CN112184241A - Identity authentication method and device - Google Patents

Identity authentication method and device Download PDF

Info

Publication number
CN112184241A
CN112184241A CN202011036200.4A CN202011036200A CN112184241A CN 112184241 A CN112184241 A CN 112184241A CN 202011036200 A CN202011036200 A CN 202011036200A CN 112184241 A CN112184241 A CN 112184241A
Authority
CN
China
Prior art keywords
data
application
training
user
equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011036200.4A
Other languages
Chinese (zh)
Other versions
CN112184241B (en
Inventor
门小骅
柴洪峰
孙权
才华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Unionpay Co Ltd filed Critical China Unionpay Co Ltd
Priority to CN202011036200.4A priority Critical patent/CN112184241B/en
Publication of CN112184241A publication Critical patent/CN112184241A/en
Application granted granted Critical
Publication of CN112184241B publication Critical patent/CN112184241B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4016Transaction verification involving fraud or risk level assessment in transaction processing
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Accounting & Taxation (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Business, Economics & Management (AREA)
  • Software Systems (AREA)
  • Strategic Management (AREA)
  • Finance (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses an identity authentication method and device, wherein the method comprises the steps that a server obtains equipment data and operation behavior data which are sent by equipment of a user to be identified and are used for operating the equipment, the first training model is used for analyzing the equipment data to determine a first risk value of the user to be identified, a second training model is used for analyzing the operation behavior data to determine a second risk value of the user to be identified, if the first risk value is larger than a first threshold value and the second risk value is larger than a second threshold value, the user to be identified is determined to be an abnormal user, and a determination result is sent to the equipment of the abnormal user. The device data and the operation behavior data of the user to be recognized are comprehensively recognized through the first training model and the second training model which are obtained through different training sets, and compared with the mode that the user behavior risk is mainly analyzed through the sensor data of the device to recognize legal users in the prior art, the device data and the operation behavior data can be combined to be recognized, and the recognition accuracy is improved.

Description

Identity authentication method and device
Technical Field
The invention relates to the technical field of payment security, in particular to an identity authentication method and device.
Background
The effective authentication of the legal user is always the key point of the enterprise attention for providing payment products and services, and under the development trend that more and more products are shifted from a PC (personal computer) end to a mobile end, the risk of automatic attack and embezzlement of lawless persons at a mobile phone end is prevented and controlled, and the product is ensured to really provide services for the legal user. At present, enterprises generally use sensor data to build a risk model for analyzing user behaviors to identify legal users; however, in recent years, new tools capable of simulating sensor changes to some extent have been emerging, which has made it difficult for enterprises to accurately identify legitimate users using only a single sensor data.
Disclosure of Invention
The embodiment of the invention provides an identity authentication method and device, which are used for improving the accuracy and efficiency of identifying a legal user on the premise of acquiring less user privacy data.
In a first aspect, an embodiment of the present invention provides an identity authentication method, including:
the method comprises the steps that a server obtains device data and operation behavior data which are sent by a device of a user to be identified and are used for operating the device;
the server analyzes the equipment data by using a first training model, and determines a first risk value of the user to be identified; the first training model is obtained by training and learning by using a training set marked with device data with application functions;
the server analyzes the operation behavior data by using a second training model to determine a second risk value of the user to be identified; the second training model is obtained by training and learning by using a training set marked with operation behavior data of application functions and time sequences;
if the first risk value is larger than a first threshold value and the second risk value is larger than a second threshold value, the server determines that the user to be identified is an abnormal user and sends a determination result to equipment of the abnormal user, so that the equipment of the abnormal user sends out alarm prompt information.
In the technical scheme, the device data and the operation behavior data of the user to be recognized are comprehensively recognized through the first training model and the second training model which are obtained by using different training sets respectively, and compared with a mode that the user behavior risk is analyzed through the sensor data of the device to recognize a legal user in the prior art, the device data and the operation behavior data can be combined to be recognized, and the recognition accuracy is improved.
Optionally, the obtaining, by the server, the first training model by training and learning using a training set of device data labeled with an application function includes:
the server acquires a training set of equipment data marked with application functions;
the server clusters the application functions of the device data in the training set according to the operation positions of the application functions to obtain device data sets of the application functions of various categories;
the server carries out noise reduction processing on the equipment data in the equipment data set of each type of application function through a complementary filter model, and determines a group of attitude angle data of any type of application function in the same operation time window;
the server analyzes multiple groups of attitude angle data of any category of application functions to determine characteristic data corresponding to the equipment data of each category of application functions;
and the server inputs the characteristic data corresponding to the equipment data of the category application function into a preset classification model for training and learning until the preset classification model is converged to obtain the first training model.
Optionally, the analyzing, by the server, the multiple groups of attitude angle data of any category of application function to determine feature data corresponding to the device data of each category of application function includes:
aiming at any one category of application function in the various categories of application functions, the server calculates the accumulated distance sum of any one group of attitude angle data and other groups of attitude angle data in the multiple groups of attitude angle data of any one category of application function; determining a set of attitude angle data with a smallest accumulated distance sum as a reference vector of the device data of any one category of application; calculating the distance between each group of attitude angle data and the reference vector to obtain a distance characteristic value; extracting variation variance of each group of attitude angle data, a ratio of time from a starting point to an extreme point to time from the extreme point to a terminal point and an angle difference ratio in a statistical analysis mode;
the server determines the reference vector, the distance characteristic value, the variance, the ratio and the angle difference ratio as characteristic data corresponding to the equipment data of any one category of application function.
Optionally, the server performs training learning by using a training set labeled with application functions and time sequence operation behavior data to obtain the second training model, where the training set includes:
the server acquires a training set marked with operation behavior data of application functions and time sequences;
the server analyzes the training set marked with the application function and the time sequence of the operation behavior data by using a sequence pattern mining algorithm to determine frequent operation behavior data meeting a support degree threshold;
and the server inputs the frequently-operated behavior data meeting the support degree threshold value into a preset logistic regression model for training and learning until the preset logistic regression model is converged to obtain the second training model.
Optionally, the method further includes:
when the server determines that the user to be identified carries out payment operation, marking device data corresponding to the application carrying out the payment operation;
the server monitors the flow direction of the marked equipment data within a preset time period;
and if the marked equipment data continuously flows to a first application within a preset time period for a preset time, the server adds the first application into a blacklist and sends an alarm prompt message of the first application to the user.
In a second aspect, an embodiment of the present invention provides an identity authentication apparatus, including:
the device comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring device data and operation behavior data which are sent by the device of a user to be identified and are used when the device is operated;
the processing unit is used for analyzing the equipment data by using a first training model and determining a first risk value of the user to be identified; the first training model is obtained by training and learning by using a training set marked with device data with application functions; analyzing the operation behavior data by using a second training model, and determining a second risk value of the user to be identified; the second training model is obtained by training and learning by using a training set marked with operation behavior data of application functions and time sequences; and if the first risk value is greater than a first threshold value and the second risk value is greater than a second threshold value, determining that the user to be identified is an abnormal user, and sending a determination result to the equipment of the abnormal user, so that the equipment of the abnormal user sends out alarm prompt information.
Optionally, the processing unit is specifically configured to:
acquiring a training set of device data marked with application functions;
clustering the application functions of the equipment data in the training set according to the operation positions of the application functions to obtain equipment data sets of the application functions of various categories;
carrying out noise reduction processing on equipment data in equipment data sets of various types of application functions through a complementary filter model, and determining a group of attitude angle data of any type of application function in the same operation time window;
analyzing a plurality of groups of attitude angle data of any category of application functions to determine characteristic data corresponding to the equipment data of each category of application functions;
and inputting the characteristic data corresponding to the equipment data of the category application function into a preset classification model for training and learning until the preset classification model is converged to obtain the first training model.
Optionally, the processing unit is specifically configured to:
calculating the cumulative distance sum of any group of attitude angle data and other groups of attitude angle data in multiple groups of attitude angle data of any type of application function aiming at any type of application function in the various types of application functions; determining a set of attitude angle data with a smallest accumulated distance sum as a reference vector of the device data of any one category of application; calculating the distance between each group of attitude angle data and the reference vector to obtain a distance characteristic value; extracting variation variance of each group of attitude angle data, a ratio of time from a starting point to an extreme point to time from the extreme point to a terminal point and an angle difference ratio in a statistical analysis mode;
and determining the reference vector, the distance characteristic value, the variance, the ratio and the angle difference ratio as characteristic data corresponding to the equipment data of any one category of application function.
Optionally, the processing unit is specifically configured to:
acquiring a training set marked with operation behavior data of application functions and time sequences;
analyzing the training set marked with the operation behavior data with the application function and the time sequence by using a sequence pattern mining algorithm, and determining frequent operation behavior data meeting a support degree threshold;
and inputting the frequent operation behavior data meeting the support degree threshold value into a preset logistic regression model for training and learning until the preset logistic regression model is converged to obtain the second training model.
Optionally, the processing unit is further configured to:
when the payment operation of the user to be identified is determined, marking device data corresponding to the application performing the payment operation;
monitoring the flow direction of the marked equipment data in a preset time period;
and if the marked equipment data continuously flows to a first application within a preset time period for a preset time, adding the first application into a blacklist, and sending an alarm prompt message of the first application to the user.
In a third aspect, an embodiment of the present invention further provides a computing device, including:
a memory for storing program instructions;
and the processor is used for calling the program instruction stored in the memory and executing the identity authentication method according to the obtained program.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable non-volatile storage medium, which includes computer-readable instructions, and when the computer-readable instructions are read and executed by a computer, the computer is caused to execute the above-mentioned identity authentication method.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of a system architecture according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating an identity authentication method according to an embodiment of the present invention;
FIG. 3 is a diagram of a classifier according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of an identity authentication method according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an identity authentication apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a system architecture provided in an embodiment of the present invention. As shown in fig. 1, the system architecture may be a server 100, and the server 100 may include a processor 110, a communication interface 120, and a memory 130.
The communication interface 120 is used for communicating with a terminal device, and transceiving information transmitted by the terminal device to implement communication.
The processor 110 is a control center of the server 100, connects various parts of the entire server 100 using various interfaces and lines, performs various functions of the server 100 and processes data by running or executing software programs and/or modules stored in the memory 130 and calling data stored in the memory 130. Alternatively, processor 110 may include one or more processing units.
The memory 130 may be used to store software programs and modules, and the processor 110 executes various functional applications and data processing by operating the software programs and modules stored in the memory 130. The memory 130 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to a business process, and the like. Further, the memory 130 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
It should be noted that the structure shown in fig. 1 is only an example, and the embodiment of the present invention is not limited thereto.
Based on the above description, fig. 2 shows in detail a flow of a method for identity authentication according to an embodiment of the present invention, where the flow may be performed by a device of the method for identity authentication, and the device may be the server or be located in the server.
As shown in fig. 2, the process specifically includes:
in step 201, a server obtains device data and operation behavior data when operating a device, which are sent by a device of a user to be identified.
In the embodiment of the invention, when the user to be identified operates the application on the own device, the device data and the operation behavior data when the user operates the device can be sent to the server. The server may be a cloud server.
The device data may be sensor data such as accelerometer data, gyroscope data, etc. while operating the application. The behavior data may be a series of behaviors for different function modules or menus when operating the application, such as behaviors of clicking my account, registering/logging in, viewing account information, and the like.
Step 202, the server analyzes the device data by using a first training model, and determines a first risk value of the user to be identified.
Before analyzing the device data by using the first training model, the first training model is obtained by training and learning by using a training set of the device data marked with the application function. Specifically, a training set of device data labeled with application functions may be obtained first. And clustering the application functions of the device data in the training set according to the operation positions of the application functions to obtain a device data set of the application functions of each category. And then, carrying out noise reduction on the equipment data in the equipment data set of each type of application function through a complementary filter model, and determining a group of attitude angle data of any type of application function in the same operation time window. And analyzing the multiple groups of attitude angle data of any type of application function to determine characteristic data corresponding to the equipment data of each type of application function. And finally, inputting the characteristic data corresponding to the equipment data with the category application function into a preset classification model for training and learning until the preset classification model is converged to obtain a first training model. The first training model may be a classifier or other neural network model that enables classification. The operation position may be an operation position on a display interface of the terminal device, for example, a position where a user clicks or slides on the display interface when operating a certain application function on the display interface of the mobile phone. The training set of device data tagged with application functionality may be device data within a selected time period.
When determining the feature data, the sum of the accumulated distances between any one of the multiple sets of attitude angle data of any one of the application functions and the other sets of attitude angle data may be calculated for any one of the application functions, and the set of attitude angle data with the smallest sum of the accumulated distances is determined as the reference vector of the device data of any one of the applications. And calculating the distance between each group of attitude angle data and the reference vector to obtain a distance characteristic value. And extracting variation variance of each group of attitude angle data, a ratio of time from the starting point to the extreme point to time from the extreme point to the end point and an angle difference ratio in a statistical analysis mode. And then determining the reference vector, the distance characteristic value, the variance, the ratio and the angle difference ratio as characteristic data corresponding to the equipment data of any category of application functions. When the attitude angle data are analyzed, a dynamic time warping method can be used for analyzing a plurality of groups of attitude angle data.
For example, after the training set is obtained, the data range to be analyzed needs to be defined reasonably, so as to improve the modeling efficiency and avoid unnecessary resource waste. Note that the change in the sensor caused by operating a function on the handset application is essentially determined by the location of the application function on the handset. When the application functions at different positions are operated, the sensor data are changed according to different rules. The conventional key sprites or group control equipment can only simulate random disturbance of a mobile phone in any operation, and the rule that different application functions generate specific disturbance is not considered. The embodiment of the invention considers the regularity, firstly clusters the application functions with similar positions, and then uniformly collects and analyzes the corresponding equipment data according to the application function categories.
The classifier can then be built using the device data. As shown in FIG. 3, the data of the accelerometer and gyroscope within the time window matching the operation of a certain function is first denoised by a complementary filter model, and the processed gyroscope angle θ is then processedgAnd accelerometer angle θaThe attitude angle θ (equation (1)) is calculated in combination, resulting in a set of attitude angle data within the time window resulting from a certain type of operation.
Figure BDA0002705160540000081
Wherein d istτ is the filter time constant for the filter sampling frequency.
And analyzing n groups of attitude angle records of the same type of functional operation in the training set. Before further analysis, the training set data is normalized by means of a reference vector. Because different users have different speeds when operating the functions of the mobile phone, a Dynamic Time Warping (DTW) method is adopted to find the reference vector and calculate the distance between two groups of attitude angle data. Specifically, for two sets of attitude angle data r (n) and t (m), the DTW calculates the cumulative distance sum of the two sets of attitude angle data according to equation (2) to find the optimal path.
D=min∑d(T(in),R(im)) (2)
And calculating the cumulative distance sum of each group of attitude angle data and other n-1 groups of attitude angle data by using DTW, taking the group of attitude angle data with the minimum distance sum as a reference vector [1] when the function operates, and then calculating the distance between each group of attitude angle data and the reference vector to obtain a distance characteristic value [2 ]. In addition, the variance [3] of each group of attitude angles, the time ratio [4] from the starting point to the extreme point to the time ratio [5] from the extreme point to the end point and the angle difference ratio [5] are extracted in a statistical analysis mode, and [1] and [5] are jointly used as feature data of a training classifier.
And constructing a classifier of a legal/illegal user under corresponding operation by Ensemble Learning (EL) by using the characteristic data, namely performing training Learning until the model converges.
Step 203, the server analyzes the operation behavior data by using a second training model, and determines a second risk value of the user to be identified.
Before analyzing the device data by using the second training model, the second training model is obtained by training and learning by using the training set marked with the operation behavior data of the application function and the time sequence. Specifically, a training set of operation behavior data labeled with application functions and timing is acquired first. And then analyzing the training set marked with the application function and the operation behavior data of the time sequence by using a sequence pattern mining algorithm, and determining the frequent operation behavior data meeting the support degree threshold. And finally, inputting the frequent operation behavior data meeting the support degree threshold value into a preset logistic regression model for training and learning until the preset logistic regression model is converged to obtain a second training model. Wherein the support threshold may be set empirically.
Although the same application provides the same function for all users, in the actual use process, different users tend to generate different operation behavior data for a plurality of functions of the application due to the difference of use habits, for example, three functions of a, B and C are also used, and the meanings of sequential operations a → B → C and C → B → a are completely different. The embodiment of the invention refers to a plurality of operation behavior data of the sequential operation as an operation sequence. The embodiment of the invention constructs the logistic regression model by analyzing the behavior relation among a plurality of operation behavior data of a user in a certain time window. Specifically, the method comprises the following steps:
(1) a sequence pattern mining algorithm PrefixSpan or other algorithm capable of implementing sequence mining is utilized. Analyzing the operation behavior data of the plurality of functions, and finding out all frequent operation sequences meeting a certain support degree. The flow of the Prefix span algorithm is briefly described as follows.
Inputting: sequence data set S and a support threshold α.
(a) Finding out frequent prefixes with the length of 1 and the support degree of not less than alpha, constructing a corresponding projection database for each frequent prefix, deleting the non-frequent items from S, and assigning the value of i to 1.
(b) And carrying out recursive mining on each prefix with the length of i and the support degree of not less than alpha. i) And constructing a projection database. If the construction is impossible, the recursion is ended. ii) calculating the support of each item in the projection database. If the support degrees of all the items are less than alpha, the recursion is ended; if the support degree is not less than alpha, combining the item and the current prefix to obtain a new prefix. iii) let i ═ i +1, and step b is performed recursively with the new prefix.
(c) Stopping when there are no longer frequent sequences.
