic vector of Macintosh arrives The distance of other character pair vectors in training data, forms distance vector, and the minimum characteristic vector of chosen distance vector mould is made Be characterized vector template, and be recorded in comprising each singly-bound, Macintosh feature Behavioral training feature database in.
CN201510214216.2A 2015-04-29 2015-04-29 Network user identity monitoring method based on webpage input behavior feature Active CN104809377B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510214216.2A CN104809377B (en) 2015-04-29 2015-04-29 Network user identity monitoring method based on webpage input behavior feature

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510214216.2A CN104809377B (en) 2015-04-29 2015-04-29 Network user identity monitoring method based on webpage input behavior feature

Publications (2)

Publication Number Publication Date
CN104809377A CN104809377A (en) 2015-07-29
CN104809377B true CN104809377B (en) 2018-01-05

Family

ID=53694193

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510214216.2A Active CN104809377B (en) 2015-04-29 2015-04-29 Network user identity monitoring method based on webpage input behavior feature

Country Status (1)

Country Link
CN (1) CN104809377B (en)

Families Citing this family (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105933267A (en) * 2015-08-21 2016-09-07 ***股份有限公司 Identity authentication method and device
CN105429937B (en) * 2015-10-22 2018-07-06 同济大学 Identity identifying method and system based on keystroke behavior
RU2626337C1 (en) * 2016-02-18 2017-07-26 Акционерное общество "Лаборатория Касперского" Method of detecting fraudulent activity on user device
CN107194213B (en) * 2016-03-14 2020-03-27 阿里巴巴集团控股有限公司 Identity recognition method and device
CN106039711B (en) * 2016-05-17 2019-05-14 网易(杭州)网络有限公司 A kind of method for authenticating user identity and device
CN106911668B (en) * 2017-01-10 2020-07-14 同济大学 Identity authentication method and system based on user behavior model
CN107124395B (en) * 2017-03-16 2020-08-07 华北电力大学 Identification method of user identity identification system based on keystroke rhythm
CN107230084B (en) * 2017-05-03 2020-12-29 同济大学 Big data-based user behavior authentication method and system
CN107368718B (en) * 2017-07-06 2022-08-16 同济大学 User browsing behavior authentication method and system
CN107623715B (en) * 2017-08-08 2020-06-09 阿里巴巴集团控股有限公司 Identity information acquisition method and device
CN108229567B (en) * 2018-01-09 2021-06-15 荣联科技集团股份有限公司 Driver identity recognition method and device
CN108200450B (en) * 2018-01-12 2019-11-15 武汉斗鱼网络科技有限公司 A kind of determination method, apparatus, electronic equipment and medium for paying close attention to legitimacy
CN109063431B (en) * 2018-06-21 2021-10-22 西安理工大学 User identity recognition method for weighting keystroke characteristic curve difference degree
CN109446780B (en) * 2018-11-01 2020-11-27 北京知道创宇信息技术股份有限公司 Identity authentication method, device and storage medium thereof
US11630896B1 (en) * 2019-03-07 2023-04-18 Educational Testing Service Behavior-based electronic essay assessment fraud detection
CN110287664A (en) * 2019-07-01 2019-09-27 贵州大学 A kind of identity identifying method being characterized selection based on multirow
CN111124860B (en) * 2019-12-16 2021-04-27 电子科技大学 Method for identifying user by using keyboard and mouse data in uncontrollable environment
CN111625789B (en) * 2020-04-07 2023-04-07 北京工业大学 User identification method based on multi-core learning fusion of mouse and keyboard behavior characteristics
CN111209552A (en) * 2020-04-20 2020-05-29 国网电子商务有限公司 Identity authentication method and device based on user behaviors
CN112580004A (en) * 2020-12-23 2021-03-30 北京通付盾人工智能技术有限公司 Webpage end user behavior acquisition method and system based on biological probe technology
CN113158152A (en) * 2021-05-13 2021-07-23 广西科技师范学院 Computer intelligent auxiliary system based on behavior analysis
CN116418587B (en) * 2023-04-19 2024-04-30 中国电子科技集团公司第三十研究所 Data cross-domain switching behavior audit trail method and data cross-domain switching system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101833619A (en) * 2010-04-29 2010-09-15 西安交通大学 Method for judging identity based on keyboard-mouse crossed certification
CN103530540A (en) * 2013-09-27 2014-01-22 西安交通大学 User identity attribute detection method based on man-machine interaction behavior characteristics
CN104239761A (en) * 2014-09-15 2014-12-24 西安交通大学 Continuous identity authentication method based on touch screen slip behavior characteristics

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012073233A1 (en) * 2010-11-29 2012-06-07 Biocatch Ltd. Method and device for confirming computer end-user identity

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101833619A (en) * 2010-04-29 2010-09-15 西安交通大学 Method for judging identity based on keyboard-mouse crossed certification
CN103530540A (en) * 2013-09-27 2014-01-22 西安交通大学 User identity attribute detection method based on man-machine interaction behavior characteristics
CN104239761A (en) * 2014-09-15 2014-12-24 西安交通大学 Continuous identity authentication method based on touch screen slip behavior characteristics

Also Published As

Publication number Publication date
CN104809377A (en) 2015-07-29

Similar Documents

Publication Publication Date Title
CN104809377B (en) Network user identity monitoring method based on webpage input behavior feature
CN104239761B (en) The identity for sliding behavioural characteristic based on touch screen continues authentication method
Buschek et al. Improving accuracy, applicability and usability of keystroke biometrics on mobile touchscreen devices
Antal et al. Information revealed from scrolling interactions on mobile devices
CN104408341B (en) Smart phone user identity identifying method based on gyroscope behavioural characteristic
US10467394B2 (en) Pointing device biometrics for continuous user authentication
WO2019153604A1 (en) Device and method for creating human/machine identification model, and computer readable storage medium
CN103530540B (en) User identity attribute detection method based on man-machine interaction behavior characteristics
Mondal et al. Continuous authentication using mouse dynamics
Antal et al. An evaluation of one-class and two-class classification algorithms for keystroke dynamics authentication on mobile devices
CN105389486B (en) A kind of authentication method based on mouse behavior
CN108549806A (en) The identity identifying method of behavior is slided and clicked based on user
Rahman et al. Making impostor pass rates meaningless: A case of snoop-forge-replay attack on continuous cyber-behavioral verification with keystrokes
Lin et al. A new non-intrusive authentication approach for data protection based on mouse dynamics
Xu et al. Challenge-response authentication using in-air handwriting style verification
Van Nguyen et al. Finger-drawn pin authentication on touch devices
Shen et al. MouseIdentity: Modeling mouse-interaction behavior for a user verification system
CN107153780A (en) The writing behavioural characteristic authentication method of electronic equipment is dressed based on wrist
Siirtola et al. Effect of context in swipe gesture-based continuous authentication on smartphones
CN102324007A (en) Method for detecting abnormality based on data mining
Kratky et al. Recognition of web users with the aid of biometric user model
CN107430653B (en) Method for identifying an interaction signature of a user
EP2490149A1 (en) System for verifying user identity via mouse dynamics
Alpar Biometric touchstroke authentication by fuzzy proximity of touch locations
CN111124860B (en) Method for identifying user by using keyboard and mouse data in uncontrollable environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant