Security authentication method and device, electronic equipment and computer readable storage medium

By combining physical tokens with interactive behavior features, a dual authentication mechanism is established, which solves the problem of insufficient security of traditional identity authentication in high-risk environments and achieves high security and seamless authentication experience for computer systems.

CN122160140APending Publication Date: 2026-06-05INSPUR (SHANDONG) COMPUTER TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
INSPUR (SHANDONG) COMPUTER TECH CO LTD
Filing Date
2026-03-13
Publication Date
2026-06-05

Smart Images

  • Figure CN122160140A_ABST
    Figure CN122160140A_ABST
Patent Text Reader

Abstract

The application discloses a security authentication method and device, electronic equipment and a computer readable storage medium, which are applied to a computer system. The method comprises the following steps: obtaining token information of a physical token corresponding to an authentication object, and performing bidirectional authentication on the token information and the physical token; when the bidirectional authentication is passed, obtaining an interactive behavior data stream of the authentication object about the computer system, and generating an interactive behavior feature sequence of the authentication object according to the interactive behavior data stream; determining an interactive behavior feature code corresponding to each interactive behavior feature in the interactive behavior feature sequence by using an interactive behavior clustering code corresponding to the authentication object, so as to generate an interactive behavior feature code sequence; processing the interactive behavior feature code sequence by using an interactive behavior sequence model corresponding to the authentication object, to obtain a compliance probability of the interactive behavior data stream; and determining a security authentication result of the authentication object according to the compliance probability. The present scheme can realize more secure and effective identity authentication, and further ensure the security performance of the computer system.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of computer security technology, and in particular to a security authentication method, as well as a security authentication device, electronic device, and computer-readable storage medium. Background Technology

[0002] With increasing informatization, traditional one-time, static authentication mechanisms (such as username / password, one-time tokens, etc.) are no longer sufficient to cope with increasingly complex network threats, especially in high-risk environments or sensitive operations. Therefore, how to achieve more secure and effective authentication to ensure system security is a problem that urgently needs to be solved by those skilled in the art. Summary of the Invention

[0003] The purpose of this application is to provide a secure authentication method that can achieve more secure and effective identity authentication, further ensuring the security performance of computer systems; another purpose of this application is to provide a secure authentication device, electronic device, computer-readable storage medium, and computer program product, all of which have the above-mentioned beneficial effects.

[0004] Firstly, this application provides a security authentication method applied to a computer system, comprising:

[0005] Obtain the token information corresponding to the physical token of the authentication object, and perform two-way authentication with the physical token using the token information;

[0006] When two-way authentication is successful, the interaction behavior data stream of the authenticated object with respect to the computer system is obtained, and the interaction behavior feature sequence of the authenticated object is generated based on the interaction behavior data stream;

[0007] The interaction behavior feature code corresponding to each interaction behavior feature in the interaction behavior feature sequence is determined by using the interaction behavior clustering codebook corresponding to the authentication object, so as to generate an interaction behavior feature code sequence.

[0008] The interaction behavior feature code sequence is processed using the interaction behavior sequence model corresponding to the authentication object to obtain the compliance probability of the interaction behavior data stream;

[0009] The security authentication result of the authentication object is determined based on the compliance probability.

[0010] Optionally, the training process of the interaction behavior clustering codebook includes:

[0011] Obtain interaction behavior data samples of the authentication object with respect to the computer system, and generate an interaction behavior feature sample sequence of the authentication object based on the interaction behavior data samples;

[0012] Each interactive behavior feature sample in the interactive behavior feature sample sequence is standardized to obtain each standard feature sample.

[0013] Clustering algorithms are used to cluster the standard feature samples to obtain multiple cluster centers;

[0014] A unique discrete code is assigned to each of the cluster centers to obtain the cluster codebook for the interaction behavior.

[0015] Optionally, the training process of the interaction behavior sequence model includes:

[0016] The interactive behavior feature sample sequence is divided into multiple interactive behavior feature sample sub-sequences;

[0017] The interaction behavior clustering codebook is used to determine the interaction behavior feature code sample corresponding to each interaction behavior feature sample in each interaction behavior feature sample subsequence, so as to generate the interaction behavior feature code sample subsequence corresponding to each interaction behavior feature sample subsequence.

[0018] Construct a hidden Markov model that includes hidden states of various interactive behaviors;

[0019] By combining the Hidden Markov Model parameter estimation algorithm, the Hidden Markov Model is trained using the sample subsequences of each interaction behavior feature code to obtain the interaction behavior sequence model.

[0020] Optionally, two-way authentication is performed using the token information and the physical token, including:

[0021] When the token information matches the preset whitelist, the token information and the physical token are used for two-way authentication.

[0022] When the token information does not match the preset whitelist, a security authentication failure message is output.

[0023] Optionally, two-way authentication is performed using the token information and the physical token, including:

[0024] The system internal dedicated driver corresponding to the token information is determined, and the first random number and the second random number are generated using the system internal dedicated driver;

[0025] The first random number and the second random number are sent to the physical token, so that the physical token performs a signature process on the first random number to obtain a signature result, and performs a hash operation on the second random number to obtain a random password;

[0026] The system receives the signature result and the random password fed back by the physical token. When the signature result is verified, the system uses the random password to perform the initial login to the computer system.

[0027] Optionally, acquiring the interaction behavior data stream of the authentication object with respect to the computer system, and generating the interaction behavior feature sequence of the authentication object based on the interaction behavior data stream, includes:

[0028] Acquire the data stream of the authentication object's interactive behavior with the computer system within a preset time period;

[0029] Generate the interaction behavior characteristics of the authenticated object within multiple time windows based on the interaction behavior data stream;

[0030] The interaction behavior feature sequence is generated using the interaction behavior features within each time window;

[0031] The time windows are all of equal length, and the number of time windows is the ratio between the length of the preset time period and the length of the time window.

[0032] Optionally, determining the security authentication result of the authentication object based on the compliance probability includes:

[0033] The compliance probability is converted into an initial trust score using preset conversion rules;

[0034] The initial trust score is smoothed to obtain the target trust score;

[0035] The security authentication result of the authentication object is determined based on the comparison result between the target trust score and the security threshold range.

[0036] Secondly, this application discloses a security authentication device applied to a computer system, comprising:

[0037] The two-way authentication module is used to obtain the token information of the physical token corresponding to the authentication object, and to perform two-way authentication with the physical token using the token information;

[0038] The data acquisition module is used to acquire the interaction behavior data stream of the authentication object with respect to the computer system when the two-way authentication is successful, and to generate the interaction behavior feature sequence of the authentication object based on the interaction behavior data stream;

[0039] The feature matching module is used to determine the interaction behavior feature code corresponding to each interaction behavior feature in the interaction behavior feature sequence by using the interaction behavior clustering codebook corresponding to the authentication object, so as to generate an interaction behavior feature code sequence.

[0040] The model processing module is used to process the interaction behavior feature code sequence using the interaction behavior sequence model corresponding to the authentication object to obtain the compliance probability of the interaction behavior data stream.

[0041] The result determination module is used to determine the security authentication result of the authentication object based on the compliance probability.

[0042] Thirdly, this application discloses an electronic device, including:

[0043] Memory, used to store computer programs;

[0044] A processor for executing the computer program to implement any of the security authentication methods described above.

[0045] Fourthly, this application discloses a computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of any of the security authentication methods described above.

[0046] Fifthly, this application discloses a computer program product, including a computer program / instructions, which, when executed by a processor, implement the steps of any of the security authentication methods described above.

[0047] This application provides a security authentication method applied to a computer system, comprising: obtaining token information of a physical token corresponding to an authentication object; performing two-way authentication using the token information and the physical token; when the two-way authentication is successful, obtaining an interaction behavior data stream of the authentication object with respect to the computer system, and generating an interaction behavior feature sequence of the authentication object based on the interaction behavior data stream; determining the interaction behavior feature code corresponding to each interaction behavior feature in the interaction behavior feature sequence using an interaction behavior clustering codebook corresponding to the authentication object, thereby generating an interaction behavior feature code sequence; processing the interaction behavior feature code sequence using an interaction behavior sequence model corresponding to the authentication object to obtain the compliance probability of the interaction behavior data stream; and determining the security authentication result of the authentication object based on the compliance probability.

[0048] Applying the technical solution provided in this application, a dual authentication mechanism combining physical token authentication and interactive behavior feature authentication is offered for computer system login scenarios. First, the authentication target, i.e., the login target of the computer system, can perform two-way authentication with the computer system using a physical token. After successful two-way authentication, the authentication target's initial login to the computer system is achieved. Then, the interaction behavior data stream between the authentication target and the computer system is collected to extract the interaction behavior feature sequence of the authentication target. A two-layer modeling method of "interaction behavior clustering codebook + interaction behavior sequence model" is used to achieve the authentication of the interaction behavior feature of the authentication target, effectively improving the accuracy of interaction behavior feature authentication. Therefore, this technical solution, employing a dual authentication mechanism combining physical token authentication and interactive behavior feature authentication, achieves secure authentication in computer system login scenarios, effectively ensuring the security performance of the computer system. Furthermore, this secure authentication process is completely imperceptible to the authentication target, achieving a truly seamless authentication experience while maintaining a high level of security.

[0049] In one embodiment of this application, a combination of signature technology and random password generation technology is used in the two-way authentication process between the computer system and the physical token. This approach can effectively ensure the accuracy of the two-way authentication process, thereby achieving more secure and effective identity authentication and further guaranteeing the security performance of the computer system.

[0050] The security authentication device, electronic device, computer-readable storage medium, and computer program product provided in this application also have the above-mentioned technical effects, and will not be described in detail here. Attached Figure Description

[0051] To more clearly illustrate the technical solutions in the prior art and the embodiments of this application, the accompanying drawings used in the description of the prior art and the embodiments of this application will be briefly introduced below. Of course, the accompanying drawings described below with respect to the embodiments of this application are only a part of the embodiments in this application. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort, and such other drawings also fall within the protection scope of this application.

[0052] Figure 1 A flowchart illustrating a security authentication method provided in this application;

[0053] Figure 2 A flowchart illustrating another security authentication method provided in this application;

[0054] Figure 3 A schematic diagram of a security authentication device provided in this application;

[0055] Figure 4This is a schematic diagram of the structure of an electronic device provided in this application. Detailed Implementation

[0056] The core of this application is to provide a secure authentication method that can achieve more secure and effective identity authentication, further ensuring the security performance of computer systems; another core aspect of this application is to provide a secure authentication device, electronic device, computer-readable storage medium, and computer program product, all of which have the aforementioned beneficial effects.

[0057] To provide a clearer and more complete description of the technical solutions in the embodiments of this application, the technical solutions in the embodiments of this application will be described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this application, and not all of them. All other embodiments obtained by those skilled in the art based on the embodiments of this application without creative effort are within the scope of protection of this application.

[0058] This application provides a security authentication method.

[0059] Please refer to Figure 1 , Figure 1 This is a flowchart illustrating a security authentication method provided in this application, which may include the following steps S101 to S105.

[0060] S101: Obtain the token information corresponding to the physical token of the authentication object, and use the token information to perform two-way authentication with the physical token.

[0061] This step aims to achieve two-way authentication between the physical token of the authentication object and the computer system, enabling the initial login of the authentication object to the computer system. Specifically, the authentication object can insert its physical token into the computer system's USB port to establish a connection. The computer system can then detect the connection information and obtain the token information, thereby using this token information to achieve two-way authentication between the physical token and the computer system.

[0062] In one embodiment of this application, two-way authentication using token information and physical token may include: when the token information matches a preset whitelist, performing two-way authentication using the token information and physical token; when the token information does not match the preset whitelist, outputting a security authentication failure message.

[0063] To effectively improve security authentication efficiency and thus enhance the efficiency of computer system login for authenticated entities, the computer system can perform device authentication on the physical token before conducting two-way authentication with the physical token. This involves determining whether the physical token inserted into the computer system is legitimate. This process can be achieved using whitelist matching technology. When the token information matches a preset whitelist, the subsequent two-way authentication process can be performed using the token information and the physical token. If the token information does not match the preset whitelist, a security authentication failure message can be output. In one possible implementation, the token information may include, but is not limited to, the physical token's vendor ID (VID), product ID (PID), serial number, etc.

[0064] In one embodiment of this application, two-way authentication using token information and a physical token may include: determining the system-internal dedicated driver corresponding to the token information, and generating a first random number and a second random number using the system-internal dedicated driver; sending the first random number and the second random number to the physical token, so that the physical token performs signature processing on the first random number to obtain a signature result, and performs hash operation on the second random number to obtain a random password; receiving the signature result and the random password fed back by the physical token, and when the signature result is verified, using the random password to realize the initial login of the computer system.

[0065] Specifically, the system's internal dedicated driver, corresponding to the token information, generates two random numbers (a first random number and a second random number) and sends them to the physical token. The physical token then uses its internal, unreadable private key to digitally sign the first random number, obtaining a signature result. Simultaneously, it performs a hash operation on the second random number to generate a fixed-length random password. The signature result and the random password are then sent together to the computer system. The computer system can then use the public key corresponding to the aforementioned private key to verify the signature result. Upon successful verification, the random password enables the authenticated user to initially log in to the computer system. Conversely, if the signature verification fails, the authenticated user is not allowed to log in to the computer system, and the computer system will output a security authentication failure message.

[0066] Therefore, it can be seen that the implementation method of combining signature technology and random password generation technology in the two-way authentication process between the computer system and the physical token can effectively ensure the accuracy of the two-way authentication process, thereby achieving more secure and effective identity authentication and further ensuring the security performance of the computer system.

[0067] S102: When two-way authentication is successful, obtain the data stream of the authentication object's interaction behavior with the computer system, and generate the interaction behavior feature sequence of the authentication object based on the data stream.

[0068] This step aims to collect the interactive behavior data stream of the authenticated object after successful two-way authentication. This interactive behavior data stream refers to the interaction behavior data between the authenticated object and the computer system, such as raw input data from peripherals like the keyboard and mouse. Then, a sequence of interactive behavior features of the authenticated object is obtained through feature extraction. It can be understood that this sequence of interactive behavior features is intended to enable the subsequent authentication process of the computer system based on the interactive behavior features of the authenticated object. In one possible implementation, each interactive behavior feature in the sequence can specifically be a four-dimensional feature vector containing the average and standard deviation of keyboard key (press) time intervals and the average and standard deviation of mouse acceleration.

[0069] In one embodiment of this application, obtaining the interaction behavior data stream of the authentication object with respect to the computer system and generating the interaction behavior feature sequence of the authentication object based on the interaction behavior data stream may include: obtaining the interaction behavior data stream of the authentication object with respect to the computer system within a preset time period; generating the interaction behavior features of the authentication object within multiple time windows based on the interaction behavior data stream; and generating the interaction behavior feature sequence using the interaction behavior features within each time window; wherein, the time length of each time window is equal, and the number of time windows is the ratio between the time length of the preset time period and the time length of the time window.

[0070] For example, after the authentication object completes the initial login to the computer system, the observation period can be set to 3 minutes, that is, the preset time period is 3 minutes, and the time window is set to 10 seconds. Thus, the 3-minute interactive behavior data stream can be divided into 18 interactive behavior data sub-streams based on 10-second time windows, and the corresponding interactive behavior features can be extracted based on each interactive behavior data sub-stream, generating an interactive behavior feature sequence containing 18 interactive behavior features.

[0071] S103: Use the interaction behavior clustering codebook corresponding to the authentication object to determine the interaction behavior feature code corresponding to each interaction behavior feature in the interaction behavior feature sequence, so as to generate the interaction behavior feature code sequence.

[0072] This step aims to achieve effective matching of interactive behavior features in an interactive behavior feature sequence based on an interactive behavior clustering codebook, in order to obtain the interactive behavior feature code corresponding to each interactive behavior feature, and thus obtain an interactive behavior feature code sequence composed of these interactive behavior feature codes. Specifically, an interactive behavior clustering codebook corresponding to the authentication object can be pre-created. The core idea of ​​the clustering codebook is to divide the data into several clusters using a clustering algorithm. The center point of each cluster corresponds to a unique discrete code, and the unique discrete codes corresponding to the center points of all clusters form the clustering codebook, thereby achieving effective representation and compression of the data. Based on this, when an interactive behavior feature in the interactive behavior feature sequence matches a certain cluster (is closest to the center point of that cluster), the unique discrete code corresponding to the center point of that cluster is the interactive behavior feature code corresponding to that interactive behavior feature.

[0073] In one embodiment of this application, the training process of the interaction behavior clustering codebook may include: obtaining interaction behavior data samples of the authentication object with respect to the computer system, and generating an interaction behavior feature sample sequence of the authentication object based on the interaction behavior data samples; standardizing each interaction behavior feature sample in the interaction behavior feature sample sequence to obtain each standard feature sample; clustering each standard feature sample using a clustering algorithm to obtain multiple cluster centers; and setting a unique discrete code for each cluster center to obtain the interaction behavior clustering codebook.

[0074] This application provides a method for training an interactive behavior clustering codebook. First, sample data is collected and features are extracted, specifically, interactive behavior data samples of the authentication object related to the computer system are obtained, and corresponding interactive behavior feature sample sequences are obtained through feature extraction. Further, to effectively ensure accuracy and ease of subsequent data processing, each interactive behavior feature sample in the interactive behavior feature sample sequence can be standardized first. Then, a clustering algorithm is used to cluster all standard feature samples, obtaining the center points (cluster centers) of multiple clusters. Finally, by adding a unique discrete code to each cluster center, the interactive behavior clustering codebook corresponding to the authentication object can be obtained.