(2) And constructing a logistic regression model for identifying legal/illegal users by using the frequent operation sequences as training data. Legal users have more operation behavior data due to various requirements, but the targets of the illegal users are relatively single (such as billing), so that only a few specific operation behavior data are usually available. In order to improve the efficiency of model estimation, illegal users (abnormal equipment) can be accurately identified as the final target of the model.
Step 204, if the first risk value is greater than a first threshold value and the second risk value is greater than a second threshold value, the server determines that the user to be identified is an abnormal user, and sends a determination result to the device of the abnormal user.
The first threshold and the second threshold may be set empirically, and only when the first risk value and the second risk value are both higher than the corresponding thresholds, it may be determined that the user to be identified is an illegal user, that is, an abnormal user, and at this time, the server may send a determination result to the device of the abnormal user, where the determination result includes information that the user to be identified is an abnormal user. The server can also add the device information into a blacklist and feed the information back to the local application of the device of the abnormal user, and the local application can quickly shield all functions and pop up warning prompts after receiving the information. The alert prompt provides the user with two options, one is to confirm and exit the application; and secondly, feedback is submitted, namely when the legal user is judged by mistake, the feedback can be submitted manually, and the server can update the blacklist according to the feedback of the user, so that the efficiency and the accuracy of identifying the illegal user at the later stage are improved.
In order to guarantee the safety of mobile phone payment, the embodiment of the invention also provides a technical scheme for monitoring the sensor data of the user to be identified, and whether the application of maliciously stealing data exists is determined by monitoring the sensor data. Specifically, when it is determined that the user to be identified performs the payment operation, the device data corresponding to the application performing the payment operation may be marked, then the flow direction of the marked device data within the preset time period is monitored, and if the marked device data continues to flow to the first application for the preset time within the preset time period, the server adds the first application to a blacklist and sends an alarm prompt message of the first application to the user. The preset time period and the preset time may be set empirically. The alarm prompt information of the first application may be set empirically, for example, the alarm prompt information may be an alarm prompt information that risks stealing payment data and requests to close the first application. When the flow direction of the device data is monitored, the flow direction to the first application can also be understood as the flow direction of the device data to a remote server to which the first application belongs.
Specifically, when a user needs to input a payment password, a random numeric keyboard based on an encryption algorithm is popped up by a payment application, and a keyboard clicking vibration mode is automatically started, so that malicious application of receiving sensor data by a background to crack the password is interfered. The technical difficulty of stealing the sliding operation of the mobile phone by the user is high, and the mode of starting the hand-written numeric keyboard can be realized under the selection and permission of the user, so that the malicious application is prevented from cracking the password of the user.
When the user enters a payment password, it is monitored whether data flows from the sensor to other applications, and a marking module is added before the data flows to other applications, so that only the marked data is transmitted to other applications. In a certain time interval, the server tracks the use condition of the sensor data through the marking module, for example, if whether the marking data is continuously transmitted to a remote server or not indicates that the possibility of stealing the data exists, the server adds the related application information into a blacklist. When the user uses the payment function, a warning prompt for capturing data by the malicious application is skipped out, the user is inquired whether to close the malicious application or ignore the malicious application, the sensor access authority and the data marking strategy are adjusted according to the feedback of the user, and a blacklist and a payment safety mechanism are dynamically optimized.
In order to better explain the embodiment of the present invention, the above-mentioned identity authentication process will be described in a specific implementation scenario.
Specifically, the flow shown in fig. 4 is used to explain an implementation scenario of the embodiment of the present invention from the perspective of user usage. Taking a mobile payment application as an example, when a user pays the payment application and operates a general function, the application starts to collect equipment data and operation behavior data in a background of a mobile phone, and inputs the two sets of data into a server at the cloud, the server judges user risks by using a first training model and a second training model, and when the risks reach a certain threshold value, the payment application is triggered to shield the user from operating the general function, and a warning prompt is skipped. When the user selects and confirms, quitting the payment application; when the user selects the feedback information, the application jumps out of the user authentication window, if the user authentication window answers the specified questions to confirm the identity of the user, if the user identity is checked to be correct, the application can be continuously used, the information is fed back to the server, and the blacklist is adjusted. The identity recognition classifiers in fig. 4 are the first training model and the second training model in the embodiment of the present invention.
According to the bearing capacity and the computing capacity of the server, part of operation and equipment data can be selected to be analyzed, and therefore the response speed of the application to the user is guaranteed. For example, functions closely related to user privacy, payment, etc. are selected, or operation and device data for a time window is randomly drawn.
When a user needs to pay a password operation, an encrypted random numeric keyboard (the keyboard is clicked to be accompanied with vibration to interfere sensor data) or a keyboard supporting handwriting input is popped up according to the selection of the user, and the payment operation is finished. Meanwhile, the embedded marking module can add marks to the sensor data at the moment and track the sensor data, the server at the cloud end analyzes the tracking records, when suspicious data transmission behaviors are found, a warning prompt for closing the malicious application is skipped, the user can select to close the malicious application or ignore the malicious application, the sensor data access authority and the data marking strategy are adjusted according to the feedback of the user, and a blacklist and a payment safety mechanism are dynamically optimized.
It should be noted that, when building a model by using the device data and the operation behavior data, in addition to the method detailed in the embodiment, other alternative schemes may also be adopted: and if the risk values calculated by the two training models are used as characteristic variables to carry out logistic regression, estimating the weight of the two characteristic variables in determining the user risk, and constructing a comprehensive risk evaluation model.
In addition, the model may include other parameters related to device information in addition to the device data and operational data of interest in this patent. Such as system version, memory usage, available storage space, battery power, number of processes, mobile network code, etc. The equipment can be distinguished through the parameters, and the high-risk mobile phone client side is shielded.
