A user identity authentication method, device, apparatus and storage medium

By receiving the first network topology map from the authentication terminal of the user to be authenticated to the network anchor server, and combining similarity calculation and terminal attribute information for identity authentication, the problem of low security and high cost of user identity authentication in the prior art is solved, and secure, convenient and efficient identity authentication is achieved.

CN116418555B · Active · Publication Date: 2026-06-16 · DATA SPACE RES INST

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
DATA SPACE RES INST
Filing Date
2023-01-12
Publication Date
2026-06-16


Abstract

The application discloses a user identity authentication method, device, equipment and storage medium. The method comprises the following steps: receiving the first network topology graph from the authentication terminal of the user to be authenticated to a pre-set network anchor point server, wherein the network anchor point server is used to determine the position of the user in the network space; calculating the similarity value between the first network topology graph and a plurality of pre-stored network topology graphs according to a pre-defined similarity calculation formula; and performing identity credibility authentication on the user to be authenticated according to the similarity value, the newly received attribute information of the terminal where the user to be authenticated is located, and the attribute information of the terminal where the user to be authenticated is located that is associated with the plurality of pre-stored network topology graphs. By adopting the method provided by the application, a safe, convenient and efficient user identity authentication method can be provided without reducing the user operation experience.

Description

Technical Field

[0001] This invention belongs to the field of user identity authentication and information security, and specifically relates to a user identity authentication method, apparatus, device and storage medium.

Background Technology

[0002] With the development of digital information technologies such as the Internet, the Internet of Things, e-commerce, mobile payment, and social networks, various network system platforms have gradually permeated all aspects of everyone's life, work, and study. The relationship between the Internet and people is becoming increasingly close, bringing a lot of convenience to everyone in various aspects. However, the Internet is also a double-edged sword. While bringing convenience to people, it also brings more and more threats to everyone's privacy and information security.

[0003] In recent years, incidents of stolen online platform accounts leading to the leakage of personal or corporate confidential information and asset losses have been frequent. The main reason is that the commonly used identity authentication method is still based on username + password. Users using weak passwords, not changing passwords for extended periods, and some internet companies having their user account information stolen all contribute to the constant security risks facing users' personal online platform accounts. Some systems use biometric technologies for user authentication, such as fingerprint and facial recognition. These methods require the installation of fingerprint and facial recognition devices and their corresponding drivers on each login device. If a company has a large number of terminals that require fingerprint and facial recognition authentication, it needs to configure fingerprint and facial recognition devices and install corresponding drivers on each terminal, resulting in high hardware, software, and maintenance costs. Some user authentication methods rely on third-party devices, such as mobile phone SMS verification codes. The security of this method depends on the user having the phone in their possession; the system platform cannot detect this risk.

Summary of the Invention

[0004] In view of the shortcomings of the prior art described above, the purpose of this invention is to provide a user authentication method, apparatus, device and storage medium based on network topology to solve the above-mentioned technical problems.

[0005] To achieve the above and other related objectives, the present invention provides a user authentication method based on a network topology graph, comprising:

[0006] A first network topology map, from the authentication terminal of the user to be authenticated to a pre-set network anchor server, is received, wherein the network anchor server is used to determine the user's location in the network space;

[0007] The similarity value between the first network topology graph and several pre-stored network topology graphs is calculated according to a predefined similarity calculation formula.

[0008] The identity credibility of the user to be authenticated is verified based on the similarity value, the attribute information of the newly received terminal of the user to be authenticated, and the attribute information of the terminal of the user to be authenticated associated with the pre-stored network topology maps.

[0009] In an optional embodiment of the present invention, the step of performing identity credibility authentication on the user to be authenticated based on the similarity value, the newly received attribute information of the terminal where the user to be authenticated is located, and the attribute information of the terminal where the user to be authenticated is located associated with the pre-stored plurality of network topology maps specifically includes:

[0010] The maximum value among the aforementioned similarity values is selected as the confidence level for the current authentication action;

[0011] The confidence level of the current authentication behavior is compared with a predefined confidence threshold. When the confidence level of the current authentication behavior is greater than the predefined confidence threshold:

[0012] The attribute information of the newly received terminal of the user to be authenticated is compared with the attribute information of the terminal of the user to be authenticated associated with the second network topology map. If the comparison results are consistent, the authentication of the user to be authenticated is considered credible. The second network topology map is the one with the highest similarity to the first network topology map among several pre-stored network topology maps.

[0013] In an optional embodiment of the present invention, the step of performing identity credibility authentication on the user to be authenticated based on the similarity value, the newly received attribute information of the terminal where the user to be authenticated is located, and the attribute information of the terminal where the user to be authenticated is located associated with the pre-stored plurality of network topology maps specifically includes:

[0014] The maximum value among the aforementioned similarity values is selected as the confidence level for the current authentication action;

[0015] The confidence level of the current authentication behavior is compared with a predefined confidence threshold. When the confidence level of the current authentication behavior is less than or equal to the predefined confidence threshold:

[0016] The attribute information of the terminal where the newly received user to be authenticated is located is compared with the attribute information of the terminal where the user to be authenticated is located associated with the second network topology map. The second network topology map is the one with the highest similarity to the first network topology map among several pre-stored network topology maps.

[0017] When the comparison results are consistent, and when the user to be authenticated passes multi-factor authentication, the first network topology map is marked as trustworthy, and the first network topology map is associated with and stored with the attribute information of the terminal where the newly received user to be authenticated is located.

[0018] In an optional embodiment of the present invention, the process of obtaining the first network topology map specifically includes:

[0019] The authentication terminal uses a route-tracing tool to initiate a network probe to the anchor server in order to obtain the first network topology map.

[0020] In an optional embodiment of the present invention, the method further includes: when the current authentication is initiated by a user for the first time, using a multi-factor authentication method to authenticate the user to be authenticated;

[0021] If authentication is successful, the authentication server marks the first network topology map as trustworthy and associates and stores the first network topology map with the attribute information of the terminal of the newly received user to be authenticated.

[0022] In an optional embodiment of the present invention, the information of the user's terminal includes IP address, MAC address and operating system information.

[0023] In an optional embodiment of the present invention, the predefined similarity formula is:

[0024]

[0025] Where α, β, γ, θ0, θ1, and θ2 are all parameters.

[0026] This is a distance calculation function based on the Autonomous System Number (ASN) of the IP address.

[0027] This is a distance calculation function based on the geographical location corresponding to an IP address.

[0028] This is a distance calculation function based on the network address corresponding to the IP address.

[0029] This is a distance calculation function based on the address of the relationships between nodes in the topology graph.

[0030] where v_i is a node in one of the two topology graphs being compared and v_j is a node in the other.

[0031] To achieve the above and other related objectives, the present invention also provides a user authentication device, comprising:

[0032] The topology receiving module is used to receive a first network topology map from the authentication terminal of the user to be authenticated to a pre-set network anchor server, wherein the network anchor server is used to determine the user's location in the network space.

[0033] The similarity calculation module is used to calculate the similarity value between the first network topology graph and several pre-stored network topology graphs according to a predefined similarity calculation formula.

[0034] The user identity authentication module is used to authenticate the identity credibility of the user to be authenticated based on the similarity value, the attribute information of the newly received terminal of the user to be authenticated, and the attribute information of the terminal of the user to be authenticated associated with the pre-stored network topology graphs.

[0035] This application also provides an electronic device, the electronic device comprising:

[0036] One or more processors;

[0037] A storage device for storing one or more programs that, when executed by one or more processors, cause the electronic device to implement the user authentication method as described in any of the preceding descriptions.

[0038] This application also provides a storage medium storing a computer program thereon, which, when executed by a computer's processor, causes the computer to perform the user authentication method as described in any one of the above descriptions.

[0039] As described above, this application provides a user authentication method, apparatus, device, and storage medium, which has the following beneficial effects:

[0040] This application first receives a first network topology map from the authentication terminal of the user to be authenticated to a pre-set network anchor server, wherein the network anchor server is used to determine the user's location in cyberspace; then, it calculates the similarity value between the first network topology map and several pre-stored network topology maps according to a predefined similarity calculation formula; finally, it performs identity credibility authentication on the user to be authenticated based on the similarity value, the newly received attribute information of the terminal of the user to be authenticated, and the attribute information of the terminal of the user to be authenticated associated with the several pre-stored network topology maps. Using the authentication method provided by this application, a secure, convenient, and efficient user identity authentication method can be provided without degrading the user's operating experience.

Description of the Drawings

[0041] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application. It is obvious that the drawings described below are merely some embodiments of this application, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort. In the drawings:

[0042] Figure 1 is a flowchart of a user authentication method provided in an exemplary embodiment of this application.

[0043] Figure 2 is a block diagram of a user authentication apparatus provided in an exemplary embodiment of this application.

[0044] Figure 3 is a schematic diagram of the structure of a computer device provided in an exemplary embodiment of this application.

Detailed Description

[0045] The following specific examples illustrate the implementation of the present invention. Those skilled in the art can easily understand other advantages and effects of the present invention from the content disclosed in this specification. The present invention can also be implemented or applied through other different specific embodiments, and various details in this specification can also be modified or changed based on different viewpoints and applications without departing from the spirit of the present invention.

[0046] It should be noted that the illustrations provided in this embodiment are only schematic representations of the basic concept of the present invention. Therefore, the drawings only show the components related to the present invention and are not drawn according to the actual number, shape and size of the components in the actual implementation. In the actual implementation, the form, quantity and proportion of each component can be arbitrarily changed, and the layout of the components may also be more complex.

[0047] Referring to Figure 1, which is a flowchart of a user authentication method provided in an embodiment of this application: in an exemplary embodiment, as shown in Figure 1, this embodiment provides a user authentication method comprising the following steps:

[0048] S110, receiving the first network topology map from the authentication terminal of the user to be authenticated to a pre-set network anchor server, wherein the network anchor server is used to determine the user's location in the network space.

[0049] In this embodiment, the anchor server is fixed in the network space and is used to determine the location of the user to be authenticated in the network space. When the user's network environment changes, the user's relative position with respect to the anchor server also changes.

[0050] In an exemplary embodiment of this application, the process of setting up the network anchor server is as follows:

[0051] Set up N network anchor servers in the public network space, with IP addresses IP_Anchor_01, IP_Anchor_02...IP_Anchor_N respectively, and any IP_Anchor can reach the authentication terminal Auth_Client of the user to be authenticated.

[0052] In this embodiment, the authentication terminal Auth_Client obtains the first network topology map through a route-tracing tool, which can be traceroute (called tracepath in Linux systems and tracert in Windows systems). Specifically:

[0053] The authentication terminal constructs a UDP packet with a TTL of 1 and sends it to IP_Anchor_01. When this UDP packet passes through the first-hop router, the router node Router_Vertex_Step_01 decrements the TTL by 1, which brings the TTL of the probe packet to 0, so the router discards the UDP packet and sends an ICMP message back to the authentication terminal indicating that IP_Anchor_01 is unreachable. When the authentication terminal receives the ICMP message from the router node Router_Vertex_Step_01, the authentication terminal Auth_Client records the IP address of the router node Router_Vertex_Step_01 and the round-trip time Timecost_Auth_Client_Router_Vertex_Step_01. Similarly, the authentication terminal constructs a UDP packet with a TTL of 2 and repeats the above operation, continuing until Router_Vertex_Step_N is the network anchor server IP_Anchor_01 itself. The same operation is repeated for all N network anchor servers, thereby obtaining the network topology state of the authentication terminal Auth_Client at the moment this login is initiated, namely the first network topology graph topology_cur from the authentication terminal Auth_Client to the N network anchor servers.

[0054] Once the authentication terminal Auth_Client obtains the first network topology map, it sends the first network topology map to the authentication server Auth_Server.
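As an added illustration of how Auth_Client could assemble topology_cur from the per-anchor probes described above (example code, not the patent's own): it parses the text output of the system traceroute tool, one run per anchor, rather than sending the TTL-limited probes itself, and the traceroute transcripts, anchor addresses and the `Hop`, `build_topology` and `serialize` names are constructed for this example.

```python
"""Hop collection of paragraph [0053] on the Auth_Client side; an added
example, not the patent's own code.  It parses traceroute text output into
topology_cur instead of sending TTL-limited UDP probes itself, which would
need raw-socket privileges.  The transcripts below are constructed."""
import json
import re
from typing import Dict, List, NamedTuple, Optional


class Hop(NamedTuple):
    step: int                 # Router_Vertex_Step_k
    ip: Optional[str]         # None when the hop stayed silent ("* * *")
    rtt_ms: Optional[float]   # Timecost_Auth_Client_Router_Vertex_Step_k (first probe)


# Matches " 2  192.0.2.1 (192.0.2.1)  1.204 ms ..." and " 1  gateway (10.0.0.1)  0.512 ms ..."
_HOP_RE = re.compile(
    r"^\s*(\d+)\s+(?:\S+\s+)?\(?(\d{1,3}(?:\.\d{1,3}){3})\)?\s+([\d.]+) ms")
# Matches a hop that answered none of the probes: " 3  * * *"
_SILENT_RE = re.compile(r"^\s*(\d+)\s+\*")


def parse_traceroute(text: str) -> List[Hop]:
    """Ordered hops of one traceroute run; the banner line is skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m.group(1)), m.group(2), float(m.group(3))))
            continue
        m = _SILENT_RE.match(line)
        if m:
            hops.append(Hop(int(m.group(1)), None, None))
    return hops


def reached_anchor(hops: List[Hop], anchor_ip: str) -> bool:
    """[0053] stops when Router_Vertex_Step_N is the anchor server itself."""
    return bool(hops) and hops[-1].ip == anchor_ip


def build_topology(runs: Dict[str, str]) -> Dict[str, List[Hop]]:
    """topology_cur: anchor IP -> hop list; a run that never reaches its anchor
    is rejected rather than stored as a truncated path."""
    topology: Dict[str, List[Hop]] = {}
    for anchor_ip, text in runs.items():
        hops = parse_traceroute(text)
        if not reached_anchor(hops, anchor_ip):
            raise ValueError(f"probe to {anchor_ip} did not reach the anchor")
        topology[anchor_ip] = hops
    return topology


def serialize(topology: Dict[str, List[Hop]]) -> str:
    """JSON body the terminal would send to Auth_Server ([0054])."""
    return json.dumps({a: [h._asdict() for h in hops] for a, hops in topology.items()},
                      sort_keys=True)


# Constructed transcripts of two traceroute runs (documentation address ranges).
TRACE_ANCHOR_01 = """\
traceroute to 203.0.113.5 (203.0.113.5), 30 hops max, 60 byte packets
 1  gateway (10.0.0.1)  0.512 ms  0.480 ms  0.455 ms
 2  192.0.2.1 (192.0.2.1)  1.204 ms  1.180 ms  1.155 ms
 3  * * *
 4  198.51.100.9 (198.51.100.9)  9.731 ms  9.702 ms  9.688 ms
 5  203.0.113.5 (203.0.113.5)  14.010 ms  13.988 ms  13.950 ms
"""
TRACE_ANCHOR_02 = """\
traceroute to 203.0.113.77 (203.0.113.77), 30 hops max, 60 byte packets
 1  gateway (10.0.0.1)  0.498 ms  0.471 ms  0.450 ms
 2  192.0.2.1 (192.0.2.1)  1.190 ms  1.171 ms  1.160 ms
 3  198.51.100.23 (198.51.100.23)  7.402 ms  7.388 ms  7.371 ms
 4  203.0.113.77 (203.0.113.77)  12.115 ms  12.090 ms  12.073 ms
"""
RUNS = {"203.0.113.5": TRACE_ANCHOR_01, "203.0.113.77": TRACE_ANCHOR_02}

if __name__ == "__main__":
    print(serialize(build_topology(RUNS)))
```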

[0055] S120, calculate the similarity value between the first network topology graph and several pre-stored network topology graphs according to a predefined similarity calculation formula.

[0056] First, it should be noted that the pre-stored network topology maps refer to multiple network topology maps from the authentication terminal of the user to be authenticated to the anchor server, which were previously collected.

[0057] In this embodiment, the authentication server will compare the newly received first network topology graph topology_cur with several network topology graphs topology_i stored in the authentication server for the user's authentication terminal to the anchor server one by one to obtain the topology_i_max among the topology_i that has the highest similarity to the first network topology graph topology_cur.

[0058] In an exemplary embodiment of this application, the predefined similarity calculation formula is:

[0059]

[0060] Where α, β, γ, θ0, θ1, and θ2 are all parameters.

[0061] This is a distance calculation function based on the Autonomous System Number (ASN) of the IP address.

[0062] This is a distance calculation function based on the geographical location corresponding to an IP address.

[0063] This is a distance calculation function based on the network address corresponding to the IP address.

[0064] This is a distance calculation function based on the address of the relationships between nodes in the topology graph.

[0065] where v_i is a node in one of the two topology graphs being compared and v_j is a node in the other.

[0066] S130, the identity credibility authentication of the user to be authenticated is performed based on the similarity value, the attribute information of the newly received terminal of the user to be authenticated, and the attribute information of the terminal of the user to be authenticated associated with the pre-stored network topology maps.

[0067] First, it should be noted that in this embodiment, the attribute information of the user's terminal includes: IP address, MAC address, and operating system (OS) information. When the user initiates a login authentication request to the service address IP_Service for the first time using the authentication terminal Auth_Client, the authentication terminal Auth_Client sends the collected IP address, MAC address, and OS information of the user's terminal to the authentication server Auth_Server. On Windows systems, the authentication terminal can obtain the IP address and MAC address using the ipconfig command; on Linux systems, the authentication terminal can obtain the IP address and MAC address using tools such as ifconfig and ip. On Windows, wmic cpu is used to obtain the OS; on Linux systems, lscpu is used.

[0068] In an exemplary embodiment of this application, the identity credibility authentication of the user to be authenticated is performed based on the similarity value, the newly received attribute information of the terminal where the user to be authenticated is located, and the attribute information of the terminal where the user to be authenticated is located associated with the pre-stored plurality of network topology maps. Specifically, this includes:

[0069] The maximum value among the aforementioned similarity values is selected as the confidence level for the current authentication action;

[0070] The confidence level of the current authentication behavior is compared with a predefined confidence threshold. When the confidence level of the current authentication behavior is less than or equal to the predefined confidence threshold:

[0071] The attribute information of the newly received terminal of the user to be authenticated is compared with the attribute information of the terminal of the user to be authenticated associated with the second network topology map. The second network topology map is the one with the highest similarity to the first network topology map among several pre-stored network topology maps.

[0072] When the comparison results are consistent, and when the user to be authenticated passes the multi-factor authentication, the first network topology map is marked as trustworthy, and the first network topology map is associated with and stored with the attribute information of the terminal where the newly received user to be authenticated is located.

[0073] If the comparison results are inconsistent and/or the user fails multi-factor authentication, the authentication will fail.

[0074] In another exemplary embodiment of this application, the identity credibility authentication of the user to be authenticated is performed based on the similarity value, the attribute information of the newly received terminal of the user to be authenticated, and the attribute information of the terminal of the user to be authenticated associated with the pre-stored plurality of network topology maps. Specifically, this includes:

[0075] The maximum value among the aforementioned similarity values is selected as the confidence level for the current authentication action;

[0076] The confidence level of the current authentication behavior is compared with a predefined confidence threshold. When the confidence level of the current authentication behavior is less than or equal to the predefined confidence threshold:

[0077] The attribute information of the newly received terminal of the user to be authenticated is compared with the attribute information of the terminal of the user to be authenticated associated with the second network topology map. The second network topology map is the one with the highest similarity to the first network topology map among several pre-stored network topology maps.

[0078] When the comparison results are consistent, and when the user to be authenticated passes the multi-factor authentication, the first network topology map is marked as trustworthy, and the first network topology map is associated with and stored with the attribute information of the terminal where the newly received user to be authenticated is located.

[0079] If the comparison results are inconsistent and/or the user fails multi-factor authentication, the authentication will fail.

[0080] In this embodiment, the multi-factor authentication includes SMS verification code verification, email verification, fingerprint verification, and facial recognition verification.

[0081] Finally, it should be noted that in one embodiment of this application, when the current authentication is initiated by the user for the first time, the user authentication method further includes:

[0082] A multi-factor authentication method is used to authenticate users.

[0083] If authentication is successful, the authentication server marks the first network topology map as trusted, associates it with the attribute information of the terminal where the user to be authenticated is located, and stores the first network topology map and the attribute information of the terminal where the user to be authenticated is located associated with the first network topology map.
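The decision logic of S120 and S130, including the first-login path just described, as an added example that is not the patent's own code: since the page does not reproduce the similarity formula, `similarity()` is a stand-in (mean Jaccard overlap of the per-anchor hop sets), and the threshold, topologies, terminal attributes and the `AuthServer` name are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Topology = Dict[str, List[str]]   # anchor IP -> ordered router IPs on the path to it
Attrs = Dict[str, str]            # terminal attributes of [0067]: "ip", "mac", "os"

CONFIDENCE_THRESHOLD = 0.7        # constructed; the patent only says "predefined"


def similarity(t_cur: Topology, t_i: Topology) -> float:
    """Stand-in for the patent's formula, which the page does not reproduce:
    mean over anchors of the Jaccard overlap of the two hop sets (0.0 to 1.0)."""
    anchors = set(t_cur) | set(t_i)
    if not anchors:
        return 0.0
    total = 0.0
    for a in anchors:
        cur, old = set(t_cur.get(a, ())), set(t_i.get(a, ()))
        union = cur | old
        total += len(cur & old) / len(union) if union else 1.0
    return total / len(anchors)


@dataclass
class AuthServer:
    """Auth_Server side of S120/S130 with its store of trusted topologies."""
    threshold: float = CONFIDENCE_THRESHOLD
    trusted: List[Tuple[Topology, Attrs]] = field(default_factory=list)

    def _enrol(self, topology: Topology, attrs: Attrs) -> None:
        # Mark topology_cur trustworthy and store it with the terminal attributes.
        self.trusted.append((dict(topology), dict(attrs)))

    def authenticate(self, topology_cur: Topology, attrs: Attrs,
                     mfa_passed: Optional[bool] = None) -> str:
        """Return "credible", "credible-mfa" or "failed".  mfa_passed is the
        outcome of the separate multi-factor step ([0080]); None means the
        caller has not performed it."""
        # First login ([0081]-[0083]): nothing to compare, so MFA alone decides.
        if not self.trusted:
            if mfa_passed:
                self._enrol(topology_cur, attrs)
                return "credible-mfa"
            return "failed"

        # S120: score topology_cur against every stored topology_i; the best
        # match is topology_i_max and its score is the confidence ([0010]).
        confidence, best_attrs = max(
            ((similarity(topology_cur, t_i), a_i) for t_i, a_i in self.trusted),
            key=lambda scored: scored[0])

        # Both branches compare the attributes with the record behind topology_i_max.
        if any(attrs.get(k) != best_attrs.get(k) for k in ("ip", "mac", "os")):
            return "failed"

        # [0011]-[0012]: high confidence with consistent attributes is credible.
        if confidence > self.threshold:
            return "credible"

        # [0015]-[0017]: low confidence, so MFA decides; on success the new
        # topology is learned and the next login from this place scores high.
        if mfa_passed:
            self._enrol(topology_cur, attrs)
            return "credible-mfa"
        return "failed"


# Constructed sample data (documentation address ranges): the usual office
# paths, the same paths with one transit hop changed, and paths from elsewhere.
OFFICE: Topology = {
    "203.0.113.5": ["10.0.0.1", "192.0.2.1", "198.51.100.9", "203.0.113.5"],
    "203.0.113.77": ["10.0.0.1", "192.0.2.1", "198.51.100.23", "203.0.113.77"],
}
OFFICE_SHIFT: Topology = {
    "203.0.113.5": ["10.0.0.1", "192.0.2.1", "198.51.100.10", "203.0.113.5"],
    "203.0.113.77": ["10.0.0.1", "192.0.2.1", "198.51.100.23", "203.0.113.77"],
}
ELSEWHERE: Topology = {
    "203.0.113.5": ["172.16.0.1", "192.0.2.200", "198.51.100.200", "203.0.113.5"],
    "203.0.113.77": ["172.16.0.1", "192.0.2.200", "198.51.100.201", "203.0.113.77"],
}
ATTRS: Attrs = {"ip": "10.0.0.42", "mac": "02:00:5e:00:53:01", "os": "Linux 6.1"}


def demo() -> List[str]:
    """Run six logins through one server and return the verdicts in order."""
    srv = AuthServer()
    return [
        srv.authenticate(OFFICE, ATTRS, mfa_passed=True),       # first login, MFA
        srv.authenticate(OFFICE, ATTRS),                        # same place again
        srv.authenticate(OFFICE_SHIFT, ATTRS),                  # one hop changed
        srv.authenticate(ELSEWHERE, ATTRS),                     # new place, no MFA
        srv.authenticate(ELSEWHERE, ATTRS, mfa_passed=True),    # new place, MFA
        srv.authenticate(ELSEWHERE, {**ATTRS, "mac": "02:00:5e:00:53:99"}),
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

The sixth login shows why the attribute check runs in both branches: a topology identical to a trusted one is not enough when the terminal's MAC differs from the one stored with it.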

[0084] In summary, the user authentication method provided in this application first receives a first network topology map from the authentication terminal of the user to be authenticated to a pre-defined network anchor server, wherein the network anchor server is used to determine the user's location in the network space; then, it calculates the similarity value between the first network topology map and several pre-stored network topology maps according to a predefined similarity calculation formula; finally, it performs identity trustworthiness authentication on the user to be authenticated based on the similarity value, the attribute information of the user's terminal associated with the first network topology map, and the attribute information of the user's terminal associated with the several pre-stored network topology maps. Using the authentication method provided in this application, a secure, convenient, and efficient user authentication method can be provided without degrading the user's operating experience.

[0085] This application embodiment also provides a user authentication device 200, which includes: a topology map receiving module 201, a similarity calculation module 202, and a user authentication module 203. The topology map receiving module 201 receives a first network topology map from the authentication terminal of the user to be authenticated to a pre-set network anchor server, wherein the network anchor server is used to determine the user's location in the network space. The similarity calculation module 202 calculates the similarity value between the first network topology map and several pre-stored network topology maps according to a predefined similarity calculation formula. The user authentication module 203 authenticates the user's identity based on the similarity value, newly received attribute information of the terminal of the user to be authenticated, and attribute information of the terminal of the user to be authenticated associated with the several pre-stored network topology maps.

[0086] It should be noted that the user authentication device and the user authentication method provided in the above embodiments belong to the same concept. The specific ways in which each module and unit performs its operations have been described in detail in the method embodiments and will not be repeated here. In practical applications, the user authentication device provided in the above embodiments can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. This is not a limitation here.

[0087] This application also provides a computer device, which may include: one or more processors; and one or more machine-readable media storing instructions thereon, which, when executed by the one or more processors, cause the device to perform the method described in Figure 1. Figure 3 is a schematic diagram of the structure of a computer device 300. As shown in Figure 3, the computer device 300 includes: a processor 310, a memory 320, a power supply 330, a display unit 340, and an input unit 360.

[0088] Processor 310 is the control center of computer device 300. It connects various components via interfaces and lines, and executes various functions of computer device 300 by running or executing software programs and/or data stored in memory 320, thereby providing overall monitoring of computer device 300. In this embodiment, when processor 310 calls a computer program stored in memory 320, it executes the method described in Figure 1. Optionally, processor 310 may include one or more processing units; preferably, processor 310 may integrate an application processor and a modem processor, wherein the application processor mainly handles the operating system, user interface, and applications, and the modem processor mainly handles wireless communication. In some embodiments, the processor and memory may be implemented on a single chip; in some embodiments, they may also be implemented on separate chips.

[0089] The memory 320 may primarily include a program storage area and a data storage area. The program storage area may store the operating system, various applications, etc.; the data storage area may store data created based on the use of the computer device 300, etc. In addition, the memory 320 may include high-speed random access memory, and may also include non-volatile memory, such as at least one disk storage device, flash memory device, or other volatile solid-state storage device.

[0090] The computer device 300 also includes a power supply 330 (such as a battery) that supplies power to various components. The power supply can be logically connected to the processor 310 through a power management system, thereby enabling the management of charging, discharging, and power consumption.

[0091] The display unit 340 can be used to display information input by the user or information provided to the user, as well as various menus of the computer device 300. In this embodiment, it is mainly used to display the display interfaces of various applications in the computer device 300, and the text, pictures, and other objects displayed on the display interfaces. The display unit 340 may include a display panel 350. The display panel 350 may be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED), or the like.

[0092] The input unit 360 can be used to receive information such as numbers or characters input by the user. The input unit 360 may include a touch panel 370 and other input devices 380. The touch panel 370, also known as a touch screen, can collect touch operations on or near the touch panel 370 by the user (such as operations performed by the user using a finger, stylus, or any suitable object or accessory on or near the touch panel 370).

[0093] Specifically, the touch panel 370 can detect user touch operations and the signals generated by these operations, convert them into touch point coordinates, send them to the processor 310, and receive and execute commands from the processor 310. Furthermore, the touch panel 370 can be implemented using various types of sensors, including resistive, capacitive, infrared, and surface acoustic wave sensors. Other input devices 380 can include, but are not limited to, one or more of the following: a physical keyboard, function keys (such as volume control buttons, power buttons, etc.), a trackball, a mouse, and a joystick.

[0094] Of course, the touch panel 370 can cover the display panel 350. When the touch panel 370 detects a touch operation on or near it, it transmits the information to the processor 310 to determine the type of touch event. Subsequently, the processor 310 provides corresponding visual output on the display panel 350 based on the type of touch event. Although in the embodiment of Figure 3 the touch panel 370 and the display panel 350 are two separate components that realize the input and output functions of the computer device 300, in some embodiments the touch panel 370 and the display panel 350 can be integrated to realize the input and output functions of the computer device 300.

[0095] The computer device 300 may also include one or more sensors, such as pressure sensors, gravity acceleration sensors, proximity sensors, etc. Of course, depending on the specific application requirements, the computer device 300 may also include other components such as cameras.

[0096] This application also provides a computer-readable storage medium storing instructions that, when executed by one or more processors, enable the device to perform the method described in Figure 1.

[0097] It will be understood by those skilled in the art that Figure 3 is merely an example of a computer device and does not constitute a limitation on the device. The device may include more or fewer components than illustrated, a combination of certain components, or different components. For ease of description, the above sections are divided into modules (or units) according to their functions and described separately. Of course, in implementing this application, the functions of each module (or unit) can be implemented in one or more software or hardware components.

[0098] Those skilled in the art will understand that this application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code. This application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It should be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more processes and/or one or more blocks of Figure 1. These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more processes and/or one or more blocks of Figure 1. These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, so that the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more processes and/or one or more blocks of Figure 1.

[0099] The above description is merely a preferred embodiment of this application and an explanation of the technical principles used. Those skilled in the art should understand that the scope of this application is not limited to the technical solutions formed by the specific combination of the above-mentioned technical features, but also covers other technical solutions formed by any combination of the above-mentioned technical features or their equivalent features without departing from the inventive concept; for example, technical solutions formed by interchanging the above-mentioned features with technical features of similar function disclosed in (but not limited to) this application.

[0100] Apart from the technical features described in the specification, the other technical features are known to those skilled in the art. To highlight the innovative features of this invention, the other technical features will not be described in detail here.

Claims

1. A user authentication method, characterized in that it comprises:
receiving a first network topology map from the authentication terminal of the user to be authenticated to a pre-set network anchor server, wherein the network anchor server is used to determine the user's location in the network space;
calculating the similarity value between the first network topology graph and several pre-stored network topology graphs according to a predefined similarity calculation formula, wherein the predefined similarity formula is: wherein , , , , , are all parameters; is a distance calculation function based on the Autonomous System Number (ASN) of the IP address; is a distance calculation function based on the geographical location corresponding to the IP address; is a distance calculation function based on the network address corresponding to the IP address; is a distance calculation function based on the relationships between nodes in the topology graph; is a node, and is a node in ;
performing identity credibility authentication of the user to be authenticated based on the similarity value, the newly received attribute information of the terminal where the user to be authenticated is located, and the attribute information of the terminal where the user to be authenticated is located that is associated with the several pre-stored network topology maps, which specifically includes:
selecting the maximum value among the aforementioned similarity values as the confidence level of the current authentication action;
comparing the confidence level of the current authentication action with a predefined confidence threshold;
when the confidence level of the current authentication action is greater than the predefined confidence threshold, comparing the newly received attribute information of the terminal where the user to be authenticated is located with the attribute information of the terminal where the user to be authenticated is located that is associated with a second network topology map, the second network topology map being the one among the several pre-stored network topology maps with the highest similarity to the first network topology map, and, when the comparison results are consistent, the authentication of the user to be authenticated is trustworthy;
when the confidence level of the current authentication action is less than or equal to the predefined confidence threshold, comparing the newly received attribute information of the terminal where the user to be authenticated is located with the attribute information of the terminal where the user to be authenticated is located that is associated with the second network topology map, and, when the comparison results are consistent and the user to be authenticated passes multi-factor authentication, marking the first network topology map as trustworthy and associating and storing the first network topology map with the newly received attribute information of the terminal where the user to be authenticated is located.

2. The user authentication method according to claim 1, characterized in that the process of obtaining the first network topology map specifically includes: the authentication terminal uses a traceroute tool to initiate a network probe towards the anchor server in order to obtain the first network topology map.

3. The user authentication method according to claim 1, characterized in that the method further includes: when the current authentication is initiated by the user for the first time, authenticating the user to be authenticated using a multi-factor authentication method; if the authentication succeeds, the authentication server marks the first network topology map as trustworthy and associates and stores the first network topology map with the newly received attribute information of the terminal where the user to be authenticated is located.

4. The user authentication method according to claim 3, characterized in that the attribute information of the terminal where the user to be authenticated is located includes the IP address, the MAC address, and operating system information.

5. A user authentication device for implementing the method as described in claim 1, characterized in that it includes:
a topology receiving module, used to receive a first network topology map from the authentication terminal of the user to be authenticated to a pre-set network anchor server, wherein the network anchor server is used to determine the user's location in the network space;
a similarity calculation module, used to calculate the similarity value between the first network topology graph and several pre-stored network topology graphs according to a predefined similarity calculation formula;
a user identity authentication module, used to authenticate the identity credibility of the user to be authenticated based on the similarity value, the newly received attribute information of the terminal where the user to be authenticated is located, and the attribute information of the terminal where the user to be authenticated is located that is associated with the pre-stored network topology graphs.

6. A device, characterized in that it includes: a processor; and a computer-readable medium storing instructions that, when executed by the processor, cause the device to perform the method as described in any one of claims 1 to 4.

7. A storage medium, characterized in that it stores instructions which, when loaded and executed by a processor, perform the method as described in any one of claims 1 to 4.
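The decision logic of claims 1, 3 and 4, as an added worked example that is not code from the patent or its assignee. The patent's own similarity formula does not survive in this text, so the block substitutes an assumed weighted hop-distance similarity (ASN, geographic region, network prefix, plus a path-length penalty standing in for the node-relationship term); the hop lists, ASNs, prefixes and terminal attributes are constructed sample data.

```python
from dataclasses import dataclass

# A hop of the probed path is (ASN, geographic region, network prefix); a
# topology map is the ordered hop list from the terminal to the anchor server
# (claim 2 obtains it with a traceroute-style probe; here it is constructed).
Hop = tuple

@dataclass
class StoredMap:
    hops: list            # path recorded at an earlier trusted authentication
    terminal: dict        # attribute info associated with it (ip, mac, os; claim 4)

def hop_distance(a: Hop, b: Hop, w=(0.4, 0.3, 0.3)) -> float:
    """Assumed stand-in for the per-node ASN / geo-location / network-address
    distance terms: 0 for identical hops, 1 for hops differing in every field."""
    return sum(wi * (0.0 if x == y else 1.0) for wi, x, y in zip(w, a, b))

def similarity(map_a: list, map_b: list) -> float:
    """Assumed similarity in [0, 1]: 1 minus the mean hop distance over aligned
    positions; unmatched trailing hops (path-length difference) each count as 1."""
    n = max(len(map_a), len(map_b))
    if n == 0:
        return 0.0
    dist = sum(hop_distance(a, b) for a, b in zip(map_a, map_b))
    dist += abs(len(map_a) - len(map_b))
    return 1.0 - dist / n

ATTRS = ("ip", "mac", "os")   # terminal attributes compared per claim 4

def authenticate(first_map, terminal, stored, threshold, mfa_passed):
    """Decision logic of claims 1 and 3. Returns (trusted, enrolled_new_map)."""
    if not stored:                      # first authentication: MFA only (claim 3)
        if mfa_passed:
            stored.append(StoredMap(list(first_map), dict(terminal)))
        return mfa_passed, mfa_passed
    scores = [similarity(first_map, s.hops) for s in stored]
    confidence = max(scores)            # highest similarity = confidence level
    best = stored[scores.index(confidence)]   # the "second network topology map"
    attrs_match = all(terminal.get(k) == best.terminal.get(k) for k in ATTRS)
    if confidence > threshold:
        return attrs_match, False       # familiar path: attributes alone decide
    if attrs_match and mfa_passed:      # unfamiliar path: step up to MFA, then enrol
        stored.append(StoredMap(list(first_map), dict(terminal)))
        return True, True
    return False, False

def sample_store():
    """Constructed sample: one trusted three-hop path and its terminal attributes."""
    hops = [(64500, "EU", "10.0.0.0/8"), (64501, "EU", "192.0.2.0/24"),
            (64502, "EU", "198.51.100.0/24")]
    return [StoredMap(hops, {"ip": "192.0.2.10", "mac": "aa:bb:cc:dd:ee:01", "os": "Linux 6.1"})]
```

A path whose middle hop moves to a different ASN, region and prefix scores 2/3 against the stored path, which with a threshold of 0.7 forces the multi-factor step before the new map is enrolled; once enrolled, the same path scores 1.0 and attributes alone decide.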