Specific embodiment
In order to make those skilled in the art better understand the technical solutions in the application, below in conjunction with the application realityThe attached drawing in example is applied, the technical scheme in the embodiment of the application is clearly and completely described, it is clear that described implementationExample is merely a part but not all of the embodiments of the present application.Based on the embodiment in the application, this field is commonThe application protection all should belong in technical staff's every other embodiment obtained without creative effortsRange.
The purpose of the embodiment of the present application is to provide a kind of auth method and device, to improve the peace of subscriber authenticationQuan Xing.Wherein, which can be executed by identity-validation device (such as background server).
Fig. 1 is the schematic diagram of a scenario for the authentication that one embodiment of the application provides, as shown in Figure 1, the scene includes usingFamily terminal and identity-validation device, wherein user terminal includes but is not limited to tablet computer 101 as shown in Figure 1, mobile phone102, desktop computer 103, laptop 104, identity-validation device include but is not limited to server 200 as shown in Figure 1.In the scene, identity-validation device can execute the auth method provided in the embodiment of the present application, to carry out to userAuthentication.
Fig. 2 is the flow diagram for the auth method that one embodiment of the application provides, as shown in Fig. 2, the process packetInclude following steps:
Step S202 obtains the behavioural information and network environment associated with behavior information of the network behavior of userInformation and/or user equipment information, and according to preset feature extraction rule, special characteristic is extracted from the information of acquisition;
Step S204, if determining the network behavior according to each special characteristic extracted by risk behavior identification modelFor risk behavior, then being chosen in each special characteristic by classification, Reasons model makes the network behavior be judged as risk behaviorTarget signature;
Step S206 determines the Authentication Questions of the user according to target signature, and identity-based validation problem is to the useFamily carries out authentication.
In the embodiment of the present application, the behavioural information of network behavior of acquisition user and associated with behavior information firstNetwork environment information and/or user equipment information extracted from the information of acquisition special and according to preset feature extraction ruleFeature is determined, if then determining the network behavior for risk according to each special characteristic extracted by risk behavior identification modelBehavior then chooses the target for making the network behavior be judged as risk behavior by classification, Reasons model in each special characteristicFeature finally determines that the Authentication Questions of the user, identity-based validation problem carry out body to the user according to target signaturePart verifying.As it can be seen that through this embodiment, can determine the target signature for making the network behavior of user be judged as risk behavior,And Authentication Questions are determined based on target signature and authentication is carried out to user, flexibly determine that authentication is asked to reachThe effect for inscribing and carrying out to user authentication solves authentication process itself safety caused by Authentication Questions immobilizeIt is low, be easy the problem of being cracked, improve the safety of subscriber authentication.
In above-mentioned steps S202, the behavioural information of the network behavior of user is obtained.The network behavior of user includes but unlimitedIn payment behavior, login behavior etc..The behavioural information of network behavior includes but is not limited to that the information of behavioral agent, behavior are directed toThe information being related in the information and action process of object of action.By taking network behavior is payment behavior as an example, network behaviorBehavioural information includes but is not limited to time of payment, payment amount, payment address name, age, registion time, gathering user's surnameName, age, registion time, payment platform mark etc..By taking network behavior is login behavior as an example, the behavioural information packet of network behaviorInclude but be not limited to login time, login username, login result etc..Wherein login result includes logining successfully and login failure.
In above-mentioned steps S202, network environment information associated with the behavioural information of network behavior and/or use are also obtainedFamily facility information.Wherein, network environment information includes but is not limited to that user executes used user terminal when network behaviorIP (Internet Protocol, network protocol) address, network type of the user terminal etc..Wherein, network type includesWIFI (Wireless-Fidelity, WLAN) and mobile data flow.User equipment information includes but is not limited to userExecute mark, brand, the model, MAC (Media Access Control, media of used user terminal when network behaviorAccess control) address etc..In the present embodiment, available network environment information associated with the behavioural information of network behavior,Alternatively, user equipment information associated with the behavioural information of network behavior is obtained, alternatively, obtaining network environment information and userFacility information.
In above-mentioned steps S202, according further to preset feature extraction rule, special characteristic is extracted from the information of acquisition.ItsIn, regulation has the type for the feature for needing to extract from the information that items are got in preset feature extraction rule, for example, in advanceIf feature extraction rule in provide, when network behavior is payment behavior, in subordinate act information extract the time of payment, payment goldThe special characteristics such as volume, shroff account number, when network behavior is login behavior, in subordinate act information extract login time, user name,The special characteristics such as website logo.It further provides that, IP address, network are extracted from network environment information in preset feature extraction ruleThe special characteristics such as type, the special characteristics such as extract equipment mark, device model from user equipment information.Certainly, it only does hereIt schematically illustrates, the special characteristic extracted from the information that items are got is not limited to the example above.
In above-mentioned steps S204, used first by risk behavior identification model according to each special characteristic judgement extractedWhether the network row at family is risk behavior.Correspondingly, the method in the present embodiment further include: pass through risk behavior trained in advanceIdentification model gives a mark to the degree of risk of network behavior according to each special characteristic extracted, if the wind that marking obtainsDangerous fractional value is more than score threshold, it is determined that network behavior is risk behavior, if the obtained risk score value of marking is less than pointNumber threshold value, it is determined that network behavior is not risk behavior.
Specifically, risk behavior identification model can be neural network model, it is, of course, also possible to be other models, hereIt does not limit specifically.Each special characteristic extracted is input to risk behavior identification model and carries out operation, risk behavior identificationModel gives a mark to the degree of risk of network behavior according to each special characteristic extracted, and exports the risk that marking obtainsFractional value, if the risk score value that marking obtains is more than score threshold, it is determined that network behavior is risk behavior, if marking obtainsRisk score value be less than score threshold, it is determined that network behavior is not risk behavior.
In one embodiment, network behavior is payment behavior, when each special characteristic extracted includes paying party registrationLength, beneficiary registration time length, paying party age and payment amount.Risk behavior identification model is according to each specific spy extractedSign gives a mark to the degree of risk of network behavior and can illustrate are as follows: when first determining whether beneficiary registration time length is greater than firstLong, if beneficiary registration time length is not greater than the first duration, record is scored at 0.2 point, secondly judges that paying party registration time length isNo to be greater than the second duration, if paying party registration time length is not greater than the second duration, record is scored at 0.3 point, then judgement paymentWhether Fang Nianling is greater than age threshold, if more than then record is scored at 0.3 point, finally judges whether payment amount is greater than the amount of moneyThreshold value, if more than then record is scored at 0.3 point, and finally obtaining the corresponding risk score value of the payment behavior is 0.8 point, is more thanScore threshold 0.2 is divided, then determines the payment behavior for risk behavior.
In above-mentioned steps S204, if determining user according to each special characteristic extracted by risk behavior identification modelNetwork behavior be risk behavior, then the network behavior quilt for making user is chosen in each special characteristic by classification, Reasons modelIt is determined as the target signature of risk behavior.It is to be understood that the network behavior that target signature is used to indicate user is judged as windThe reason of dangerous behavior, causes risk behavior identification model that the network behavior of user is determined as risk by the presence of target signatureBehavior.
In the present embodiment, being chosen in each special characteristic by classification, Reasons model is determined the network behavior of userFor the target signature of risk behavior, specifically:
(a1) by classification, Reasons model, determine that each special characteristic it is expected for the contributrion margin of risk score value respectivelyValue;Wherein, classification, Reasons model is established based on Shapley Value method, and risk score value is risk behavior identification model according to each spyDetermine the fractional value that feature gives a mark to the degree of risk of network behavior;
(a2) by each special characteristic, contributrion margin desired value is greater than the feature of default desired value threshold value as target spySign.
Specifically, in the present embodiment, classification, Reasons model can be established based on Shapley Value (Shapley Value) method,Shapley Value is originated from game theory, main thought are as follows: assuming that N number of feature altogether, final marking is S, then mainly passes through calculatingThe contributrion margin desired value of each feature calibrates each feature to the influence degree of final marking S.In the present embodiment, attribution pointAnalysis model is used to analyze risk behavior identification model and is carried out according to degree of risk of each special characteristic to the network behavior of userThe reason of above-mentioned risk score value is obtained after marking.
In the present embodiment, each special characteristic extracted in available step S202, and obtain risk behavior knowledgeThe risk score value that other model is given a mark according to degree of risk of each special characteristic to the network behavior of user, will be eachA special characteristic and the risk score value are input to classification, Reasons model and are handled, and export each spy by classification, Reasons modelDetermine the contributrion margin desired value that feature is directed to the risk score value, corresponding contributrion margin desired value is bigger, the special characteristic pairThe contribution of the risk score value is bigger.
In the present embodiment, it is additionally provided with default desired value threshold value, and by each special characteristic, contributrion margin desired value is bigIn default desired value threshold value feature as target signature, so that selecting makes the network behavior of user be judged as risk behaviorTarget signature.It can determine the reason of network behavior of user is judged as risk behavior by analyzing target signature.
In one embodiment, the network behavior of user is login behavior, which is sentenced by risk behavior identification modelIt is set to risk behavior, determines that the IP feature for obtaining the corresponding user terminal of login behavior is that target is special by classification, Reasons modelSign.By analyzing the IP feature, it can determine that the reason of login behavior of user is judged as risk behavior is that user strange land is stepped onRecord.
In the present embodiment, by classification, Reasons model, determine that each special characteristic is directed to the limit of risk score value respectivelyDesired value is contributed, specifically:
(b1) by classification, Reasons model, gradually based on every N number of feature in each special characteristic, to the network row of userFor degree of risk give a mark, obtain per the corresponding N fractional value of N number of special characteristic;
Wherein, N is the positive integer of the total quantity more than or equal to 1, less than or equal to each special characteristic, when gradually giving a mark, N'sValue gradually adds 1;
(b2) each fractional value obtained according to marking determines that each special characteristic is directed to the limit of risk score value respectivelyContribute desired value.
Here the above process (b1) and (b2) are illustrated by a specific example.It is specific in one specific embodimentThe quantity of feature is three, including feature A, feature B and feature C.In above-mentioned movement (b1), by classification, Reasons model, firstIt based on each feature, gives a mark to the degree of risk of the network behavior of user, obtains each special characteristic correspondingOne fractional value, also will each special characteristic input risk behavior identification model respectively, obtained by risk behavior identification modelThe first fractional value based on each special characteristic, is then based on every two feature, to the degree of risk of the network behavior of user intoRow marking, obtains corresponding second fractional value of every two special characteristic, also i.e. by each special characteristic combination of two, by each groupInput risk behavior identification model is closed, the second fractional value based on each combination is obtained by risk behavior identification model, finallyIt based on every three features, gives a mark to the degree of risk of the network behavior of user, obtains every three special characteristics correspondingThree fractional values also combine each special characteristic three or three, and each combination is inputted risk behavior identification model, passes through risk rowIt obtains for identification model based on each combined third fractional value, it is to be understood that third fractional value is risk score value.SpecificallySituation of giving a mark is as shown in table 1 below.
Table 1
| Feature A | First fractional value D11 |
| Feature B | First fractional value D12 |
| Feature C | First fractional value D13 |
| Feature A+B | Second fractional value D21 |
| Feature A+C | Second fractional value D22 |
| Feature B+C | Second fractional value D23 |
| Feature A+B+C | Third fractional value D3 |
Then, the contributrion margin desired value for calculating feature A is (D11+ (D21-D12)+(D22-D13)+(D3-D12-D13))/3, the contributrion margin desired value for calculating feature B is (D12+ (D21-D11)+(D23-D13)+(D3-D11-D13))/3,The contributrion margin desired value for calculating feature C is (D13+ (D22-D11)+(D23-D12)+(D3-D12-D13))/3.It needs to illustrate, in the classification, Reasons model established based on Shapley Value method, calculate the contributrion margin desired value of each featureMethod is not limited to the example above, can be arranged according to actual needs.
In the present embodiment, establishing classification, Reasons model based on Shapley Value method can be neural network model, the modelTraining process can illustrate are as follows: a large amount of sample data is obtained first, sample data can collect to obtain by artificial mode,Every group of sample data includes multiple special characteristics, and, risk behavior identification model is according to multiple special characteristic to userNetwork behavior the risk score value given a mark of degree of risk, in multiple special characteristic, being also labeled with causesThe target signature of the risk score value;When training pattern, every group of sample data is input to the mind established based on Shapley Value methodIt is trained through network model, after parameters training convergence in a model, the model that obtained training is completed is attributionAnalysis model.
As it can be seen that can be chosen in each special characteristic by classification, Reasons model makes network behavior quilt in the present embodimentIt is determined as the target signature of risk behavior, so that the Authentication Questions for subsequent determining user are prepared, avoids the body of userAuthentication process itself safety is low caused by part validation problem immobilizes, is easy the problem of being cracked, and improves user identity and testsThe safety of card.
In above-mentioned steps S206, the Authentication Questions of user are determined according to target signature, specifically: what is pre-establishedAuthentication Questions corresponding with target signature are searched in problem base, using the Authentication Questions found as the body of userPart validation problem.Wherein, record has the corresponding Authentication Questions of each special characteristic, the body recorded in problem base in problem basePart validation problem is constructed based on the knowledge mapping of the user.
In the present embodiment, due to be previously provided with feature extraction rule, can predefine extract it is eachThe type of special characteristic, therefore the corresponding identity of each special characteristic can be recorded in problem base in advance by artificial modeValidation problem.The Authentication Questions recorded in problem base can knowledge mapping structure by artificial mode based on above-mentioned userIt builds.
Knowledge mapping (knowledge-based authentication, KBA) is explicit knowledge's development process and structureA series of a variety of different figures of relationship, describe knowledge resource and its carrier with visualization technique, excavate, analyze, construct, drawSystem and explicit knowledge and connecting each other between them.Manually the knowledge mapping based on user is that each special characteristic constructs identityWhen validation problem, Constructed wetlands can be with are as follows: when determining that each special characteristic is target signature, network behavior be risk behavior canEnergy reason, constructs the corresponding Authentication Questions of the special characteristic based on the reason.Such as: it is directed to IP feature, due to IP featureThe main reason for causing network behavior to be judged as risk behavior, includes " different-place login ", " more exchange device " etc., therefore constructProblem can be " your birthplace is which is saved? ", " you the model of mobile phone are once? ";Correspondingly, for transaction amount spyThe main reason for levying, causing network behavior to be judged as risk behavior due to transaction amount feature includes " stranger's transaction ", " goldVolume is excessive " etc., therefore the problem of constructing, can be " you and payee had record of transferring accounts? ", " the product that you buy in the recent periodFor? ".Corresponding Authentication Questions are constructed for other special characteristics no longer to illustrate here.When constructing Authentication Questions,It needs the knowledge mapping based on user to construct, can be obtained from the knowledge mapping of user with guaranteeing problem answers.One toolIn the embodiment of body, the real-time knowledge mapping of user can be generated, real-time knowledge mapping Construct question is based on, to useAll information at family quickly can be positioned and be inquired.
Therefore, in above-mentioned steps S206, identity corresponding with target signature is searched in library the problem of pre-establishing and is testedCard problem using the Authentication Questions found as the Authentication Questions of user, and shows user's by user terminalAuthentication Questions, so that the identity to user is verified.
In above-mentioned steps S206, authentication is carried out to user based on the Authentication Questions of user, specifically: pass through useThe Authentication Questions of family terminal display user, and the answer data that user is directed to Authentication Questions are obtained, from knowing for userThe correct option that the Authentication Questions are obtained in knowledge map confirms if the answer data of user match with correct optionIt is verified, conversely, confirmation verifying does not pass through.
In one situation, the quantity of target signature is multiple, at least corresponding Authentication Questions of each target signature,Then in above-mentioned steps S206, authentication is carried out to user based on the Authentication Questions of user, specifically:
(c1) according to the corresponding target signature of each Authentication Questions, each Authentication Questions are ranked up;
(c2) Authentication Questions are shown to user by user terminal according to sequence, and obtains user for authenticationThe answer data of problem;
(c3) according to the knowledge mapping for answering data and user, authentication is carried out to user.
Firstly, in movement (c1), according to the corresponding target signature of each Authentication Questions, to each Authentication QuestionsIt is ranked up, specifically, obtains the side for determining that obtained each target signature is directed to risk score value by classification, Reasons modelContribute desired value in border, wherein classification, Reasons model is established based on Shapley Value method, and risk score value is risk behavior identification modelAccording to the fractional value that degree of risk of each special characteristic to network behavior is given a mark, according to the side of each target signatureThe sequence that border contributes desired value descending, is ranked up each Authentication Questions.
For example, target signature includes M1 and M2, wherein M1 correspondence problem N1 and N2, M2 correspondence problem N3 and N4 are then acted(c1) in, the contributrion margin desired value for determining that obtained feature M1 is directed to risk score value by classification, Reasons model is obtained, withAnd obtain the contributrion margin desired value for determining that obtained feature M2 is directed to risk score value by classification, Reasons model, it is assumed that M1Contributrion margin desired value be greater than M2 contributrion margin desired value, it is determined that problem sequence are as follows: N1, N2, N3, N4.Wherein, sameThe corresponding multiple problems of a target signature can be randomly ordered.
It acts in (c2), Authentication Questions is shown to user by user terminal according to sequence, and obtain user and be directed toThe answer data of Authentication Questions.Such as showing problem N1 first, and user is being got for the answer data of problem N1Afterwards, it shows next problem, to successively show each problem, and obtains the answer data that user is directed to each problem.This realityIt applies in example, user can submit answer data by way of selection answer or write-in answer.
It acts in (c3), the correct option of each Authentication Questions is obtained from the knowledge mapping of user, if according to justTrue answer determines that the ratio for the quantity that the quantity for answering correct topic accounts for shown Authentication Questions reaches default ratioExample, it is determined that subscriber authentication passes through, otherwise determines that authentication does not pass through.
In one specific embodiment, after every one Authentication Questions of displaying to user, user is obtained for this problemAnswer data, and obtain from the knowledge mapping of user the correct option of the problem, and user is judged according to the correct optionWhether answer correctly, the score of user is calculated according to judging result.If after having answered all Authentication Questions, the score of userReaching preset fraction threshold value, it is determined that authentication passes through, alternatively, without showing whole Authentication Questions to user, ifThe quantity that user continuously answers correct problem reaches certain amount, it is determined that authentication passes through.And stop remaining problemIt shows.
Fig. 3 is the schematic diagram for the authentication that one embodiment of the application provides, as shown in figure 3, in the login for determining userWhen behavior is risk behavior, determines that target signature is IP feature, determine that Authentication Questions include: that " which your birthplace isSave ", " you are how many at the frequency in birth province ".By user terminal to user show first Authentication Questions, withAfter first Authentication Questions has been answered at family, second Authentication Questions is shown.User can pass through the side of selection answerFormula, which is submitted, answers data.If determining that user's both of these problems are all answered correctly according to the knowledge mapping of user, it is determined that Yong HushenPart is verified, and user is allowed to log in.
To sum up, through this embodiment in method, can determine that the network behavior for making user is judged as risk behaviorTarget signature, and Authentication Questions are determined based on target signature and authentication is carried out to user, to reach flexible determinationAuthentication Questions and the effect that authentication is carried out to user solve Authentication Questions and immobilize caused authenticationProcess safety is low, is easy the problem of being cracked, and improves the safety of subscriber authentication.
Fig. 4 is the module composition schematic diagram for the authentication means that one embodiment of the application provides, as shown in figure 4, the dressIt sets and includes:
Module 41 is obtained, for obtaining the behavioural information of the network behavior of user and associated with the behavioural informationNetwork environment information and/or user equipment information, and according to preset feature extraction rule, it is extracted from the information of acquisition specificFeature;
Analysis module 42, if for passing through risk behavior identification model according to each special characteristic judgement extractedNetwork behavior is risk behavior, then being chosen in each special characteristic by classification, Reasons model makes the network behavior quiltIt is determined as the target signature of risk behavior;
Authentication module 43 is based on the body for determining the Authentication Questions of the user according to the target signaturePart validation problem carries out authentication to the user.
Optionally, described device further includes judgment module, is used for:
By risk behavior identification model trained in advance, according to each special characteristic extracted to the network behaviorDegree of risk give a mark;
If obtained risk score value of giving a mark is more than score threshold, it is determined that the network behavior is risk behavior.
Optionally, the analysis module 42 is specifically used for:
By classification, Reasons model, determine that each special characteristic it is expected for the contributrion margin of risk score value respectivelyValue;Wherein, the classification, Reasons model is established based on Shapley Value method;The risk score value is that the risk behavior identifies mouldThe fractional value that type gives a mark to the degree of risk of the network behavior according to each special characteristic;
By in each special characteristic, the contributrion margin desired value is greater than the feature of default desired value threshold value as instituteState target signature.
Optionally, the analysis module 42 also particularly useful for:
By classification, Reasons model, gradually based on every N number of feature in each special characteristic, to the network behaviorDegree of risk give a mark, obtain per the corresponding N fractional value of N number of special characteristic;
Wherein, the N is the positive integer of the total quantity more than or equal to 1, less than or equal to each special characteristic, is gradually beatenThe value of timesharing, the N gradually adds 1;
According to each fractional value that marking obtains, determine each special characteristic for the risk score value respectivelyContributrion margin desired value.
Optionally, the authentication module 43 is specifically used for:
Authentication Questions corresponding with the target signature are searched in library the problem of pre-establishing;
Using the Authentication Questions found as the Authentication Questions of the user;
Wherein, record has the corresponding Authentication Questions of each special characteristic, described problem library in described problem libraryThe Authentication Questions of middle record are constructed based on the knowledge mapping of the user.
Optionally, the quantity of the target signature is multiple, and each target signature at least corresponds to an identityValidation problem;The authentication module 43 is specifically used for:
According to the corresponding target signature of each Authentication Questions, each Authentication Questions are carried outSequence;
The Authentication Questions are shown to the user by user terminal according to the sequence, and obtain the userFor the answer data of the Authentication Questions;
According to the knowledge mapping for answering data and the user, authentication is carried out to the user.
Optionally, the authentication module 43 also particularly useful for:
Obtain the marginal tribute for determining that obtained each target signature is directed to risk score value by classification, Reasons modelOffer desired value;Wherein, the classification, Reasons model is established based on Shapley Value method;The risk score value is the risk behaviorThe fractional value that identification model gives a mark to the degree of risk of the network behavior according to each special characteristic;
According to the sequence that the contributrion margin desired value of each target signature is descending, to each identityValidation problem is ranked up.
As it can be seen that through this embodiment, can determine the target signature for making the network behavior of user be judged as risk behavior,And Authentication Questions are determined based on target signature and authentication is carried out to user, flexibly determine that authentication is asked to reachThe effect for inscribing and carrying out to user authentication solves authentication process itself safety caused by Authentication Questions immobilizeIt is low, be easy the problem of being cracked, improve the safety of subscriber authentication.
It should be noted that the authentication means in the present embodiment can be realized each mistake of aforementioned auth methodJourney, and reach identical effect and function, it is not repeated herein.
Fig. 5 is the structural schematic diagram for the identity-validation device that one embodiment of the application provides, as shown in figure 5, authenticationEquipment can generate bigger difference because configuration or performance are different, may include one or more 901 He of processorMemory 902 can store one or more storage application programs or data in memory 902.Wherein, memory902 can be of short duration storage or persistent storage.The application program for being stored in memory 902 may include one or more mouldsBlock (diagram is not shown), each module may include to the series of computation machine executable instruction in identity-validation device.More intoOne step, processor 901 can be set to communicate with memory 902, and one in memory 902 is executed on identity-validation deviceFamily computer executable instruction.Identity-validation device can also include one or more power supplys 903, one or one withUpper wired or wireless network interface 904, one or more input/output interfaces 905, one or more keyboards 906Deng.
In a specific embodiment, identity-validation device includes memory and one or more journeySequence, perhaps more than one program is stored in memory and one or more than one program may include one for one of themOr more than one module, and each module may include to the series of computation machine executable instruction in identity-validation device, andBe configured to be executed this by one or more than one processor or more than one program include by carry out it is following based onCalculation machine executable instruction:
Obtain user network behavior behavioural information and network environment information associated with the behavioural information and/Or user equipment information, and according to preset feature extraction rule, special characteristic is extracted from the information of acquisition;
If determining that the network behavior is risk according to each special characteristic extracted by risk behavior identification modelBehavior, then being chosen in each special characteristic by classification, Reasons model makes the network behavior be judged as risk behaviorTarget signature;
The Authentication Questions of the user are determined according to the target signature, based on the Authentication Questions to describedUser carries out authentication.
Optionally, computer executable instructions are when executed, further includes:
By risk behavior identification model trained in advance, according to each special characteristic extracted to the network behaviorDegree of risk give a mark;
If obtained risk score value of giving a mark is more than score threshold, it is determined that the network behavior is risk behavior.