The embodiment of the invention has the following advantages:
1. the implementation is simple, the system logs of the mobile phone sensor and the application are mainly used, extra equipment does not need to be built, and the system logs can be hidden and executed in the background. The requirement on hardware resources is low, and the requirement on user privacy data is low. The collected operation data and sensor data are uploaded to a cloud server, and after modeling analysis is carried out by the server, the user risk result is returned to the local application, so that the mobile phone memory is not occupied, and the operation efficiency of the application is not influenced.
2. The abnormal device may imitate the operation behavior of a normal user, but may have a difference from the actual operation characteristics of the user. For example, high frequency logs in and accesses a coupon draw page. The user operation records are collected and analyzed from the system logs, the defects of the existing equipment data analysis are overcome through the analysis of the operation data, the identity authentication model is comprehensively established, the advantages of being difficult to crack and forge are achieved, and the authentication accuracy and reliability are improved.
3. A new security framework is provided, and potential safety hazards brought by leakage of personal privacy data of the sensor are controlled.
In the embodiment of the invention, a server acquires device data and operation behavior data which are sent by a device of a user to be identified and are used for operating the device, the first training model is used for analyzing the device data and determining a first risk value of the user to be identified, the first training model is obtained by using a training set marked with device data of an application function for training and learning, the second training model is obtained by using a training set marked with operation behavior data of the application function and a time sequence for training and learning, and if the first risk value is greater than a first threshold value and the second risk value is greater than a second threshold value, the user to be identified is determined to be an abnormal user, and the determination result is sent to the device of the abnormal user, so that the device of the abnormal user sends out alarm prompt information. Compared with the mode of identifying legal users through a risk model for analyzing user behaviors through sensor data of equipment in the prior art, the equipment data and the operation behavior data can be combined for identification, and the identification accuracy is improved.
Based on the same technical concept, fig. 5 exemplarily shows a structure of an identity authentication apparatus provided in an embodiment of the present invention, and the apparatus can perform a flow of identity authentication.
As shown in fig. 5, the apparatus specifically includes:
an obtaining unit 501, configured to obtain device data and operation behavior data when a device of a user to be identified is operated, where the device data and the operation behavior data are sent by the device of the user to be identified;
a processing unit 502, configured to analyze the device data using a first training model, and determine a first risk value of the user to be identified; the first training model is obtained by training and learning by using a training set marked with device data with application functions; analyzing the operation behavior data by using a second training model, and determining a second risk value of the user to be identified; the second training model is obtained by training and learning by using a training set marked with operation behavior data of application functions and time sequences; and if the first risk value is greater than a first threshold value and the second risk value is greater than a second threshold value, determining that the user to be identified is an abnormal user, and sending a determination result to the equipment of the abnormal user, so that the equipment of the abnormal user sends out alarm prompt information.
Optionally, the processing unit 502 is specifically configured to:
acquiring a training set of device data marked with application functions;
clustering the application functions of the equipment data in the training set according to the operation positions of the application functions to obtain equipment data sets of the application functions of various categories;
carrying out noise reduction processing on equipment data in equipment data sets of various types of application functions through a complementary filter model, and determining a group of attitude angle data of any type of application function in the same operation time window;
analyzing a plurality of groups of attitude angle data of any category of application functions to determine characteristic data corresponding to the equipment data of each category of application functions;
and inputting the characteristic data corresponding to the equipment data of the category application function into a preset classification model for training and learning until the preset classification model is converged to obtain the first training model.
Optionally, the processing unit 502 is specifically configured to:
calculating the cumulative distance sum of any group of attitude angle data and other groups of attitude angle data in multiple groups of attitude angle data of any type of application function aiming at any type of application function in the various types of application functions; determining a set of attitude angle data with a smallest accumulated distance sum as a reference vector of the device data of any one category of application; calculating the distance between each group of attitude angle data and the reference vector to obtain a distance characteristic value; extracting variation variance of each group of attitude angle data, a ratio of time from a starting point to an extreme point to time from the extreme point to a terminal point and an angle difference ratio in a statistical analysis mode;
and determining the reference vector, the distance characteristic value, the variance, the ratio and the angle difference ratio as characteristic data corresponding to the equipment data of any one category of application function.
Optionally, the processing unit 502 is specifically configured to:
acquiring a training set marked with operation behavior data of application functions and time sequences;
analyzing the training set marked with the operation behavior data with the application function and the time sequence by using a sequence pattern mining algorithm, and determining frequent operation behavior data meeting a support degree threshold;
and inputting the frequent operation behavior data meeting the support degree threshold value into a preset logistic regression model for training and learning until the preset logistic regression model is converged to obtain the second training model.
Optionally, the processing unit 502 is further configured to:
when the payment operation of the user to be identified is determined, marking device data corresponding to the application performing the payment operation;
monitoring the flow direction of the marked equipment data in a preset time period;
and if the marked equipment data continuously flows to a first application within a preset time period for a preset time, adding the first application into a blacklist, and sending an alarm prompt message of the first application to the user.
Based on the same technical concept, an embodiment of the present invention further provides a computing device, including:
a memory for storing program instructions;
and the processor is used for calling the program instructions stored in the memory and executing the identity authentication method according to the obtained program.
Based on the same technical concept, embodiments of the present invention further provide a computer-readable non-volatile storage medium, which includes computer-readable instructions, and when the computer reads and executes the computer-readable instructions, the computer is caused to execute the above identity authentication method.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (12)