[0075] The training process of the interaction behavior clustering codebook will be described in detail below, taking a four-dimensional feature vector containing the average and standard deviation of keyboard key (press) time intervals and the average and standard deviation of mouse acceleration as an example.

[0076] First, in a secure environment, authorized users can work as usual. During this process, the computer system can silently record low-level data through the RAWINPUT API (a low-level programming interface provided by the operating system that allows applications to bypass the standard input processing flow and directly access raw input data from keyboard and mouse devices). Specifically, this can involve collecting 24 hours of data, covering various work states of the user, to form a rich log of normal behavior.

[0077] Furthermore, using 10-second intervals as a time window, the recorded data is summarized in the following manner:

[0078] 1. Calculate key intervals: Within a time window, record the time interval between "releasing the previous key" and "pressing the next key," excluding data with intervals greater than 2 seconds, and then calculate the key intervals for all keys within the current time window:

[0079] (1) Average value: Represents the average typing speed of the authorized person;

[0080] (2) Standard deviation: represents the stability of the authorizing person's typing rhythm;

[0081] 2. Calculate mouse acceleration: Based on the mouse movement trajectory, first calculate the instantaneous velocity, then calculate the instantaneous acceleration (the rate of change of velocity), and finally calculate the instantaneous acceleration of all instantaneous accelerations within the current time window.

[0082] (1) Average value: Represents the overall speed or smoothness of mouse movement;

[0083] (2) Standard deviation: represents the degree of variability in the mode of movement.

[0084] Therefore, by summing up all the calculation results, a set of four numbers is obtained every 10 seconds (a time window), which is a four-dimensional feature vector.

[0085] Finally, based on the above summary results, the implementation process of training the interaction behavior clustering codebook is as follows:

[0086] 1. Standardization Processing: Based on all the above four-dimensional feature vectors, calculate the global mean of the average key spacing, the global mean of the standard deviation of key spacing, the global mean of the average mouse acceleration, and the global mean of the standard deviation of mouse acceleration. Then, use the following Z-Score standardization formula "New feature value = (Original value - Global mean of average value) / Global mean of standard deviation" to process all four-dimensional feature vectors.

[0087] 2. Clustering: Using the K-Means algorithm, all the above four-dimensional feature vectors are divided into 20 classes (20 clusters), and the 20 most representative "centroids" in the data are identified.

[0088] (1) Initialization: The algorithm randomly selects 20 sample points from the standardized four-dimensional feature vector set as the initial cluster centers (centroids), denoted as {μ1, μ2, ..., μ...} 20 These centroids define the initial 20 subspace seeds.

[0089] (2) Allocation process: Iterate through each sample point x in the set i Calculate its Euclidean distance to all 20 centroids: d ij = ||x i - μ j ||², for each sample point x i Assigned to the nearest centroid μ j Cluster C j .

[0090] (3) Update processing: Recalculate C for each cluster j The center of mass μ j The new centroid is the mean vector of all sample points in the cluster:

[0091] (4) Iteration and convergence: Repeat the allocation and update processing steps until the following convergence condition is met: the change in the position of the centroid is less than the preset threshold of 0.0001. Thus, 20 stable centroids are finally obtained, which are the most representative behavioral prototypes mined from the data distribution.

[0092] 3. Forming the cluster codebook (essentially a lookup table or mapping table used to map input data to a finite set of discrete symbols (discrete codes): The above 20 centroids constitute the cluster codebook. Each centroid is assigned a symbol (unique discrete code), such as {A, B, C, ..., T}. Therefore, any newly generated behavioral feature (four-dimensional feature vector) will be compared with the 20 centroids in the cluster codebook, finding the closest centroid and marking it as the corresponding symbol (discrete code).

[0093] S104: Process the interaction behavior feature code sequence using the interaction behavior sequence model corresponding to the authentication object to obtain the compliance probability of the interaction behavior data stream.

[0094] This step aims to effectively process the interaction behavior feature code sequence of the authentication object based on the interaction behavior sequence model, in order to obtain the compliance probability of the authentication object's interaction behavior data stream. Clearly, the compliance probability of the authentication object's interaction behavior data stream characterizes the trustworthiness of the authentication object; that is, the higher the compliance probability of the interaction behavior data stream, the more compliant the authentication object's interaction behavior; the lower the compliance probability of the interaction behavior data stream, the more abnormal the authentication object's interaction behavior.

[0095] In one embodiment of this application, the training process of the interaction behavior sequence model may include: dividing the interaction behavior feature sample sequence into multiple interaction behavior feature sample subsequences; using the interaction behavior clustering codebook to determine the interaction behavior feature code sample corresponding to each interaction behavior feature sample in each interaction behavior feature sample subsequence, so as to generate the interaction behavior feature code sample subsequence corresponding to each interaction behavior feature sample subsequence; constructing a Hidden Markov Model (HMM model) containing multiple interaction behavior hidden states; and using the Hidden Markov Model parameter estimation algorithm to train the Hidden Markov Model using each interaction behavior feature code sample subsequence to obtain the interaction behavior sequence model.

[0096] This application provides a training method for an interactive behavior sequence model. Specifically, the Hidden Markov Model (HMM) is a probabilistic graphical model used to model time series data. It assumes that the system is a doubly stochastic process: an invisible (hidden) sequence of states and a visible sequence of observations.

[0097] First, the hidden states of interactive behaviors in the HMM model are set to include the following three states: State 1 (focused typing), State 2 (browsing and thinking), and State 3 (menu operation). Then, the following three core parameters are automatically learned by the Baum-Welch algorithm (an expectation maximization algorithm and a parameter estimation algorithm for hidden Markov models): (1) State transition matrix A: the probability of switching from one state to another; (2) Observation probability matrix B: the probability of generating 20 behaviors in each state; (3) Initial state distribution π: the probability of entering one of the three states when starting to operate.