Optionally, computer executable instructions when executed, by classification, Reasons model in each special characteristicIt is middle to choose the target signature for making the network behavior be judged as risk behavior, comprising:
By classification, Reasons model, determine that each special characteristic it is expected for the contributrion margin of risk score value respectivelyValue;Wherein, the classification, Reasons model is established based on Shapley Value method;The risk score value is that the risk behavior identifies mouldThe fractional value that type gives a mark to the degree of risk of the network behavior according to each special characteristic;
By in each special characteristic, the contributrion margin desired value is greater than the feature of default desired value threshold value as instituteState target signature.
Optionally, computer executable instructions when executed, by classification, Reasons model, determine each spy respectivelyDetermine the contributrion margin desired value that feature is directed to risk score value, comprising:
By classification, Reasons model, gradually based on every N number of feature in each special characteristic, to the network behaviorDegree of risk give a mark, obtain per the corresponding N fractional value of N number of special characteristic;
Wherein, the N is the positive integer of the total quantity more than or equal to 1, less than or equal to each special characteristic, is gradually beatenThe value of timesharing, the N gradually adds 1;
According to each fractional value that marking obtains, determine each special characteristic for the risk score value respectivelyContributrion margin desired value.
Optionally, computer executable instructions when executed, the identity of the user are determined according to the target signatureValidation problem, comprising:
Authentication Questions corresponding with the target signature are searched in library the problem of pre-establishing;
Using the Authentication Questions found as the Authentication Questions of the user;
Wherein, record has the corresponding Authentication Questions of each special characteristic, described problem library in described problem libraryThe Authentication Questions of middle record are constructed based on the knowledge mapping of the user.
Optionally, when executed, the quantity of the target signature is multiple, each mesh to computer executable instructionsIt marks feature and at least corresponds to the Authentication Questions;Identity is carried out to the user based on the Authentication Questions to testCard, comprising:
According to the corresponding target signature of each Authentication Questions, each Authentication Questions are carried outSequence;
The Authentication Questions are shown to the user by user terminal according to the sequence, and obtain the userFor the answer data of the Authentication Questions;
According to the knowledge mapping for answering data and the user, authentication is carried out to the user.
Optionally, computer executable instructions are when executed, corresponding described according to each Authentication QuestionsTarget signature is ranked up each Authentication Questions, comprising:
Obtain the marginal tribute for determining that obtained each target signature is directed to risk score value by classification, Reasons modelOffer desired value;Wherein, the classification, Reasons model is established based on Shapley Value method;The risk score value is the risk behaviorThe fractional value that identification model gives a mark to the degree of risk of the network behavior according to each special characteristic;
According to the sequence that the contributrion margin desired value of each target signature is descending, to each identityValidation problem is ranked up.
As it can be seen that through this embodiment, can determine the target signature for making the network behavior of user be judged as risk behavior,And Authentication Questions are determined based on target signature and authentication is carried out to user, flexibly determine that authentication is asked to reachThe effect for inscribing and carrying out to user authentication solves authentication process itself safety caused by Authentication Questions immobilizeIt is low, be easy the problem of being cracked, improve the safety of subscriber authentication.
It should be noted that the identity-validation device in the present embodiment can be realized each mistake of aforementioned auth methodJourney, and reach identical effect and function, it is not repeated herein.
Further, the embodiment of the present application also provides a kind of storage medium, for storing computer executable instructions, oneIn kind specific embodiment, which can be USB flash disk, CD, hard disk etc., and the computer of storage medium storage is executableInstruction is able to achieve following below scheme when being executed by processor:
Obtain user network behavior behavioural information and network environment information associated with the behavioural information and/Or user equipment information, and according to preset feature extraction rule, special characteristic is extracted from the information of acquisition;
If determining that the network behavior is risk according to each special characteristic extracted by risk behavior identification modelBehavior, then being chosen in each special characteristic by classification, Reasons model makes the network behavior be judged as risk behaviorTarget signature;
The Authentication Questions of the user are determined according to the target signature, based on the Authentication Questions to describedUser carries out authentication.
Optionally, the computer executable instructions of storage medium storage are when being executed by processor, further includes:
By risk behavior identification model trained in advance, according to each special characteristic extracted to the network behaviorDegree of risk give a mark;
If obtained risk score value of giving a mark is more than score threshold, it is determined that the network behavior is risk behavior.
Optionally, the computer executable instructions of storage medium storage pass through classification, Reasons when being executed by processorModel chooses the target signature for making the network behavior be judged as risk behavior in each special characteristic, comprising:
By classification, Reasons model, determine that each special characteristic it is expected for the contributrion margin of risk score value respectivelyValue;Wherein, the classification, Reasons model is established based on Shapley Value method;The risk score value is that the risk behavior identifies mouldThe fractional value that type gives a mark to the degree of risk of the network behavior according to each special characteristic;
By in each special characteristic, the contributrion margin desired value is greater than the feature of default desired value threshold value as instituteState target signature.
Optionally, the computer executable instructions of storage medium storage pass through classification, Reasons when being executed by processorModel determines that each special characteristic is directed to the contributrion margin desired value of risk score value respectively, comprising:
By classification, Reasons model, gradually based on every N number of feature in each special characteristic, to the network behaviorDegree of risk give a mark, obtain per the corresponding N fractional value of N number of special characteristic;
Wherein, the N is the positive integer of the total quantity more than or equal to 1, less than or equal to each special characteristic, is gradually beatenThe value of timesharing, the N gradually adds 1;
According to each fractional value that marking obtains, determine each special characteristic for the risk score value respectivelyContributrion margin desired value.
Optionally, the computer executable instructions of storage medium storage are when being executed by processor, according to the targetFeature determines the Authentication Questions of the user, comprising:
Authentication Questions corresponding with the target signature are searched in library the problem of pre-establishing;
Using the Authentication Questions found as the Authentication Questions of the user;
Wherein, record has the corresponding Authentication Questions of each special characteristic, described problem library in described problem libraryThe Authentication Questions of middle record are constructed based on the knowledge mapping of the user.
Optionally, the computer executable instructions of storage medium storage are when being executed by processor, the target signatureQuantity be it is multiple, each target signature at least correspond to the Authentication Questions;It is asked based on the authenticationTopic carries out authentication to the user, comprising:
According to the corresponding target signature of each Authentication Questions, each Authentication Questions are carried outSequence;
The Authentication Questions are shown to the user by user terminal according to the sequence, and obtain the userFor the answer data of the Authentication Questions;
According to the knowledge mapping for answering data and the user, authentication is carried out to the user.
Optionally, the computer executable instructions of storage medium storage are when being executed by processor, according to each describedThe corresponding target signature of Authentication Questions, is ranked up each Authentication Questions, comprising:
Obtain the marginal tribute for determining that obtained each target signature is directed to risk score value by classification, Reasons modelOffer desired value;Wherein, the classification, Reasons model is established based on Shapley Value method;The risk score value is the risk behaviorThe fractional value that identification model gives a mark to the degree of risk of the network behavior according to each special characteristic;
According to the sequence that the contributrion margin desired value of each target signature is descending, to each identityValidation problem is ranked up.
As it can be seen that through this embodiment, can determine the target signature for making the network behavior of user be judged as risk behavior,And Authentication Questions are determined based on target signature and authentication is carried out to user, flexibly determine that authentication is asked to reachThe effect for inscribing and carrying out to user authentication solves authentication process itself safety caused by Authentication Questions immobilizeIt is low, be easy the problem of being cracked, improve the safety of subscriber authentication.
It should be noted that the storage medium in the present embodiment can be realized each process of aforementioned auth method,And reach identical effect and function, it is not repeated herein.
In the 1990s, the improvement of a technology can be distinguished clearly be on hardware improvement (for example,Improvement to circuit structures such as diode, transistor, switches) or software on improvement (improvement for method flow).SoAnd with the development of technology, the improvement of current many method flows can be considered as directly improving for hardware circuit.Designer nearly all obtains corresponding hardware circuit by the way that improved method flow to be programmed into hardware circuit.CauseThis, it cannot be said that the improvement of a method flow cannot be realized with hardware entities module.For example, programmable logic device(Programmable Logic Device, PLD) (such as field programmable gate array (Field Programmable GateArray, FPGA)) it is exactly such a integrated circuit, logic function determines device programming by user.By designerVoluntarily programming comes a digital display circuit " integrated " on a piece of PLD, designs and makes without asking chip makerDedicated IC chip.Moreover, nowadays, substitution manually makes IC chip, this programming is also used instead mostly " is patrolledVolume compiler (logic compiler) " software realizes that software compiler used is similar when it writes with program development,And the source code before compiling also write by handy specific programming language, this is referred to as hardware description language(Hardware Description Language, HDL), and HDL is also not only a kind of, but there are many kind, such as ABEL(Advanced Boolean Expression Language)、AHDL(Altera Hardware DescriptionLanguage)、Confluence、CUPL(Cornell University Programming Language)、HDCal、JHDL(Java Hardware Description Language)、Lava、Lola、MyHDL、PALASM、RHDL(RubyHardware Description Language) etc., VHDL (Very-High-Speed is most generally used at presentIntegrated Circuit Hardware Description Language) and Verilog.Those skilled in the art also answerThis understands, it is only necessary to method flow slightly programming in logic and is programmed into integrated circuit with above-mentioned several hardware description languages,The hardware circuit for realizing the logical method process can be readily available.
Controller can be implemented in any suitable manner, for example, controller can take such as microprocessor or processingThe computer for the computer readable program code (such as software or firmware) that device and storage can be executed by (micro-) processor canRead medium, logic gate, switch, specific integrated circuit (Application Specific Integrated Circuit,ASIC), the form of programmable logic controller (PLC) and insertion microcontroller, the example of controller includes but is not limited to following microcontrollerDevice: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicone Labs C8051F320 are depositedMemory controller is also implemented as a part of the control logic of memory.It is also known in the art that in addition toPure computer readable program code mode is realized other than controller, can be made completely by the way that method and step is carried out programming in logicController is obtained to come in fact in the form of logic gate, switch, specific integrated circuit, programmable logic controller (PLC) and insertion microcontroller etc.Existing identical function.Therefore this controller is considered a kind of hardware component, and to including for realizing various in itThe device of function can also be considered as the structure in hardware component.Or even, it can will be regarded for realizing the device of various functionsFor either the software module of implementation method can be the structure in hardware component again.
System, device, module or the unit that above-described embodiment illustrates can specifically realize by computer chip or entity,Or it is realized by the product with certain function.It is a kind of typically to realize that equipment is computer.Specifically, computer for example may be usedThink personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media playIt is any in device, navigation equipment, electronic mail equipment, game console, tablet computer, wearable device or these equipmentThe combination of equipment.
For convenience of description, it is divided into various units when description apparatus above with function to describe respectively.Certainly, implementing thisThe function of each unit can be realized in the same or multiple software and or hardware when application.
It should be understood by those skilled in the art that, embodiments herein can provide as method, system or computer programProduct.Therefore, complete hardware embodiment, complete software embodiment or reality combining software and hardware aspects can be used in the applicationApply the form of example.Moreover, it wherein includes the computer of computer usable program code that the application, which can be used in one or more,The computer program implemented in usable storage medium (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.) producesThe form of product.
The application is referring to method, the process of equipment (system) and computer program product according to the embodiment of the present applicationFigure and/or block diagram describe.It should be understood that every one stream in flowchart and/or the block diagram can be realized by computer program instructionsThe combination of process and/or box in journey and/or box and flowchart and/or the block diagram.It can provide these computer programsInstruct the processor of general purpose computer, special purpose computer, Embedded Processor or other programmable data processing devices to produceA raw machine, so that being generated by the instruction that computer or the processor of other programmable data processing devices execute for realThe device for the function of being specified in present one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions, which may also be stored in, is able to guide computer or other programmable data processing devices with spyDetermine in the computer-readable memory that mode works, so that it includes referring to that instruction stored in the computer readable memory, which generates,Enable the manufacture of device, the command device realize in one box of one or more flows of the flowchart and/or block diagram orThe function of being specified in multiple boxes.
These computer program instructions also can be loaded onto a computer or other programmable data processing device, so that countingSeries of operation steps are executed on calculation machine or other programmable devices to generate computer implemented processing, thus in computer orThe instruction executed on other programmable devices is provided for realizing in one or more flows of the flowchart and/or block diagram oneThe step of function of being specified in a box or multiple boxes.
In a typical configuration, calculating equipment includes one or more processors (CPU), input/output interface, netNetwork interface and memory.
Memory may include the non-volatile memory in computer-readable medium, random access memory (RAM) and/orThe forms such as Nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM).Memory is computer-readable mediumExample.
Computer-readable medium includes permanent and non-permanent, removable and non-removable media can be by any methodOr technology come realize information store.Information can be computer readable instructions, data structure, the module of program or other data.The example of the storage medium of computer includes, but are not limited to phase change memory (PRAM), static random access memory (SRAM), movesState random access memory (DRAM), other kinds of random access memory (RAM), read-only memory (ROM), electric erasableProgrammable read only memory (EEPROM), flash memory or other memory techniques, read-only disc read only memory (CD-ROM) (CD-ROM),Digital versatile disc (DVD) or other optical storage, magnetic cassettes, tape magnetic disk storage or other magnetic storage devicesOr any other non-transmission medium, can be used for storage can be accessed by a computing device information.As defined in this article, it calculatesMachine readable medium does not include temporary computer readable media (transitory media), such as the data-signal and carrier wave of modulation.
It should also be noted that, the terms "include", "comprise" or its any other variant are intended to nonexcludabilityIt include so that the process, method, commodity or the equipment that include a series of elements not only include those elements, but also to wrapInclude other elements that are not explicitly listed, or further include for this process, method, commodity or equipment intrinsic wantElement.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that including described wantThere is also other identical elements in the process, method of element, commodity or equipment.
It will be understood by those skilled in the art that embodiments herein can provide as method, system or computer program product.Therefore, complete hardware embodiment, complete software embodiment or embodiment combining software and hardware aspects can be used in the applicationForm.It is deposited moreover, the application can be used to can be used in the computer that one or more wherein includes computer usable program codeThe shape for the computer program product implemented on storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory etc.)Formula.
The application can describe in the general context of computer-executable instructions executed by a computer, such as programModule.Generally, program module includes routines performing specific tasks or implementing specific abstract data types, programs, objects, groupPart, data structure etc..The application can also be practiced in a distributed computing environment, in these distributed computing environments, byTask is executed by the connected remote processing devices of communication network.In a distributed computing environment, program module can be withIn the local and remote computer storage media including storage equipment.
All the embodiments in this specification are described in a progressive manner, same and similar portion between each embodimentDividing may refer to each other, and each embodiment focuses on the differences from other embodiments.Especially for system realityFor applying example, since it is substantially similar to the method embodiment, so being described relatively simple, related place is referring to embodiment of the methodPart explanation.
The above description is only an example of the present application, is not intended to limit this application.For those skilled in the artFor, various changes and changes are possible in this application.All any modifications made within the spirit and principles of the present application are equalReplacement, improvement etc., should be included within the scope of the claims of this application.