1. A method of identity authentication, comprising:
the method comprises the steps that a server obtains device data and operation behavior data which are sent by a device of a user to be identified and are used for operating the device;
the server analyzes the equipment data by using a first training model, and determines a first risk value of the user to be identified; the first training model is obtained by training and learning by using a training set marked with device data with application functions;
the server analyzes the operation behavior data by using a second training model to determine a second risk value of the user to be identified; the second training model is obtained by training and learning by using a training set marked with operation behavior data of application functions and time sequences;
if the first risk value is larger than a first threshold value and the second risk value is larger than a second threshold value, the server determines that the user to be identified is an abnormal user and sends a determination result to equipment of the abnormal user, so that the equipment of the abnormal user sends out alarm prompt information.
2. The method of claim 1, wherein the server performs training learning using a training set of device data labeled with application functions to obtain the first training model, and comprises:
the server acquires a training set of equipment data marked with application functions;
the server clusters the application functions of the device data in the training set according to the operation positions of the application functions to obtain device data sets of the application functions of various categories;
the server carries out noise reduction processing on the equipment data in the equipment data set of each type of application function through a complementary filter model, and determines a group of attitude angle data of any type of application function in the same operation time window;
the server analyzes multiple groups of attitude angle data of any category of application functions to determine characteristic data corresponding to the equipment data of each category of application functions;
and the server inputs the characteristic data corresponding to the equipment data of the category application function into a preset classification model for training and learning until the preset classification model is converged to obtain the first training model.
3. The method of claim 2, wherein the server analyzes a plurality of groups of attitude angle data of any category of application function to determine feature data corresponding to the device data of each category of application function, and comprises:
aiming at any one category of application function in the various categories of application functions, the server calculates the accumulated distance sum of any one group of attitude angle data and other groups of attitude angle data in the multiple groups of attitude angle data of any one category of application function; determining a set of attitude angle data with a smallest accumulated distance sum as a reference vector of the device data of any one category of application; calculating the distance between each group of attitude angle data and the reference vector to obtain a distance characteristic value; extracting variation variance of each group of attitude angle data, a ratio of time from a starting point to an extreme point to time from the extreme point to a terminal point and an angle difference ratio in a statistical analysis mode;
the server determines the reference vector, the distance characteristic value, the variance, the ratio and the angle difference ratio as characteristic data corresponding to the equipment data of any one category of application function.
4. The method of claim 1, wherein the server performs training learning using a training set of operation behavior data labeled with application functions and timing to obtain the second training model, and comprises:
the server acquires a training set marked with operation behavior data of application functions and time sequences;
the server analyzes the training set marked with the application function and the time sequence of the operation behavior data by using a sequence pattern mining algorithm to determine frequent operation behavior data meeting a support degree threshold;
and the server inputs the frequently-operated behavior data meeting the support degree threshold value into a preset logistic regression model for training and learning until the preset logistic regression model is converged to obtain the second training model.
5. The method of any of claims 1 to 4, further comprising:
when the server determines that the user to be identified carries out payment operation, marking device data corresponding to the application carrying out the payment operation;
the server monitors the flow direction of the marked equipment data within a preset time period;
and if the marked equipment data continuously flows to a first application within a preset time period for a preset time, the server adds the first application into a blacklist and sends an alarm prompt message of the first application to the user.
6. An apparatus for identity authentication, comprising:
the device comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring device data and operation behavior data which are sent by the device of a user to be identified and are used when the device is operated;
the processing unit is used for analyzing the equipment data by using a first training model and determining a first risk value of the user to be identified; the first training model is obtained by training and learning by using a training set marked with device data with application functions; analyzing the operation behavior data by using a second training model, and determining a second risk value of the user to be identified; the second training model is obtained by training and learning by using a training set marked with operation behavior data of application functions and time sequences; and if the first risk value is greater than a first threshold value and the second risk value is greater than a second threshold value, determining that the user to be identified is an abnormal user, and sending a determination result to the equipment of the abnormal user, so that the equipment of the abnormal user sends out alarm prompt information.
7. The apparatus as claimed in claim 6, wherein said processing unit is specifically configured to:
acquiring a training set of device data marked with application functions;
clustering the application functions of the equipment data in the training set according to the operation positions of the application functions to obtain equipment data sets of the application functions of various categories;
carrying out noise reduction processing on equipment data in equipment data sets of various types of application functions through a complementary filter model, and determining a group of attitude angle data of any type of application function in the same operation time window;
analyzing a plurality of groups of attitude angle data of any category of application functions to determine characteristic data corresponding to the equipment data of each category of application functions;
and inputting the characteristic data corresponding to the equipment data of the category application function into a preset classification model for training and learning until the preset classification model is converged to obtain the first training model.
8. The apparatus as claimed in claim 7, wherein said processing unit is specifically configured to:
calculating the cumulative distance sum of any group of attitude angle data and other groups of attitude angle data in multiple groups of attitude angle data of any type of application function aiming at any type of application function in the various types of application functions; determining a set of attitude angle data with a smallest accumulated distance sum as a reference vector of the device data of any one category of application; calculating the distance between each group of attitude angle data and the reference vector to obtain a distance characteristic value; extracting variation variance of each group of attitude angle data, a ratio of time from a starting point to an extreme point to time from the extreme point to a terminal point and an angle difference ratio in a statistical analysis mode;
and determining the reference vector, the distance characteristic value, the variance, the ratio and the angle difference ratio as characteristic data corresponding to the equipment data of any one category of application function.
9. The apparatus as claimed in claim 6, wherein said processing unit is specifically configured to:
acquiring a training set marked with operation behavior data of application functions and time sequences;
analyzing the training set marked with the operation behavior data with the application function and the time sequence by using a sequence pattern mining algorithm, and determining frequent operation behavior data meeting a support degree threshold;
and inputting the frequent operation behavior data meeting the support degree threshold value into a preset logistic regression model for training and learning until the preset logistic regression model is converged to obtain the second training model.
10. The apparatus of any of claims 6 to 9, wherein the processing unit is further to:
when the payment operation of the user to be identified is determined, marking device data corresponding to the application performing the payment operation;
monitoring the flow direction of the marked equipment data in a preset time period;
and if the marked equipment data continuously flows to a first application within a preset time period for a preset time, adding the first application into a blacklist, and sending an alarm prompt message of the first application to the user.
11. A computing device, comprising:
a memory for storing program instructions;
a processor for calling program instructions stored in said memory to execute the method of any one of claims 1 to 5 in accordance with the obtained program.
12. A computer-readable non-transitory storage medium including computer-readable instructions which, when read and executed by a computer, cause the computer to perform the method of any one of claims 1 to 5.
CN202011036200.4A 2020-09-27 2020-09-27 Identity authentication method and device Active CN112184241B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011036200.4A CN112184241B (en) 2020-09-27 2020-09-27 Identity authentication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011036200.4A CN112184241B (en) 2020-09-27 2020-09-27 Identity authentication method and device