[0098] Furthermore, in the initial state, the probability of switching from one state to another, the probability of generating each behavior in each state, and the probability of entering various hidden states at the beginning of the operation can be set to be equal. The duration of continuous observation is set to 3 minutes (that is, the interactive behavior feature sample sequence under the three-minute observation period is divided into multiple interactive behavior feature sample subsequences according to the 10-second time window). During this process, the above three core parameters are calculated by the Baum-Welch algorithm.

[0099] The Baum-Welch algorithm is the core algorithm for training Hidden Markov Models (HMMs). It belongs to "unsupervised learning," and its core task is to automatically learn the HMM model parameters (A, B, π) that best explain the hidden state sequence, based solely on existing observation data, without the ability to directly observe it. The Baum-Welch algorithm operates within the classic expectation-maximization framework, approximating the optimal solution through iterative iterations in the following two steps:

[0100] 1. Expectation Step (E-Step): Based on the currently guessed parameters, the data is "soft-labeled," meaning that given the current model and the entire observation sequence, at each time step:

[0101] (1) The probability that the system is in a certain hidden state (state occupancy probability γ).

[0102] (2) The probability of the system transitioning from one state to another (state transition expectation ξ).

[0103] This step makes full use of the contextual information of the entire sequence (computed via a forward-backward algorithm), rather than looking at a single time point in isolation.

[0104] 2. Maximization Step (M-Step): Using the state occupancy probability γ and state transition expectation ξ calculated in the expectation step as weighting criteria, the model parameters (A, B, π) are re-estimated and updated, making the overall probability of the new model generating the entire observation sequence greater.

[0105] (1) Update π: When the sequence begins, see which state the system is most likely to start from;

[0106] (2) Update A: See how the states switch most frequently;

[0107] (3) Update B: See which observation symbols are most frequently generated in each hidden state.

[0108] Therefore, after training, the HMM model containing the (A, B, π) parameters becomes the unique "digital behavioral fingerprint" of the authorized person, that is, the interaction behavior sequence model corresponding to the authorized person.

[0109] S105: Determine the security authentication result of the authentication object based on the compliance probability.

[0110] This step aims to achieve security authentication based on the compliance probability of interactive behavior data streams. As mentioned above, the higher the compliance probability of the interactive behavior data stream, the more compliant the interactive behavior of the current authentication object is; the lower the compliance probability of the interactive behavior data stream, the more abnormal the interactive behavior of the current authentication object is. Based on this, in one possible implementation, determining the security authentication result of the authentication object based on the compliance probability may include: when the compliance probability exceeds a preset probability value, the security authentication result of the authentication object is determined to be successful; when the compliance probability does not exceed the preset probability value, the security authentication result of the authentication object is determined to be unsuccessful.

[0111] In another possible implementation, determining the security authentication result of the authentication object based on the compliance probability may include: converting the compliance probability into an initial trust score using a preset conversion rule; smoothing the initial trust score to obtain a target trust score; and determining the security authentication result of the authentication object based on the comparison result between the target trust score and the security threshold range.

[0112] To further improve the accuracy of security authentication results, this application embodiment performs trust score conversion processing on the compliance probability of interactive behavior data stream, and uses smoothing processing to avoid the problem of trust score drop caused by accidental actions, so as to obtain a stable and reliable final trust score.

[0113] The process of converting compliance probability into an initial trust score using preset conversion rules may include: performing logarithmic calculation on the compliance probability to obtain the logarithmic probability; calculating the deviation between the logarithmic probability and the preset benchmark value corresponding to the certified object; and using compression mapping and linear mapping to process the deviation to obtain the initial trust score.

[0114] Understandably, the compliance probability P is extremely small and fluctuates wildly. To ensure accuracy, we can first assess the deviation between the logarithmic probability and the dynamic benchmark:

[0115] (1) Calculate the logarithmic probability log(P): convert the minimum probability into a negligible negative number;

[0116] (2) Compare with dynamic benchmark: Obtain a normal log(P) benchmark value (a dynamically updated moving average) from the daily behavior of the authorized person, and calculate the deviation Δ=log(P)-benchmark value.

[0117] Clearly, when Δ≈0, it can be determined that the authorizing person's behavior is normal; when Δ<<0, it can be determined that the authorizing person's behavior is abnormal.

[0118] Furthermore, by using the tanh(Δ / scaling factor) function and setting the scaling factor to 10, the deviation Δ is compressed to the interval [-1, 1], and then linearly mapped to [0, 100] points to obtain the initial trust score.

[0119] In addition, the implementation process of smoothing the initial trust score is as follows: exponential smoothing of the above initial trust score: target trust score = a × initial trust score + (1-a) × previous target trust score), a = 0.3.

[0120] Finally, in determining the security authentication result of the authentication object based on the comparison between the target trust score and the security threshold range, a multi-level and appropriate risk handling strategy can be adopted. For example, when the target trust score is >85, it is determined that the authorized person's interaction behavior is highly consistent and can be allowed to proceed without being noticed; when 75 < target trust score ≤85, it is determined that there is an identifiable deviation, and the system will activate the preset reinforcement measures without being noticed, such as automatically encrypting the clipboard content; when the target trust score ≤75, it is judged as a serious anomaly, and the screen is immediately locked and the computer system is locked.

[0121] As can be seen, the security authentication method provided in this application, for computer system login scenarios, offers a dual authentication mechanism combining physical token authentication and interactive behavior feature authentication. First, the authentication object, i.e., the login object of the computer system, can use a physical token to perform two-way authentication with the computer system. After successful two-way authentication, the authentication object achieves initial login to the computer system. Then, the interaction behavior data stream between the authentication object and the computer system is collected to extract the interaction behavior feature sequence of the authentication object. A two-layer modeling method of "interaction behavior clustering codebook + interaction behavior sequence model" is used to achieve the authentication of the interaction behavior feature of the authentication object, effectively improving the accuracy of interaction behavior feature authentication. Therefore, this technical solution, employing a dual authentication mechanism combining physical token authentication and interactive behavior feature authentication, achieves secure authentication in computer system login scenarios, effectively ensuring the security performance of the computer system. Furthermore, this security authentication process is completely imperceptible to the authentication object, meaning that while ensuring a high level of security, it achieves a truly seamless authentication experience.

[0122] Based on the above embodiments, this application provides a security authentication method.

[0123] Please refer to Figure 2 , Figure 2 The flowchart of another security authentication method provided in this application can include the following steps.

[0124] I. Login and Continuous Authentication.

[0125] 1. Token activation: Temporary users insert the dedicated physical token provided by the authorizing person into the target computer's USB port.

[0126] 2. Silent authentication: The physical token completes two-way authentication with the computer system (proving the token's legitimacy) and silently sends a signal to the computer system, notifying it to "now enter the 'behavioral authentication proxy login' mode".

[0127] 3. Initial login without password: The computer system automatically enters a one-time strong password based on the credentials of the physical token to complete the initial login (this password is dynamically generated by the physical token and is only valid for this insertion).

[0128] Specifically, the system reads the Vendor ID (VID), Product ID (PID), and Serial Number of the physical token via the SetupAPI, and checks the physical token whitelist to see if the read VID / PID is allowed. If not, access is stopped; if so, the system uses the read VID / PID to find the corresponding driver to generate random number 1 and random number 2. The computer system then sends random number 1 and random number 2 to the physical token's security chip via USB. Further, the security chip uses its internal, unreadable private key to digitally sign random number 1 and hash random number 2 to obtain a fixed-length password, returning the signature and password to the computer system. Finally, the computer system holds the public key corresponding to the physical token's private key, uses this public key to verify the digital signature, and logs in to the computer system using the password if verification is successful; otherwise, login is denied.

[0129] II. Real-time behavior flow comparison.

[0130] After successful initial login, the computer system immediately starts a background monitoring process to continuously collect real-time keyboard and mouse data from the current user.

[0131] Specifically, the computer system acquires keyboard and mouse data every 10 seconds and packages this raw data stream into a behavior observation vector. This vector describes the user's overall behavioral pattern over the past 10 seconds. This vector is input into the Hidden Markov Model (HMM), whose core output is the probability (P) that the current behavior observation vector was generated by the user's habitual pattern. A lower probability P indicates a more unusual behavior and a greater deviation from the user's habits. Furthermore, the probability P undergoes a trust score transformation, and a smoothing process is used to avoid trust score drops due to accidental actions, resulting in a stable and reliable final trust score. Finally, the user's security authentication can be performed based on this final trust score.

[0132] Therefore, the security authentication method provided in this application has the following technical effects:

[0133] (1) By providing an undeniable initial identity anchor through hardware tokens, the trust problem of cold start in the interaction behavior sequence model is solved;

[0134] (2) It realizes the precision and gradual approach to security response. Based on the dynamic trust score-based non-intrusive response mechanism, it transforms the traditional binary "interception / allowance" into a multi-level and appropriate risk handling mechanism, and takes invisible protection (encrypted clipboard) in the early stage of threat, which greatly reduces false alarm interference.

[0135] (3) Improved the accuracy of behavior recognition. The innovative “K-Means codebook + HMM” dual-layer modeling method can learn stable high-order behavior patterns of users from low-dimensional raw data, which has good adaptability to changes in work scenarios and reduces the risk of false negatives.

[0136] This application provides a security authentication device.

[0137] Please refer to Figure 3 , Figure 3 This application provides a schematic diagram of a security authentication device, which is applied to a computer system and may include:

[0138] Two-way authentication module 1 is used to obtain the token information of the physical token corresponding to the authentication object, and to perform two-way authentication with the physical token using the token information;

[0139] Data acquisition module 2 is used to acquire the data stream of the authentication object’s interaction behavior with the computer system when the two-way authentication is successful, and to generate the interaction behavior feature sequence of the authentication object based on the data stream of the interaction behavior.

[0140] Feature matching module 3 is used to determine the interaction behavior feature code corresponding to each interaction behavior feature in the interaction behavior feature sequence by using the interaction behavior clustering codebook corresponding to the authentication object, so as to generate an interaction behavior feature code sequence.

[0141] Model processing module 4 is used to process the interaction behavior feature code sequence using the interaction behavior sequence model corresponding to the authentication object to obtain the compliance probability of the interaction behavior data stream.

[0142] Result determination module 5 is used to determine the security authentication result of the authentication object based on the compliance probability.

[0143] As can be seen, the security authentication device provided in this application embodiment offers a dual authentication mechanism combining physical token authentication and interactive behavior feature authentication for computer system login scenarios. First, the authentication target, i.e., the login target of the computer system, can use a physical token to perform two-way authentication with the computer system. After successful two-way authentication, the authentication target achieves initial login to the computer system. Then, the interaction behavior data stream between the authentication target and the computer system is collected to extract the interaction behavior feature sequence of the authentication target. A two-layer modeling method of "interaction behavior clustering codebook + interaction behavior sequence model" is used to achieve interaction behavior feature authentication of the authentication target, effectively improving the accuracy of interaction behavior feature authentication. Therefore, this technical solution, employing a dual authentication mechanism combining physical token authentication and interactive behavior feature authentication, achieves secure authentication in computer system login scenarios, effectively ensuring the security performance of the computer system. Furthermore, this security authentication process is completely imperceptible to the authentication target, meaning that while ensuring a high level of security, it achieves a truly seamless authentication experience.

[0144] In one embodiment of this application, the security authentication device may further include a first training module, configured to acquire interactive behavior data samples of the authentication object with respect to the computer system, and generate an interactive behavior feature sample sequence of the authentication object based on the interactive behavior data samples; standardize each interactive behavior feature sample in the interactive behavior feature sample sequence to obtain each standard feature sample; cluster each standard feature sample using a clustering algorithm to obtain multiple cluster centers; and assign a unique discrete code to each cluster center to obtain an interactive behavior clustering codebook.

[0145] In one embodiment of this application, the security authentication device may further include a second training module, used to divide the interaction behavior feature sample sequence into multiple interaction behavior feature sample subsequences; determine the interaction behavior feature code sample corresponding to each interaction behavior feature sample in each interaction behavior feature sample subsequence using an interaction behavior clustering codebook, so as to generate an interaction behavior feature code sample subsequence corresponding to each interaction behavior feature sample subsequence; construct a hidden Markov model containing multiple interaction behavior hidden states; and train the hidden Markov model using each interaction behavior feature code sample subsequence in conjunction with a hidden Markov model parameter estimation algorithm to obtain an interaction behavior sequence model.

[0146] In one embodiment of this application, the aforementioned two-way authentication module 1 can be specifically used to perform two-way authentication between the token information and the physical token when the token information matches the preset whitelist; and to output a security authentication failure message when the token information does not match the preset whitelist.

[0147] In one embodiment of this application, the aforementioned two-way authentication module 1 can be specifically used to determine the internal dedicated driver corresponding to the token information, and use the internal dedicated driver to generate a first random number and a second random number; send the first random number and the second random number to the physical token, so that the physical token performs signature processing on the first random number to obtain a signature result, and performs hash operation on the second random number to obtain a random password; receive the signature result and random password fed back by the physical token, and when the signature result is verified, use the random password to realize the initial login of the computer system.

[0148] In one embodiment of this application, the data acquisition module 2 described above can be specifically used to acquire the data stream of the authentication object's interactive behavior with respect to the computer system within a preset time period; generate interactive behavior features of the authentication object within multiple time windows based on the interactive behavior data stream; and generate an interactive behavior feature sequence using the interactive behavior features within each time window; wherein, the time length of each time window is equal, and the number of time windows is the ratio between the time length of the preset time period and the time length of the time window.

[0149] In one embodiment of this application, the result determination module 5 can be specifically used to convert the compliance probability into an initial trust score using a preset conversion rule; to smooth the initial trust score to obtain a target trust score; and to determine the security authentication result of the authentication object based on the comparison result between the target trust score and the security threshold range.

[0150] For a description of the apparatus provided in the embodiments of this application, please refer to the above method embodiments; further details will not be repeated here.

[0151] This application provides an electronic device.

[0152] Please refer to Figure 4 , Figure 4 This application provides a schematic diagram of the structure of an electronic device, which may include:

[0153] Memory 11 is used to store computer programs;

[0154] The processor 10 is configured to execute computer programs and implement the steps of any of the security authentication methods described above.

[0155] like Figure 4 The diagram shows the structural composition of an electronic device, which may include a processor 10, a memory 11, a communication interface 12, and a communication bus 13. The processor 10, memory 11, and communication interface 12 all communicate with each other through the communication bus 13.

[0156] In this embodiment, the processor 10 may be a central processing unit (CPU), an application-specific integrated circuit, a digital signal processor, a field-programmable gate array, or other programmable logic devices. The processor 10 may call programs stored in the memory 11; specifically, the processor 10 may execute operations in the embodiments of the security authentication method.

[0157] The memory 11 is used to store one or more programs. The programs may include program code, which includes computer operation instructions. In this embodiment, the memory 11 stores at least a program for implementing the following functions:

[0158] The system retrieves the token information of the physical token corresponding to the authentication object and performs two-way authentication using the token information and the physical token. When the two-way authentication is successful, it retrieves the data stream of the authentication object's interaction behavior with the computer system and generates an interaction behavior feature sequence of the authentication object based on the interaction behavior data stream. It then uses the interaction behavior clustering codebook corresponding to the authentication object to determine the interaction behavior feature code corresponding to each interaction behavior feature in the interaction behavior feature sequence, thereby generating an interaction behavior feature code sequence. Finally, it processes the interaction behavior feature code sequence using the interaction behavior sequence model corresponding to the authentication object to obtain the compliance probability of the interaction behavior data stream. Based on the compliance probability, it determines the security authentication result of the authentication object.

[0159] In one possible implementation, memory 11 may include a program storage area and a data storage area, wherein the program storage area may store the operating system and applications required for at least one function; and the data storage area may store data created during use. Furthermore, memory 11 may include high-speed random access memory, and may also include non-volatile memory, such as at least one disk storage device or other volatile solid-state storage device.

[0160] Communication interface 12 can be an interface for the communication module, used to connect with other devices or systems.

[0161] Of course, it should be noted that, Figure 4 The structure shown does not constitute a limitation on the electronic device in the embodiments of this application. In practical applications, the electronic device may include more than Figure 4 More or fewer components as shown, or combinations of certain components.

[0162] This application provides a computer-readable storage medium.

[0163] The computer-readable storage medium provided in this application embodiment stores a computer program, which, when executed by a processor, can implement the steps of any of the security authentication methods described above.

[0164] The computer-readable storage medium can be any available medium that a computer can store, or a security authentication device such as a server or data center that integrates one or more available media. For example, it can be any medium that can store computer program code, such as magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., DVDs), or semiconductor media (e.g., solid-state drives).

[0165] For a description of the computer-readable storage medium provided in the embodiments of this application, please refer to the above method embodiments; further details will not be repeated here.

[0166] This application provides a computer program product.

[0167] The computer program product provided in this application includes a computer program / instruction, which, when executed by a processor, can implement the steps of any of the security authentication methods described above.

[0168] Specifically, in the above embodiments, implementation can be achieved, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, it can be implemented, in whole or in part, in the form of a computer program product.

[0169] The computer program product may include one or more computer programs / instructions, which, when loaded and executed on a computer, can generate all or part of the processes or functions described in the embodiments of this application. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. Computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another. For example, computer instructions may be transmitted from one website, computer, server, or data center to another via wired (e.g., coaxial cable, fiber optic, digital subscriber line, etc.) or wireless (e.g., infrared, wireless, microwave, etc.) means.

[0170] For a description of the computer program products provided in the embodiments of this application, please refer to the above method embodiments; further details will not be repeated here.

[0171] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on its differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. For the apparatus disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, the description is relatively simple; relevant parts can be referred to the method section.

[0172] Those skilled in the art will further recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.

[0173] The steps of the methods or algorithms described in conjunction with the embodiments disclosed herein can be implemented directly by hardware, a software module executed by a processor, or a combination of both. The software module can be located in random access memory (RAM), main memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art.

[0174] The technical solutions provided in this application have been described in detail above. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of the embodiments above are only for the purpose of helping to understand the methods and core ideas of this application. It should be noted that those skilled in the art can make several improvements and modifications to this application without departing from the principles of this application, and these improvements and modifications also fall within the protection scope of this application.

Claims

1. A security authentication method, characterized in that, Applied to computer systems, including: Obtain the token information corresponding to the physical token of the authentication object, and perform two-way authentication with the physical token using the token information; When two-way authentication is successful, the interaction behavior data stream of the authenticated object with respect to the computer system is obtained, and the interaction behavior feature sequence of the authenticated object is generated based on the interaction behavior data stream; The interaction behavior feature code corresponding to each interaction behavior feature in the interaction behavior feature sequence is determined by using the interaction behavior clustering codebook corresponding to the authentication object, so as to generate an interaction behavior feature code sequence. The interaction behavior feature code sequence is processed using the interaction behavior sequence model corresponding to the authentication object to obtain the compliance probability of the interaction behavior data stream; The security authentication result of the authentication object is determined based on the compliance probability.

2. The security authentication method according to claim 1, characterized in that, The training process of the interaction behavior clustering codebook includes: Obtain interaction behavior data samples of the authentication object with respect to the computer system, and generate an interaction behavior feature sample sequence of the authentication object based on the interaction behavior data samples; Each interactive behavior feature sample in the interactive behavior feature sample sequence is standardized to obtain each standard feature sample. Clustering algorithms are used to cluster the standard feature samples to obtain multiple cluster centers; A unique discrete code is assigned to each of the cluster centers to obtain the cluster codebook for the interaction behavior.

3. The security authentication method according to claim 2, characterized in that, The training process of the interaction behavior sequence model includes: The interactive behavior feature sample sequence is divided into multiple interactive behavior feature sample sub-sequences; The interaction behavior clustering codebook is used to determine the interaction behavior feature code sample corresponding to each interaction behavior feature sample in each interaction behavior feature sample subsequence, so as to generate the interaction behavior feature code sample subsequence corresponding to each interaction behavior feature sample subsequence. Construct a hidden Markov model that includes hidden states of various interactive behaviors; By combining the Hidden Markov Model parameter estimation algorithm, the Hidden Markov Model is trained using the sample subsequences of each interaction behavior feature code to obtain the interaction behavior sequence model.

4. The security authentication method according to claim 1, characterized in that, Using the token information to perform two-way authentication with the physical token includes: When the token information matches the preset whitelist, the token information and the physical token are used for two-way authentication. When the token information does not match the preset whitelist, a security authentication failure message is output.

5. The security authentication method according to any one of claims 1 to 4, characterized in that, Using the token information to perform two-way authentication with the physical token includes: The system internal dedicated driver corresponding to the token information is determined, and the first random number and the second random number are generated using the system internal dedicated driver; The first random number and the second random number are sent to the physical token, so that the physical token performs a signature process on the first random number to obtain a signature result, and performs a hash operation on the second random number to obtain a random password; The system receives the signature result and the random password fed back by the physical token. When the signature result is verified, the system uses the random password to perform the initial login to the computer system.

6. The security authentication method according to claim 1, characterized in that, Acquiring the interaction behavior data stream of the authentication object with respect to the computer system, and generating the interaction behavior feature sequence of the authentication object based on the interaction behavior data stream, including: Acquire the data stream of the authentication object's interactive behavior with the computer system within a preset time period; Generate the interaction behavior characteristics of the authenticated object within multiple time windows based on the interaction behavior data stream; The interaction behavior feature sequence is generated using the interaction behavior features within each time window; The time windows are all of equal length, and the number of time windows is the ratio between the length of the preset time period and the length of the time window.

7. The security authentication method according to claim 1, characterized in that, Determining the security authentication result of the authentication object based on the compliance probability includes: The compliance probability is converted into an initial trust score using preset conversion rules; The initial trust score is smoothed to obtain the target trust score; The security authentication result of the authentication object is determined based on the comparison result between the target trust score and the security threshold range.

8. A security authentication device, characterized in that, Applied to computer systems, including: The two-way authentication module is used to obtain the token information of the physical token corresponding to the authentication object, and to perform two-way authentication with the physical token using the token information; The data acquisition module is used to acquire the interaction behavior data stream of the authentication object with respect to the computer system when the two-way authentication is successful, and to generate the interaction behavior feature sequence of the authentication object based on the interaction behavior data stream; The feature matching module is used to determine the interaction behavior feature code corresponding to each interaction behavior feature in the interaction behavior feature sequence by using the interaction behavior clustering codebook corresponding to the authentication object, so as to generate an interaction behavior feature code sequence. The model processing module is used to process the interaction behavior feature code sequence using the interaction behavior sequence model corresponding to the authentication object to obtain the compliance probability of the interaction behavior data stream. The result determination module is used to determine the security authentication result of the authentication object based on the compliance probability.

9. An electronic device, characterized in that, include: Memory, used to store computer programs; A processor for executing the computer program to implement the steps of the security authentication method as described in any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program that, when executed by a processor, implements the steps of the security authentication method as described in any one of claims 1 to 7.