Publications (2)

Publication Number Publication Date
CN112184241A true CN112184241A (en) 2021-01-05
CN112184241B CN112184241B (en) 2024-02-20

Family

ID=73944628

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011036200.4A Active CN112184241B (en) 2020-09-27 2020-09-27 Identity authentication method and device

Country Status (1)

Country Link
CN (1) CN112184241B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113362070A (en) * 2021-06-03 2021-09-07 中国工商银行股份有限公司 Method, apparatus, electronic device, and medium for identifying operating user
CN113449309A (en) * 2021-06-28 2021-09-28 平安银行股份有限公司 Terminal security state identification method, device, equipment and medium
US11488178B2 (en) * 2020-11-01 2022-11-01 Beijing Didi Infinity Technology And Development Co., Ltd. Systems and methods for verifying digital payments

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104021339A (en) * 2014-06-10 2014-09-03 北京奇虎科技有限公司 Safety payment method and device for mobile terminal
CN104035396A (en) * 2014-04-18 2014-09-10 重庆大学 Distributed behavior identification method based on wireless sensor network
CN106940805A (en) * 2017-03-06 2017-07-11 江南大学 A kind of group behavior analysis method based on mobile phone sensor
CN107465814A (en) * 2017-07-17 2017-12-12 长沙学院 A kind of user's input recognition method based on mobile phone inertial sensor
CN108510280A (en) * 2018-03-23 2018-09-07 上海氪信信息技术有限公司 A kind of financial fraud behavior prediction method based on mobile device behavioral data
CN108629170A (en) * 2018-04-20 2018-10-09 北京元心科技有限公司 Personal identification method and corresponding device, mobile terminal
CN109542944A (en) * 2018-09-29 2019-03-29 广东工业大学 Smart home user based on timing Causality Analysis manipulates behavior recommended method
CN109635872A (en) * 2018-12-17 2019-04-16 上海观安信息技术股份有限公司 Personal identification method, electronic equipment and computer program product
CN109828997A (en) * 2019-01-03 2019-05-31 温州医科大学 A kind of analysis of university student's behavioral data and academic warning method
CN110175839A (en) * 2019-05-31 2019-08-27 ***股份有限公司 Method for processing payment information, device, equipment and computer readable storage medium
WO2019184119A1 (en) * 2018-03-26 2019-10-03 平安科技(深圳)有限公司 Risk model training method and apparatus, risk identification method and apparatus, device, and medium
WO2020060544A1 (en) * 2018-09-19 2020-03-26 Rulex, Inc. Method for detecting anomalies in a data set
CN111625792A (en) * 2020-07-28 2020-09-04 杭州大乘智能科技有限公司 Identity recognition method based on abnormal behavior detection
CN111652280A (en) * 2020-04-30 2020-09-11 中国平安财产保险股份有限公司 Behavior-based target object data analysis method and device and storage medium

Patent Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104035396A (en) * 2014-04-18 2014-09-10 重庆大学 Distributed behavior identification method based on wireless sensor network
CN104021339A (en) * 2014-06-10 2014-09-03 北京奇虎科技有限公司 Safety payment method and device for mobile terminal
CN106940805A (en) * 2017-03-06 2017-07-11 江南大学 A kind of group behavior analysis method based on mobile phone sensor
CN107465814A (en) * 2017-07-17 2017-12-12 长沙学院 A kind of user's input recognition method based on mobile phone inertial sensor
CN108510280A (en) * 2018-03-23 2018-09-07 上海氪信信息技术有限公司 A kind of financial fraud behavior prediction method based on mobile device behavioral data
WO2019184119A1 (en) * 2018-03-26 2019-10-03 平安科技(深圳)有限公司 Risk model training method and apparatus, risk identification method and apparatus, device, and medium
CN108629170A (en) * 2018-04-20 2018-10-09 北京元心科技有限公司 Personal identification method and corresponding device, mobile terminal
WO2020060544A1 (en) * 2018-09-19 2020-03-26 Rulex, Inc. Method for detecting anomalies in a data set
CN109542944A (en) * 2018-09-29 2019-03-29 广东工业大学 Smart home user based on timing Causality Analysis manipulates behavior recommended method
CN109635872A (en) * 2018-12-17 2019-04-16 上海观安信息技术股份有限公司 Personal identification method, electronic equipment and computer program product
CN109828997A (en) * 2019-01-03 2019-05-31 温州医科大学 A kind of analysis of university student's behavioral data and academic warning method
CN110175839A (en) * 2019-05-31 2019-08-27 ***股份有限公司 Method for processing payment information, device, equipment and computer readable storage medium
CN111652280A (en) * 2020-04-30 2020-09-11 中国平安财产保险股份有限公司 Behavior-based target object data analysis method and device and storage medium
CN111625792A (en) * 2020-07-28 2020-09-04 杭州大乘智能科技有限公司 Identity recognition method based on abnormal behavior detection

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11488178B2 (en) * 2020-11-01 2022-11-01 Beijing Didi Infinity Technology And Development Co., Ltd. Systems and methods for verifying digital payments
CN113362070A (en) * 2021-06-03 2021-09-07 中国工商银行股份有限公司 Method, apparatus, electronic device, and medium for identifying operating user
CN113449309A (en) * 2021-06-28 2021-09-28 平安银行股份有限公司 Terminal security state identification method, device, equipment and medium
CN113449309B (en) * 2021-06-28 2023-10-27 平安银行股份有限公司 Terminal security state identification method, device, equipment and medium

Also Published As

Publication number Publication date
CN112184241B (en) 2024-02-20

Similar Documents

Publication Publication Date Title
CN109635872B (en) Identity recognition method, electronic device and computer program product
CN112184241B (en) Identity authentication method and device
CN105791255B (en) Computer risk identification method and system based on account clustering
CN109922032B (en) Method, device, equipment and storage medium for determining risk of logging in account
CN108366045B (en) Method and device for setting wind control scoring card
CN106845240A (en) A kind of Android malware static detection method based on random forest
CN103593609B (en) Trustworthy behavior recognition method and device
CN104836781A (en) Method distinguishing identities of access users, and device
CN109413023B (en) Training of machine recognition model, machine recognition method and device, and electronic equipment
CN112231570B (en) Recommendation system support attack detection method, device, equipment and storage medium
CN106650350A (en) Identity authentication method and system
CN112733045B (en) User behavior analysis method and device and electronic equipment
CN113572757B (en) Server access risk monitoring method and device
CN112131225B (en) Method and device for determining application installation source and tracing system
CN110675252A (en) Risk assessment method and device, electronic equipment and storage medium
CN110572302B (en) Diskless local area network scene identification method and device and terminal
CN112307464A (en) Fraud identification method and device and electronic equipment
CN110781467A (en) Abnormal business data analysis method, device, equipment and storage medium
CN107220530B (en) Turing test method and system based on user service behavior analysis
CN109587248B (en) User identification method, device, server and storage medium
CN109873836A (en) A kind of methods of risk assessment and device of data
CN107623715B (en) Identity information acquisition method and device
CN115603995A (en) Information processing method, device, equipment and computer readable storage medium
CN114189585A (en) Crank call abnormity detection method and device and computing equipment
CN112417007A (en) Data analysis method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant