User access control method and apparatus, storage medium, and program product

By acquiring user operation behavior and device environment parameters in real time, constructing behavior feature vectors and combining them with policy path graphs, the problem of elastic adjustment of user access control methods in complex environments in existing technologies is solved. This enables accurate identification and dynamic response to abnormal access behavior, thereby improving the system's security protection capabilities.

CN122197052APending Publication Date: 2026-06-12BOE TECHNOLOGY GROUP CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BOE TECHNOLOGY GROUP CO LTD
Filing Date
2026-04-22
Publication Date
2026-06-12

AI Technical Summary

Technical Problem

Existing user access control methods based on behavior recognition are difficult to make flexible adjustments when facing different business scenarios or multi-level risk states. This can lead to the system accidentally triggering overly strong policies or misjudging normal situations in "gray risk" scenarios, affecting user experience and leaving security vulnerabilities. In particular, it is difficult to effectively manage high-concurrency access and potential attacks in complex business systems.

Method used

By acquiring user operation behavior data and device environment parameter information in real time, a behavior feature vector is constructed. Combined with the behavior baseline model and policy path map, the behavior deviation parameters are dynamically identified and adaptive access control policies are determined. Device environment features are introduced to enhance risk identification capabilities, thereby achieving accurate identification and dynamic response.

Benefits of technology

It achieves accurate identification and dynamic response to abnormal access behavior, improves the system's ability to detect risky behavior early, has high identification accuracy and flexible response security protection capabilities, and is suitable for complex access environments.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122197052A_ABST
    Figure CN122197052A_ABST
Patent Text Reader

Abstract

The present disclosure provides a user access control method, device, storage medium and program product. The method comprises: in response to an access request of a target user, obtaining operation behavior data and device environment parameter information of the target user in a current access process; obtaining a target behavior feature vector based on the operation behavior data and the device environment parameter information; determining a behavior deviation parameter of the current access based on the target behavior feature vector and a corresponding behavior baseline representation unit in a behavior baseline model; and determining a target access control strategy path from a pre-constructed strategy path atlas based on the behavior deviation parameter and executing the target access control strategy path, wherein the determination of the target access control strategy path comprehensively considers the behavior deviation parameter and a control cost factor of each access control strategy action node, and the control cost factor is used to represent an intervention degree of the access control strategy action on the current access.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of information security technology, and in particular to a user access control method, device, storage medium, and program product. Background Technology

[0002] Mini / Micro-LED (Mini / Micro Light Emitting Diode) mainly involves miniaturizing, arraying, and thinning traditional LED chips using micro-process technology, then mass-transferring the LED crystal thin film to a driver backplane in batches using mass transfer technology, creating a protective layer using physical deposition, and finally completing the encapsulation.

[0003] Currently, user access control based on behavioral pattern recognition has become one of the important research directions in the field of computer system security. Compared with traditional control methods that rely on static authentication and role-based permission allocation, behavioral pattern recognition mechanisms can continuously monitor the characteristics of user operation behavior in the system, such as access frequency, resource call path, device fingerprint and interaction rhythm, etc., to build user behavior profiles and dynamically identify abnormal behaviors, thereby enhancing the system's ability to defend against identity theft, permission abuse and spoofing attacks. This method is particularly suitable for systems with complex business environments, variable user access paths or distributed access characteristics, such as cloud service platforms, financial data systems or government data centers.

[0004] Existing behavior-based access control systems generally suffer from insufficient rigidity in their policy response structure. Current mainstream user access control processes establish a static one-to-one mapping between identified behavioral risk levels and control actions. This makes it difficult to make flexible adjustments when facing different business scenarios or multi-level risk states. Especially in "gray risk" situations where behavior deviates but does not reach a severe abnormality, the system either mistakenly triggers overly strong policies (such as forced logout or account freezing), harming the user experience; or it misjudges the behavior as normal, allowing potential risks and leaving security vulnerabilities. Particularly when business systems expand and user behavior becomes more diverse, this structural defect will lead to sluggish, unbalanced, or ineffective access control systems, making it difficult to effectively manage high-concurrency access and potential attacks. Summary of the Invention

[0005] The technical problem to be solved by this disclosure is to provide a user access control method, device, storage medium, and program product.

[0006] To address the aforementioned technical problems, the embodiments of this disclosure provide the following technical solutions:

[0007] On the one hand, a user access control method is provided, including: In response to the access request of the target user, the system obtains the target user's operation behavior data and device environment parameter information during the current access process. The operation behavior data includes at least one of page resource click data, page jump path, interaction dwell time, input interval time, and function call sequence. The device environment parameter information includes at least one of device type, operating system version, browser type, hardware unique identifier, network access method, and location information. Based on the operational behavior data and equipment environmental parameter information, obtain the target behavior feature vector; Based on the target behavior feature vector and the behavior baseline model, the behavior deviation parameters of the current access are determined. The behavior baseline model includes multiple behavior baseline representation units, each with a time label and a business label, and contains a baseline behavior feature vector and a feature distribution boundary. The feature distribution boundary indicates the maximum allowable deviation range of the behavior baseline representation unit from the baseline behavior feature vector. Determining the behavior deviation parameters of the current access includes: obtaining the target context state information of the current access, which includes a time label and a business label; based on the target context state information, determining a target behavior baseline representation unit adapted to the current access from the multiple behavior baseline representation units; and determining the behavior deviation parameters of the current access based on the target behavior feature vector, the baseline behavior feature vector of the target behavior baseline representation unit, and the feature distribution boundary. Based on the behavior deviation parameters, a target access control policy path is determined and executed from a pre-constructed policy path graph. The policy path graph includes multiple access control policy action nodes and their attribute information, as well as directed edges connecting two access control policy action nodes. The attribute information includes the control action type and control strength coefficient of each access control policy action node. The directed edge represents the transferable conditions and constraints between the two connected access control policy action nodes. The directed edge has an edge weight parameter, which indicates the degree of adaptation for jumping from the previous node to the next node connected by the directed edge. The edge weight parameter is adapted to the behavior deviation parameters of the current access and / or the target context state information. The determination of the target access control policy path comprehensively considers the behavior deviation parameters and the control cost factors of each access control policy action node. The control cost factors represent the degree of intervention of the access control policy action on the current access.

[0008] On the one hand, a user access control device is provided, comprising: The first acquisition module is configured to respond to the access request of the target user and acquire the target user's operation behavior data and device environment parameter information during the current access process. The operation behavior data includes at least one of page resource click data, page jump path, interaction dwell time, input interval time, and function call sequence. The device environment parameter information includes at least one of device type, operating system version, browser type, hardware unique identifier, network access method, and location information. The second acquisition module is configured to acquire a target behavior feature vector based on the operation behavior data and device environment parameter information; A determination module is configured to determine the behavior deviation parameters of the current access based on the target behavior feature vector and the behavior baseline model. The behavior baseline model includes multiple behavior baseline representation units, each with a time label and a business label, and contains a baseline behavior feature vector and a feature distribution boundary. The feature distribution boundary indicates the maximum allowable deviation range of the behavior baseline representation unit from the baseline behavior feature vector. Determining the behavior deviation parameters of the current access includes: acquiring target context state information of the current access, including a time label and a business label; determining a target behavior baseline representation unit adapted to the current access from the multiple behavior baseline representation units based on the target context state information; and determining the behavior deviation parameters of the current access based on the target behavior feature vector, the baseline behavior feature vector of the target behavior baseline representation unit, and the feature distribution boundary. An execution module is configured to determine and execute a target access control policy path from a pre-built policy path graph based on the behavior deviation parameters. The policy path graph includes multiple access control policy action nodes and their attribute information, as well as directed edges connecting two access control policy action nodes. The attribute information includes the control action type and control strength coefficient of each access control policy action node. The directed edge represents the transferable conditions and constraints between the two connected access control policy action nodes. The directed edge has an edge weight parameter, which indicates the degree of adaptation for jumping from the previous node to the next node connected by the directed edge. The edge weight parameter is adapted to the behavior deviation parameters of the current access and / or the target context state information. The determination of the target access control policy path comprehensively considers the behavior deviation parameters and the control cost factors of each access control policy action node. The control cost factors represent the degree of intervention of the access control policy action on the current access.

[0009] On one hand, an electronic device is provided, comprising: at least one processor; and a memory connected to the at least one processor, wherein the memory stores computer instructions that, when executed by the at least one processor, enable the implementation of the above-described method.

[0010] On the one hand, a non-transitory computer-readable storage medium is provided that stores computer instructions, wherein the computer instructions are executed by at least one processor to implement the above-described method.

[0011] On the one hand, a computer program product is provided, including computer instructions, wherein the computer instructions are executed by at least one processor to implement the above-described method.

[0012] The embodiments disclosed herein have the following beneficial effects: In the above solution, user operation behavior data and device environment parameter information are acquired in real time during user access. Based on this data, a user behavior feature vector is constructed to identify whether the user is engaging in risky behavior. Therefore, by introducing device environment features on top of operation behavior characteristics to identify whether user access deviates from normal behavior, potential abnormal fluctuations at the device level can be effectively captured, enhancing the early detection capability of risky behavior. This enables accurate identification and dynamic response to abnormal access behavior. Simultaneously, access control based on control cost factors ensures the effectiveness and minimal intervention of control measures, thus possessing advantages such as high behavior recognition accuracy, flexible response strategies, and adaptive control intervention, making it more suitable for dynamic security protection needs in complex access environments. Attached Figure Description

[0013] Figure 1 This is a flowchart illustrating a user access control method in some embodiments of this disclosure; Figure 2 This is a schematic flowchart illustrating a method for obtaining target user's operational behavior data and device environment parameter information during the current access process, as described in some embodiments of this disclosure. Figure 3 This is a flowchart illustrating a method for determining behavioral deviation parameters of the current access in some embodiments of this disclosure; Figure 4 This is a flowchart illustrating a method for determining behavioral deviation parameters of the current access in some embodiments of this disclosure; Figure 5 The first row is a schematic flowchart of the method for constructing the baseline model in some embodiments of this disclosure; Figure 6 This is a flowchart illustrating a method for obtaining the baseline feature vector and feature distribution boundary of each first row sample subset in some embodiments of this disclosure; Figure 7 This is a schematic flowchart illustrating a method for executing corresponding target response control strategies based on behavioral deviation parameters in some embodiments of this disclosure; Figure 8 This is a flowchart illustrating a method for obtaining a target access control policy path from a policy path graph in some embodiments of this disclosure; Figure 9 This is a flowchart illustrating a method for obtaining a target access control policy path from a policy path graph in some embodiments of this disclosure; Figure 10 This is a block diagram of user access control components in some embodiments of this disclosure; Figure 11 This is a block diagram of the electronic device in some embodiments of this disclosure. Detailed Implementation

[0014] To make the objectives, technical solutions, and advantages of the embodiments of this disclosure clearer, the technical solutions of the embodiments of this disclosure will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of this disclosure. All other embodiments obtained by those skilled in the art based on the described embodiments of this disclosure are within the scope of protection of this disclosure.

[0015] Unless otherwise defined, the technical or scientific terms used in this disclosure shall have the ordinary meaning understood by one of ordinary skill in the art to which this disclosure pertains. The terms “first,” “second,” and similar terms used in this disclosure do not indicate any order, quantity, or importance, but are merely used to distinguish different components. Terms such as “comprising,” “having,” and “including,” and any variations thereof, mean that the element or object preceding the word encompasses the element or object listed following the word and its equivalents, without excluding other elements or objects. Terms such as “connected” or “linked” are not limited to physical or mechanical connections, but can include electrical connections, whether direct or indirect. Terms such as “upper,” “lower,” “left,” and “right” are used only to indicate relative positional relationships; when the absolute position of the described object changes, the relative positional relationship may also change accordingly. In embodiments of this disclosure, unless otherwise specified, “multiple” refers to two or more.

[0016] Currently, user access control based on behavioral pattern recognition has become one of the important research directions in the field of computer system security. Behavioral pattern recognition mechanisms can continuously monitor user operational behavior characteristics, such as access frequency, resource access paths, device fingerprints, and interaction rhythms, to build user behavior profiles and dynamically identify abnormal behaviors. This enhances the system's ability to defend against identity theft, privilege abuse, and spoofing attacks. This method is particularly suitable for systems with complex business environments, variable user access paths, or distributed access characteristics, such as cloud service platforms, financial data systems, or government data centers.

[0017] In some embodiments, the user access control process establishes a static one-to-one mapping between identified behavioral risk levels and control actions. This lack of diversity and configurability in response processes makes it difficult to make flexible adjustments when facing different business scenarios or multi-level risk states. Especially in the case of "gray risk" where there is behavioral deviation but not serious abnormality, the system may either mistakenly trigger overly strong policies (such as forced logout or account freezing), damaging the user experience, or misjudge it as normal, allowing potential risks and leaving security vulnerabilities. Especially when the scale of the business system expands and the diversity of user behavior increases, this structural defect will cause the access control system to respond slowly, become unbalanced, or fail, making it difficult to support the effective management of high-concurrency access and potential attacks.

[0018] Based on this, this disclosure provides a user access control method that acquires user operation behavior data and device environment parameter information in real time during user access. A user behavior feature vector is constructed based on the operation behavior data and device environment parameter information to identify whether the user is engaging in risky behavior. Therefore, by introducing device environment features on top of operation behavior features to identify whether user access deviates from normal behavior, potential abnormal fluctuation factors at the device level can be effectively captured, enhancing the early perception capability of risky behavior, thereby enabling accurate identification and dynamic response to abnormal access behavior.

[0019] The solutions disclosed in this embodiment can be applied, for example, to enterprise office scenarios, where a dynamic access control platform can be built to identify and control risks associated with employee access to sensitive documents, intranet management pages, etc., and to achieve flexible permission adjustments based on behavioral deviation parameters. The solutions disclosed in this embodiment can also be applied to industries with extremely high data security requirements, such as finance, government affairs, and healthcare. In these cases, the user access control method can be embedded as a behavior-aware protection engine into the identity authentication system to achieve fine-grained access supervision, such as dynamically adjusting verification strength in scenarios like remote work and access from uncommon devices. The solutions disclosed in this embodiment can also be applied to cloud computing and SaaS (Software as a Service) platforms, where the user access control method can be encapsulated as an access risk scoring service component to provide access context assessment for other services. Furthermore, the solutions disclosed in this embodiment can also serve as a key support module in a zero-trust architecture, providing data support and a dynamic response mechanism for the generation and execution of fine-grained access policies, thereby improving overall network security protection capabilities.

[0020] The technical methods of this disclosure will now be described in detail with reference to the accompanying drawings and specific embodiments.

[0021] The solutions in this disclosure are applicable to systems including at least one terminal device and a server, wherein the at least one terminal device and the terminal device and the server can be connected via a communication network. The terminal device can be configured to execute one or more applications and provide an interface for interaction with a user, receiving and outputting information to the user through the interface. The terminal device can be various types of computer devices, such as general-purpose computers, wearable devices, mobile phones, tablets, personal digital assistants, etc., and can run applications and various operating systems. The server can be configured to execute one or more applications, perform corresponding operations in response to requests from the terminal devices, and analyze and merge feedback data and / or updated data received from at least one terminal device. The server can run applications and various operating systems, and can be a distributed system server, a blockchain server, a cloud server, etc. The communication network can be a local area network (LAN), Ethernet, a wide area network (WAN), the Internet, a blockchain network, an wireless network, etc. The system can also include one or more databases for storing data, such as audio data, video data, and image data. The database can be stored on the terminal device, an edge computing device, or a server. The database can store, update, or retrieve data in response to requests.

[0022] According to some embodiments of this disclosure, a user access control method is provided, which can be applied to a server. For example... Figure 1 As shown, the method includes: Step S110: In response to the access request of the target user, obtain the target user's operation behavior data and device environment parameter information during the current access process. The operation behavior data includes at least one of page resource click data, page jump path, interaction dwell time, input interval time, and function call sequence. The device environment parameter information includes at least one of device type, operating system version, browser type, hardware unique identifier, network access method, and location information. Step S120: Obtain the target behavior feature vector based on the operation behavior data and device environment parameter information; Step S130: Based on the target behavior feature vector and the behavior baseline model, determine the behavior deviation parameters of the current access; wherein, the behavior baseline model includes multiple behavior baseline representation units, each behavior baseline representation unit has a time label and a business label, and includes a baseline behavior feature vector and a feature distribution boundary, the feature distribution boundary being used to indicate the maximum allowable deviation range of the behavior baseline representation unit from the baseline behavior feature vector; determining the behavior deviation parameters of the current access includes: obtaining the target context state information of the current access, the target context state information including a time label and a business label; based on the target context state information, determining the target behavior baseline representation unit adapted to the current access from the multiple behavior baseline representation units; and determining the behavior deviation parameters of the current access based on the target behavior feature vector, and the baseline behavior feature vector and feature distribution boundary of the target behavior baseline representation unit. Step S140: Based on the behavior deviation parameters, determine and execute the target access control policy path from the pre-constructed policy path graph; wherein, the policy path graph includes multiple access control policy action nodes and their attribute information, as well as directed edges connecting two access control policy action nodes, the attribute information includes the control action type and control strength coefficient of the second node, the directed edge represents the transferable conditions and constraint relationships between the two connected access control policy action nodes, the edge weight parameter is used to indicate the degree of adaptation from the previous node connected by the directed edge to the next node, the edge weight parameter is adapted to the behavior deviation parameters of the current access and / or the target context state information, the determination of the target access control policy path comprehensively considers the behavior deviation parameters and the control cost factors of each access control policy action node, the control cost factors are used to characterize the degree of intervention of the access control policy action on the current access.

[0023] Therefore, by introducing device environment parameter information on top of operational behavior data, it is possible to identify whether user access deviates from normal behavior. While capturing whether there are abnormalities in user operation behavior, it can also effectively capture potential abnormal fluctuation factors at the device level, enhance the early perception capability of risky behavior, and thus achieve accurate identification and dynamic response to abnormal access behavior.

[0024] In step S110, user operation behavior data and device environment parameter information during the access process can be collected in real time on the terminal device side and reported to the server side.

[0025] For example, page resource click data can include clicks on settings, submit, and back buttons. Page navigation paths could be from the homepage to order management and then to the payment interface. Interaction dwell time can be the duration a user continuously browses a page, such as more than 30 seconds. Input interval time could be the average time between two keyboard inputs. Function call sequence could be the order in which functional modules are called during the user's access, such as the order in which query, download, and edit modules are triggered. This operational behavior data not only reflects the user's access habits but also reveals the consistency between their operational intentions and behaviors, thereby enabling the identification of any anomalies in the user's operational behavior.

[0026] For example, device type can be the brand and model of a PC, Android device, iOS device, etc. Operating system version can be the version number and kernel information of Windows 10, macOS, Linux, etc. Browser type can be the major version number of Chrome, Firefox, or Edge. Unique hardware identifier can be the MAC address, device serial number, or IMEI. Network access methods include, but are not limited to, WiFi connection, cellular mobile network (4G / 5G), virtual private network, proxy services (such as HTTP proxy or SOCKS5 proxy), etc. Location information can be latitude and longitude coordinates obtained through IP positioning or GPS, area code, etc. For example, if a user usually logs into the system in a certain area using a PC via a company dedicated line, but suddenly switches to a mobile device and accesses it from a different location via public WiFi, the change in device environment parameters will become important evidence of potential behavioral deviation. As another example, within a certain time period, if the page navigation path is normal but the network access changes multiple times, and the device identifier (such as device type, operating system version, browser type) changes abruptly, even if the operational behavior does not show obvious abnormalities, the system can issue a warning based on the device environment parameters, thereby building a more sensitive and accurate behavior recognition method.

[0027] The system can use the start time of the access session as a unified time reference and merge all collected information according to timestamps to ensure the alignment and consistency of operation behavior data and device environment parameter information in the time dimension.

[0028] In some embodiments, such as Figure 2 As shown, step S110, in response to the target user's access request, obtains the target user's operational behavior data and device environment parameter information during the current access process, including: Step S111: In response to the access request of the target user, obtain the operation behavior data and device environment parameter information in each of the multiple consecutive time windows during the current access process; Step S112: Based on the operational behavior data and device environment parameter information within each time window, generate a behavior status recording unit; and Step S113: Assemble the behavior status record units of multiple time windows in chronological order to form a joint time sequence of the entire current access process.

[0029] In this case, step S120, obtaining the target behavior feature vector based on the operation behavior data and device environment parameter information, includes: The target behavior feature vector is obtained based on the joint time series sequence. The aforementioned method divides the access process into multiple time windows of fixed length, such as 30 or 60 seconds per segment. By acquiring the operational behavior data and device environment parameter information for each time window, it can reflect the behavioral evolution trend during the access process. Furthermore, through structured processing, the joint time series sequence possesses temporal continuity and clear parameter semantics, supporting subsequent feature extraction and serving as the original basis for retrospective analysis of abnormal user operation behavior. It exhibits scalability and high expressiveness.

[0030] It should be noted that this joint time series is not composed of only behavioral actions, but integrates two dimensions: user operation behavior and device environment. It can effectively characterize the stability of user behavior and the evolution of access status in different scenarios, providing a data foundation for subsequent deviation identification and control strategies.

[0031] The behavior collection mechanism is activated upon the start of each access session, periodically collecting user operation behavior data and device environment parameter information. The joint time sequence includes operation behavior data and device environment parameter information within each time window, which can generate structured behavior state record units through structured processing. The behavior state record unit can include joint information from multiple dimensions such as page resource click event vectors, page jump path graph summaries, operation rhythm feature groups, current device identifiers, and network status tags. As the time window slides forward, multiple behavior state record units are spliced ​​together in chronological order to form the joint time sequence of the user throughout the entire access process. The sequence length (i.e., the time window duration) can be dynamically adjusted to cover the entire access cycle.

[0032] In some embodiments, the target behavior feature vector may include access path features, operation rhythm features, and device location features. These three features are three key behavioral features in the access process, which can effectively determine whether there are any abnormalities in user behavior.

[0033] For example, based on the analysis of the joint time series, three key behavioral features of the user within multiple consecutive time windows during each access process can be extracted: access path features, operation rhythm features, and device location features. These three features can be integrated into a behavioral feature vector using a unified encoding method for subsequent deviation detection. Since the access path features, operation rhythm features, and device location features each constitute a set of time series features, they can represent the continuity, stability, and interaction efficiency of user operation behavior at the micro level, as well as the continuity and stability of the device environment at the micro level.

[0034] In some embodiments, access path characteristics include the current access path depth, loop count, and average jump interval. The path depth is the maximum number of jump levels traversed from the entry page to the current page; the loop count is the frequency of repeatedly accessing the same page in the access path; and the average jump interval is the time difference between two jump events. These metrics reflect the complexity of the access path and the stability of the access rhythm, and can be used to determine whether there are jump anomalies or detours in the current access.

[0035] In terms of extracting access path features, the user's page navigation behavior in the current access session is analyzed to extract the starting page and target page involved in each access behavior, establishing a resource navigation sequence. Access path features can be obtained based on the resource navigation sequence.

[0036] In some embodiments, the resource jump sequence can be, but is not limited to, a directed access graph. In this case, a directed access graph can be constructed based on the page resource click data and page jump path, with the page resource as the first node and the jump relationship as the directed edge. Based on the directed access graph, the path depth, loop count, and average jump interval of the current access can be obtained.

[0037] For example, if a user's access path is "homepage to search page to results page to details page to payment page," the system abstracts this redirection behavior as a set of directed edges, constructing a directed graph with page resources as the first node and redirection relationships as edges. In this access graph, the system tracks the following three key metrics: the current access path depth (the maximum number of redirects from the entry page to the current page); the number of loops (whether there are repeated visits to the same page within the access path, counting the frequency of these loops); and the average redirect interval (the time difference between two redirect events, calculated, for example, by dividing the access duration by the number of redirects). For instance, if an access lasts 60 seconds and involves 4 redirects, the average redirect interval is 15 seconds.

[0038] In some embodiments, the operation rhythm characteristics include the number of consecutive operations, the standard deviation of the input interval, and the operation response delay value. The number of consecutive operations is the number of times the target user performs an input operation without interruption. The standard deviation of the input interval is the standard deviation of the time interval between two adjacent input operations. The operation response delay value is the time delay experienced from when the target user initiates an input operation to when the system responds. These indicators reflect the stability of the access rhythm and can be used to determine whether there are any operation anomalies or redirection anomalies in the current access.

[0039] Regarding the extraction of operation rhythm features, based on the operation behavior data, sub-operation rhythm features can be extracted from each of multiple consecutive time windows in the current access process. These sub-operation rhythm features include the number of consecutive operations, the standard deviation of the input interval, and the operation response delay value. The multiple sub-operation rhythm features from the multiple time windows are then concatenated to form the overall operation rhythm feature.

[0040] Specifically, the rhythm of user actions within each time window during the access process can be statistically analyzed to obtain the number of consecutive operations, the standard deviation of input intervals, and the operation response latency within that time window. The number of consecutive operations refers to the number of times a user performs an operation without interruption within each time window; for example, if a user performs 5 consecutive inputs or clicks within 30 seconds, it is counted as 5 times. The standard deviation of input intervals measures the temporal regularity of user input behavior. It is calculated by recording the time interval sequence between two adjacent input operations and calculating the standard deviation of this sequence; a larger standard deviation indicates a more unstable user input rhythm. The operation response latency refers to the time delay from when a user initiates an operation (such as clicking "submit") to the system's response (such as a pop-up or redirect). This value can be obtained by comparing front-end and back-end logs. These operation rhythm indicators constitute a set of time series features used to represent the continuity, stability, and interaction efficiency of user actions at the micro-level.

[0041] In some embodiments, device location characteristics include device identifier consistency ratio, frequency of changes in access geographic location, and number of network access handovers. The device identifier consistency ratio is the ratio of the number of identical device identifier parameters in the current device identifier parameters used by the target user and the historical device identifier parameters used by the target user, to the total number of device identifier parameters. The device identifier parameters include device type, operating system version, browser type, and hardware unique identifier.

[0042] Device location features can represent the stability and location changes of the user terminal initiating the access and its access environment, used to characterize whether the user accesses the site under familiar devices, areas, and network conditions. Introducing device location features into the process of identifying deviations in user access behavior can effectively capture potential abnormal fluctuations at the device level, enhancing the system's early detection capability for risky behaviors. It is particularly suitable for scenarios such as account sharing detection, proxy access identification, and device spoofing behavior identification, and has engineering applicability and security control value.

[0043] The current device used for the current access is not necessarily the same as or different from the historical devices in the user's access history, but rather partially consistent. For example, the user may have changed their browser version, updated their operating system, replaced their network card leading to a change in the hardware unique identifier, or mobile privacy policies may have resulted in missing identifiers. In such cases, simply using "yes / no" would misclassify many normal changes as abnormal. For instance, in implementation, four fields (device identifier parameters) can be used as comparison items: device type, operating system version, browser type, and hardware unique identifier. First, find the historical device record that is closest to the current device (the historical device with the most identical entries among the four types of device identifier parameters). Then, calculate the proportion of matching fields out of all fields as the consistency ratio. For example, if the device type, operating system version, and browser type are consistent, but the hardware unique identifier is different, the consistency ratio is 0.75, meaning the device identifier consistency ratio can be a continuous value between 0 and 1.

[0044] In other words, the device identifier consistency ratio indicates whether the current device used for the current access is consistent with the historical devices in the user's historical access records. For example, it can be calculated by comparing the current device identifier parameters (such as device type, operating system version, browser type, hardware unique identifier) ​​used by the user for the current access with the closest historical device in the set of historical devices used by the user for the past access. If the matching parameter ratio is 80%, then the device identifier consistency ratio is 0.8.

[0045] The frequency of geographic location changes indicates how often a user's geographic location changes during a visit. For example, if the location information changes three times during a single visit session, and the session duration is 30 minutes, the geographic location change frequency can be recorded as once every 10 minutes.

[0046] Network access switching count refers to the total number of times a user switches between network connection types (such as WiFi, cellular network, VPN, etc.) during a single access process. This metric is used to reflect the stability of the network environment.

[0047] In some embodiments, the three parameters—device identifier consistency ratio, frequency of geographical location changes, and number of network access handovers—can be standardized to form a three-dimensional device stability vector, which represents the device location characteristics. Standardizing these three device location characteristics ensures their comparability under the same dimensions. The standardization process can, for example, employ linear normalization, compressing each parameter according to its minimum and maximum values ​​in the user's historical access records, normalizing it to between 0 and 1, thus preventing any single parameter from dominating the overall judgment due to its excessively large absolute value. After standardization, for example, the three values ​​can be merged into a vector according to a fixed order of device identifier consistency ratio, frequency of geographical location changes, and number of network access handovers, thus forming the device stability vector. This vector will be fused with other dimensional features (various dimensions of operational behavior features) during the behavior feature vector generation stage to comprehensively evaluate the stability and reliability of the current access behavior.

[0048] In a specific embodiment, the device stability vector (i.e., device location characteristics) can be directly expressed as a three-dimensional vector: Device Stability Vector = [Standardized value of device identifier consistency ratio, Standardized value of access location change frequency, Standardized value of network access switching count]. The three dimensions are arranged in a fixed order to ensure that the semantics of the feature dimensions do not drift when encoding subsequent behavioral feature vectors. For example, in a certain access session, the device identifier consistency ratio is 0.25 (inconsistent with most of the identifier parameters of historical devices in historical access records), the access location change frequency changes significantly 4 times within 20 minutes (which is relatively high), and the number of network access switching counts is 2. After mapping the three values ​​to a unified interval of 0 to 1 according to the numerical range of the user's historical access records or similar scenario access records, the resulting device stability vector can be, for example, [0.25, 0.80, 0.60], where 0.25 indicates weak device continuity, 0.80 indicates abnormally high location changes, and 0.60 indicates an unstable access environment. This device stability vector is then used as part of the behavioral feature vector in deviation analysis.

[0049] In some embodiments, during the calculation of the historical device identifier consistency ratio, the current device identifier parameter used by the user during the current access can be obtained. The current device identifier parameter may include the following four types of information: device type (such as mobile phone brand and model), operating system version (such as Android version number and kernel information), browser type (such as the major version number of Chrome, Firefox or Edge), and hardware unique identifier (such as MAC address, device serial number or IMEI, etc.).

[0050] For example, the four types of parameters mentioned above can be automatically reported to the server and recorded by the user's terminal device through the client when the access is initiated. Then, the current device identifier parameters reported in the current access session are compared one by one with the historical device identifier parameters in the user's historical access records to calculate the matching situation of each type of parameter. For example, if there are five access records in the historical access records, and three of these records have the same device type, operating system version, and browser type as the current device, while there are two matching MAC addresses, then the device identifier consistency ratio can be calculated by dividing the number of matching parameters by the total number of parameters. In this process, to ensure the representativeness of the device identifier consistency ratio, a reasonable backtracking window can be set for the historical access records (such as the last 30 accesses or records within the last 30 days) to avoid introducing noise due to an excessively large time span.

[0051] In some embodiments, the process of obtaining the frequency of location changes can involve the system continuously acquiring the location information reported by the user terminal through the client during each access session. This location information can be represented, for example, but is not limited to, latitude and longitude coordinates, along with a timestamp. After the access session ends, the number of coordinate changes of the reported location during that session is counted. A change is considered valid when two consecutive reported coordinate changes exceed a preset minimum geographic unit (e.g., 50 meters). The total time interval between the first and last location report in each access session is then calculated, and the number of location changes is divided by this total time interval (e.g., in minutes or hours) to obtain the location change frequency per unit time. For example, if four valid location changes occur during a 20-minute access session, the change frequency is once every five minutes. The location change frequency indicator can effectively reflect whether user behavior is accompanied by unreasonable location migration and can be used to identify proxy spoofing or shared account behavior.

[0052] In some embodiments, the network access switching count can be obtained by monitoring the user's network connection status in real time during the user's access process. The system records every network access method and its changes from the start of the access to the end of the access. Network access methods may include, but are not limited to, WiFi connection, cellular mobile network (4G / 5G), virtual private network, proxy services (such as HTTP proxy or SOCKS5 proxy), etc. Each time the user's network environment changes (e.g., from WiFi to cellular network), it is counted as a network access switching event. The duration of each network access method can also be recorded to facilitate subsequent analysis of network environment stability and the rationality of access strategies. For example, if a user experiences three different network types during an access session, lasting 5 minutes, 10 minutes, and 8 minutes respectively, the network access switching count is 2. A higher network access switching count is more likely to be associated with abnormal access, tunnel forwarding, or malicious behavior.

[0053] After constructing the target user's target behavior feature vector based on real-time acquired operation behavior data and device environment parameter information, step S130 can be executed to determine the behavior deviation parameter of the current visit based on the target behavior feature vector and the behavior baseline model.

[0054] The behavioral baseline model provides the criteria for normal access and the permissible deviation range. Within the deviation range, the access behavior can be considered normal and no intervention is required. Furthermore, when access behavior deviates from the permissible deviation range, the behavioral baseline model can determine the degree of deviation and generate an appropriate target response control strategy based on the degree of deviation, thus implementing intervention control.

[0055] For example, behavioral deviation parameters may include behavioral deviation scores and / or behavioral deviation levels. The behavioral deviation level of the current behavior can be determined based on the position of the behavioral deviation score within the overall score range, combined with a predefined score range (e.g., no deviation, slight deviation, moderate deviation, high deviation, etc.). The overall score range corresponding to the behavioral deviation score can be determined according to the actual needs and scenarios, for example, it can be, but is not limited to, the range [0, 100]. A behavioral deviation score of no more than 60 can be determined as no deviation, not affecting the user's specific access; a behavioral deviation score of more than 60 can be determined as deviation, and the behavioral deviation score within the range (60, 100) can be divided into slight deviation, moderate deviation, and high deviation according to the actual scenario. When the behavioral deviation parameter includes a behavioral deviation level, a response level label can be assigned to the current access. The response level label can serve as an input reference parameter for subsequent response control strategies to ensure differentiated processing and resource allocation for behavioral deviations of different severity.

[0056] According to some embodiments of this disclosure, the behavior baseline model may include multiple behavior baseline representation units, each having a time label and a business label. Each behavior baseline representation unit includes a baseline behavior feature vector and a feature distribution boundary, the feature distribution boundary indicating the maximum permissible deviation of the behavior baseline representation unit from the baseline behavior feature vector. In other words, different standard reference boundaries for access behaviors are formed for different scenarios, effectively supporting subsequent judgment and response control strategy formulation for behavior deviations, improving the targeting and dynamic adaptability of access control, and is particularly suitable for key application scenarios such as abnormal behavior identification, identity impersonation prevention, and high-sensitivity operation strategy generation.

[0057] In this case, such as Figure 3 As shown, step S130, based on the target behavior feature vector and the behavior baseline model, determines the behavior deviation parameters of the current visit, including: Step S131: Obtain the target context status information of the currently accessed target, wherein the target context status information includes a time tag and a service tag; Step S132: Based on the target context state information, determine the target behavior baseline representation unit that is compatible with the current access from the plurality of behavior baseline representation units; Step S133: Based on the target behavior feature vector, the baseline behavior feature vector and feature distribution boundary of the target behavior baseline representation unit, determine the behavior deviation parameter of the current visit.

[0058] Therefore, by establishing standard reference boundaries for user behavior for different access scenarios (including time periods and business types), the standard reference boundaries for the corresponding access scenario can be selected during the process of judging behavior deviations. This can effectively support the judgment and response strategy formulation of behavior deviations, avoid misjudgments or inappropriate response strengths, and avoid affecting user experience.

[0059] In this embodiment of the disclosure, the access scenario can be determined by both time and business. For example, time can be divided into weekdays, weekends, mornings, and nights, with the access time determining the corresponding time period. Business activities may include, for example, login, payment, or configuration modification. By invoking the standard reference boundary for the corresponding access scenario, false alarms due to behavioral deviations, such as comparing the normal rhythm of nighttime payments with the normal rhythm of daytime queries, can be avoided. This also prevents the execution of control strategies with inappropriate response strengths based on behavioral deviation parameters calculated from such comparisons.

[0060] In some embodiments, the behavior deviation parameters include a behavior deviation score and a behavior deviation level, and the target behavior feature vector includes multiple dimensional features (such as the aforementioned access path features, operation rhythm features, and device location features). In this case, as... Figure 4 As shown, step S133, based on the target behavior feature vector and the baseline behavior feature vector and feature distribution boundary of the target behavior baseline representation unit, determines the behavior deviation parameter of the current access, including: Step S1331: For each dimension feature, calculate the feature deviation value between the target behavior feature vector and the baseline behavior feature vector; Step S1332: Determine the risk response threshold of the target behavior baseline representation unit based on the baseline behavior feature vector and feature distribution boundary of the target behavior baseline representation unit; Step S1333: Based on the multiple feature deviation values ​​corresponding to multiple dimensions of features, and the feature influence factors corresponding to each of the multiple dimensions of features, determine the behavioral deviation score value of the current visit; Step S1334: Based on the behavioral deviation score and the risk response threshold, determine whether there is behavioral deviation in the current visit; Step S1335: In response to the existence of behavioral deviation in the current visit, determine the behavioral deviation level of the current visit based on the behavioral deviation score and the risk response threshold.

[0061] Therefore, in the process of calculating the behavior deviation parameter, each feature dimension in the behavior feature vector is compared with the corresponding feature dimension (or dimensional feature) in the benchmark behavior feature vector, and its feature deviation value is calculated according to the set distance function. Furthermore, a feature influence factor is introduced to assess the contribution of each feature dimension to the behavior deviation, and the feature deviation values ​​of multiple feature dimensions are fused to obtain the behavior deviation score for the current visit, thus improving the rationality and accuracy of the behavior deviation parameter calculation.

[0062] The distance function used to calculate the feature deviation value for each feature dimension can be a non-negative numerical function that quantifies the difference between two scalar values. For example, it can take the form of an absolute difference function or a standard deviation normalized difference function. For instance, when calculating the behavioral deviation of the access path depth feature, the feature deviation value can be the absolute value of the difference between the current access path depth and the path depth of the baseline behavioral feature vector in the corresponding access scenario.

[0063] For example, after calculating the deviations for all feature dimensions, the feature deviation values ​​for each feature dimension can be normalized to ensure that they fall within a uniform numerical range, typically between zero and one, to avoid excessive deviations affecting the judgment of behavioral deviations. The normalization process can, for example, use, but is not limited to, linear mapping based on the minimum and maximum value ranges of the corresponding dimensions in the baseline model, or it can employ a non-linear method based on the proportion of the deviation range.

[0064] By introducing the importance weight parameters of each feature dimension in the behavioral feature vector, i.e. the pre-set feature influence factor, it is possible to consider the degree of influence of each feature dimension on behavioral deviation, and avoid feature dimensions with small influence having large feature deviation values, resulting in large behavioral deviation scores, which in turn affect the accuracy of behavioral deviation judgment.

[0065] For example, the normalized feature deviation values ​​can be multiplied by their respective feature influence factors, and then the results can be summed to obtain the overall behavior deviation score of the target behavior feature vector for the current visit. The larger the behavior deviation score of the current visit, the more significant the deviation between the current visit and the baseline behavior feature vector in the corresponding visit scenario.

[0066] For example, the feature influence factors of a feature dimension can be set based on business experience and the contribution of the feature dimension to behavioral deviations. For instance, a higher weight can be assigned to the loop count feature in the access path feature, while a lower weight can be assigned to the device identifier consistency ratio feature.

[0067] After obtaining the behavioral deviation score for the current visit, it is compared with the risk response threshold of the selected target behavioral baseline representation unit to determine whether a behavioral deviation exists. This risk response threshold can be determined based on the baseline behavioral feature vector and feature distribution boundary of the target behavioral baseline representation unit. This feature distribution boundary can be, for example, a fixed boundary set by combining behavioral deviation samples and safe access samples from historical visits within the corresponding visit scenario, used to delineate the boundary between normal fluctuations and suspicious anomalies. When the behavioral deviation score exceeds the risk response threshold for the corresponding visit scenario, it is determined to be a behavioral deviation event, and the process proceeds to the subsequent response control stage.

[0068] In some embodiments, the target behavior feature vector includes access path features, operation rhythm features, and device location features. In this case, step S133, based on the target behavior feature vector, and the baseline behavior feature vector and feature distribution boundary vector of the target behavior baseline representation unit, determines the behavior deviation parameter of the current access, including: Calculate the first feature deviation value of the access path feature of the target behavior feature vector relative to the access path feature of the baseline behavior feature vector; Calculate the second feature deviation value of the operation rhythm feature of the target behavior feature vector relative to the operation rhythm feature of the benchmark behavior feature vector; Calculate the third feature deviation value of the device position feature of the target behavior feature vector relative to the device position feature of the reference behavior feature vector; Based on the first feature deviation value, the second feature deviation value, and the third feature deviation value, as well as their respective feature influence factors, the behavior deviation parameters of the current visit are determined.

[0069] Therefore, it is possible to calculate the corresponding feature deviation values ​​for the three key feature dimensions of the target behavior baseline representation unit, and then calculate the overall behavior deviation parameters of the current visit based on the feature deviation values ​​of the three key feature dimensions. For details, please refer to the calculation method in the above content.

[0070] The technical solution disclosed herein determines the behavioral deviation parameters of the current access based on a behavioral baseline model, and thereby judges whether there is a behavioral deviation in the current access. The behavioral baseline model includes multiple behavioral baseline representation units corresponding to multiple access scenarios, thereby providing a standard reference benchmark for different access scenarios.

[0071] According to some embodiments of this disclosure, the behavioral baseline model may include a personalized first behavioral baseline model for each user, which is constructed based on each user's historical access records.

[0072] In some embodiments, such as Figure 5 As shown, a personalized first behavior baseline model can be built for the target user through the following steps: Step S510: Obtain multiple first behavior feature vector samples of the target user in normal access state from the target user's historical access data. The first behavior feature vector samples include access path feature samples, operation rhythm feature samples and device location feature samples. The first behavior feature vector samples have time tags and business tags. Step S520: Classify the multiple first row feature vector samples based on time tags and business tags to obtain multiple first row sample subsets; Step S530: Obtain the baseline feature vector and feature distribution boundary of each first row of sample subsets; Step S540: Construct the baseline representation unit of the first row using the baseline feature vector and feature distribution boundary of each first row of sample subsets; Step S550: Construct the first behavior baseline model based on multiple first behavior baseline representation units.

[0073] Therefore, it is possible to provide a standard reference based on users' historical access records, which is more in line with users' access habits and further improves the accuracy of judging behavioral deviations.

[0074] The first row of feature vector samples includes features in three dimensions: access path feature samples, operation rhythm feature samples, and device location feature samples. For example, the first row of feature vector samples can be a structured storage structure by concatenating the three feature dimensions within multiple consecutive time windows in historical accesses, so as to facilitate one-to-one comparison of multiple feature dimensions of the target behavior feature vector of the current access.

[0075] The time tag and business tag of the first row of feature vector samples define their corresponding access scenarios, such as weekdays, weekends, mornings, afternoons, and nights, and business tags such as login, query, submission, and payment. These time tags and business tags can be parsed from access session metadata. For example, based on these two tags, multiple first row feature vector samples can be classified at multiple levels, grouping samples with similar access time tags and the same business tags into the same first row sample subset, ensuring that each first row sample subset has consistency in access scenarios in terms of behavioral attributes.

[0076] In each first row of the sample subset, the average jump depth, loop count, and average jump interval representing the access path feature dimension can be extracted; the number of consecutive operations, input interval standard deviation, and operation response delay value representing the operation rhythm feature dimension can be extracted; and the device identifier consistency ratio, access geographical location change frequency, and network access switching count representing the device location feature dimension can be extracted. These parameters can be directly accessed and obtained through the aforementioned first row of feature vector samples.

[0077] In some embodiments, such as Figure 6 As shown, step S530, obtaining the baseline feature vector and feature distribution boundary of each first row sample subset, includes: Step S531: Use a clustering algorithm to divide the multiple first row feature vector samples contained in each first row sample subset into at least one cluster. The similarity of each dimension of the multiple first row feature vectors contained in each cluster is less than or equal to a preset value. Step S532: Obtain the cluster center vector and feature distribution boundary of each cluster, and use the cluster center vector as the baseline behavior feature vector.

[0078] Specifically, the first-row baseline representation unit is constructed using the baseline feature vector and feature distribution boundary of each first-row sample subset, including: The first row baseline representation unit is constructed using the cluster center vector and feature distribution boundary of at least one cluster of each first row sample subset.

[0079] Therefore, clustering algorithms can group typical behavioral patterns within the same time period and business scenario that have similar access path complexity, similar operational rhythm stability, and similar device stability levels. In other words, samples belonging to the same cluster are similar in key feature dimensions, while different clusters have stable differences in at least one key dimension. This allows for the formation of interpretable and executable first behavioral baseline representation units.

[0080] For example, in a scenario where users log in and then search on a weekday morning, three common clusters may form: Cluster A consists of samples from commonly used office computers, shallow jump levels, and stable operation rhythms, i.e., high device identification consistency, few network switching, and relatively stable jump intervals; Cluster B consists of samples from mobile devices that quickly view content, with shallower jump levels but shorter dwell times, i.e., medium device identification consistency, stable location, and faster operation rhythms; and Cluster C consists of samples from remote access where behavior remains stable, i.e., locations may differ but change in frequency, network is stable, and the path and operation rhythm remain regular.

[0081] In some embodiments, when calculating the behavior deviation parameter subsequently, at least one first behavior baseline representation unit with the same time and business label as the current visit can be selected. Based on the target behavior feature vector of the current visit and each of the selected first behavior baseline representation units, at least one behavior deviation parameter is calculated. The behavior deviation parameter with the smallest value among the at least one behavior deviation parameters is used as the final behavior deviation parameter for subsequent response strategies. This is because the smallest behavior deviation parameter makes the current visit and the corresponding cluster sample closer in key feature dimensions, ensuring the rationality and accuracy of the behavior deviation determination.

[0082] For example, a similarity metric function can be introduced to calculate the behavioral distance between samples of the first-order feature vector, thereby measuring the degree of behavioral similarity between samples. The chosen metric for behavioral similarity can include, but is not limited to, Euclidean distance and cosine similarity. For instance, when the feature dimensions of the sample space have uniform dimensions and good distribution continuity, Euclidean distance can be used. When focusing on the direction of change between samples rather than their absolute magnitude, cosine similarity can be used. During clustering, the similarity metric between samples can be used as the basis for dividing the sample distribution.

[0083] After clustering, a cluster center vector (i.e., baseline behavior feature vector) is generated for each cluster. For example, the average value of all first-behavior feature vector samples within the cluster across each feature dimension can be calculated to generate the cluster center vector, representing the typical behavior pattern under this access scenario. Simultaneously, the maximum deviation range of each cluster across each feature dimension can be extracted as the feature distribution boundary of this behavior pattern, used to determine whether future access behavior deviates from the normal behavior pattern under this access scenario. A normal behavior pattern refers to the deviation between the behavior feature vector of the access session and the cluster center vector under this access scenario not exceeding the feature distribution boundary. The cluster center vector and the corresponding feature distribution boundary form the first-behavior baseline representation unit for that cluster. Finally, the first-behavior baseline representation units constructed from all first-behavior sample subsets are aggregated to form a complete first-behavior baseline model covering different business scenarios and time periods. This first-behavior baseline model will provide a reference for deviation detection and response control strategy generation during the access control process.

[0084] It should be noted that when a new user has no historical access records, access control can be implemented in stages: The first stage is the initialization stage. In the user's initial access sessions, only data is collected to generate and store the joint time sequence and behavioral feature vector. Instead of immediately making strong judgments based on personal standard references, a more conservative response control scheme is adopted, such as access control strategies based on prompts and lightweight verification. At the same time, the devices obtained during the registration and binding process can be used as initial trusted devices to provide temporary references. The second stage is the general baseline stage. When there is insufficient personal historical access record data, the general behavioral baseline model under the same access scenario is called to use historical access record data from multiple sample users to make coarse-grained deviation judgments. This is used to first identify obvious anomalies, such as short-term high-frequency sensitive operations and extremely unstable network switching. The third stage is the individual baseline stage. After accumulating enough personal historical access record data to cover different access scenarios, a personalized first behavior baseline model is built based on the personal historical access record data, and the reliance on the general baseline model is gradually reduced.

[0085] For example, the first 3 access sessions for new users only involve feature collection and light verification; from the 4th to the 10th access sessions, a general baseline model is introduced. If a high-risk scenario occurs, such as high-frequency export from a different location in the early morning, a medium-intensity action is triggered; after accumulating more than 30 times and covering services such as login / query / submission, an individual baseline is then used for fine-grained deviation classification.

[0086] It should be noted that the examples in this disclosure are for ease of understanding only and do not limit the solutions in this disclosure to the implementation methods in the examples given.

[0087] Accordingly, the behavioral baseline model includes a second behavioral baseline model (i.e., a universal baseline model). In some embodiments, the second behavioral baseline model can be constructed through the following steps: From the historical access data of multiple sample users, multiple second behavioral feature vector samples are obtained for the multiple sample users in the normal access state. The second behavioral feature vector samples include access path feature samples, operation rhythm feature samples and device location feature samples. The second behavioral feature vector samples have time tags and business tags. The multiple second-row feature vector samples are classified based on time tags and business tags to obtain multiple subsets of second-row samples. Obtain the baseline feature vector and feature distribution boundary of each second row sample subset; The baseline representation unit of the second row is constructed using the feature vector of the baseline row and the feature distribution boundary of each sample subset of the second row; The second behavior baseline model is constructed based on multiple second behavior baseline representation units.

[0088] Furthermore, based on the target behavior feature vector and the behavior baseline model, the behavior deviation parameters of the current visit are determined, including: In response to the failure to construct the first behavior baseline model, the behavior deviation parameters of the current visit are determined based on the target behavior feature vector and the second behavior baseline model.

[0089] The method for obtaining the baseline feature vector and feature distribution boundary of the second row of the baseline model can be the same as that of the first row of the baseline model, and will not be described in detail here.

[0090] Accordingly, the access control method in this disclosure embodiment also includes: In response to the fact that the target user is a new user, if it is determined that the target user's current access has behavioral deviations, a preset response control strategy is executed. The preset response control strategy can be a more conservative response control scheme, such as an access control strategy based on prompts and lightweight verification, while combining the devices obtained in the registration and binding process as initial trusted devices to provide temporary references.

[0091] The above describes how to determine the behavioral deviation parameters of the current visit based on the target behavioral feature vector and the behavioral baseline model. After determining the behavioral deviation parameters, step S140 can be executed to implement the corresponding target response control strategy based on the behavioral deviation parameters.

[0092] In some embodiments, when the behavior deviation parameter includes a behavior deviation level, step S140, executing a corresponding target response control strategy based on the behavior deviation parameter, includes: In response to a behavioral deviation in the current access, a corresponding target response control strategy is executed based on the level of behavioral deviation.

[0093] Therefore, classifying behavioral deviations into levels simplifies subsequent response control.

[0094] For ease of description and understanding, the following content will describe the implementation process of step S140 in detail using the behavior deviation parameter as the behavior deviation level.

[0095] According to some embodiments of this disclosure, the target response control policy includes a target access control policy path. For example... Figure 7 As shown, step S140, executing the corresponding target response control strategy based on the behavior deviation parameters, includes: Step S141: Based on the behavior deviation parameter and the target context state information of the current access, construct a policy path graph for control scheduling. The policy path graph includes multiple second nodes and their attribute information, as well as directed edges connecting two second nodes. The second node is an access control policy action. The attribute information includes the control action type and control strength coefficient of the second node. The directed edge is used to characterize the transferable conditions and constraint relationships between the two connected second nodes. The directed edge has an edge weight parameter. The edge weight parameter is used to indicate the degree of adaptation from the previous second node connected by the directed edge to the next second node. The edge weight parameter is adapted to the behavior deviation parameter and / or target context state information of the current access. Step S142: Obtain the risk response intensity coefficient for the current access, wherein the risk response intensity coefficient is used to indicate the risk response intensity for the current access; Step S143: Based on the behavior deviation parameter of the current access and the risk response intensity coefficient, obtain the target access control policy path from the policy path map.

[0096] In the above method steps, a policy path graph for access control scheduling is constructed based on the behavior deviation level (behavior deviation parameter) and the context state information of the current access (corresponding access scenario), and the access control policy path that is most suitable for the current access is determined accordingly.

[0097] The second node of the policy path graph represents access control policy actions, such as, but not limited to, raising the authentication level, blocking access to sensitive resources, and delaying response requests.

[0098] For example, four types of control actions for the second node can be defined: N1 = prompt and record, N2 = append CAPTCHA verification, N3 = restrict sensitive operations and limit speed, and N4 = temporarily freeze and force two-factor authentication. Each control action type can be marked with a control strength coefficient. In this example, the control strength coefficients for N1, N2, N3, and N4 can be marked as increasing. It should be noted that this is only an example; the control action types and their control strength coefficients for the second node can be set according to specific application scenarios and requirements.

[0099] A directed edge connecting two second nodes defines the transition relationship from one second node to the other. The edge weight parameter represents the priority or cost of this transition in the current access's behavioral deviation level or context. For example, the edge weight parameter for CAPTCHA followed by rate limiting (N2-N3) is higher than the edge weight parameter for directly freezing the account (N2-N4). By introducing the edge weight parameter of the directed edge, the second nodes reachable by the current access's behavioral deviation level can be determined. For example, if the current access's behavioral deviation level is moderate and the risk response intensity coefficient (described in detail below) is in the medium-high range, the set of reachable second nodes for controlling the current access may be {N2, N3, N4}, and the mutual exclusion constraint relationship of the directed edge prevents access from being allowed and denied simultaneously. If the current access's behavioral deviation level is mild, the set of reachable second nodes only contains {N1, N2}. For example, even with the same level of moderate behavioral deviation, if the context indicates a high-risk access scenario, such as permission configuration, sensitive time periods, or infrequently used areas like the early morning, then the set of reachable policy nodes can be expanded to have stronger control. If the context indicates a low-risk access scenario, such as the help center, or during common time periods, then access is restricted to prompt, record, and lightweight verification nodes. For instance, large fluctuations in the intervals of the same user's input might be considered a high-risk deviation in a payment scenario, but only a minor deviation in an information browsing scenario. This difference can be determined by the context state.

[0100] By introducing a policy path graph, the sequence, dependencies, and constraints between various access control policy actions can be clearly expressed, and the principle of least intervention can be implemented by prioritizing the search of low-intervention paths. Since least intervention means minimal impact on user access control and high security, it can be prioritized for searching low-intervention paths, saving computational resources and serving as a backup.

[0101] In some embodiments, the risk response intensity coefficient of the current access is used to indicate the risk response intensity for the current access, and can be determined based on the resource sensitivity index of the target resource involved in the current access and the session risk score of the current access.

[0102] The resource sensitivity index is used to assess the sensitivity of target resources involved in the current access session. The resource sensitivity index can be related to at least one of the following: the access frequency of the target resource in historical user access, the occurrence frequency of the target resource in historical behavioral deviation access (i.e., the degree of correlation between the target resource and risk events), and the security level configuration information of the target resource. The occurrence frequency of the target resource in historical behavioral deviation access can be obtained based on the number of times the target resource was triggered by sensitive operations (such as abnormal downloads, data tampering, etc.) in historical access behavior; the more frequent the sensitive operations, the more vulnerable the target resource. The security level configuration information of the target resource may include, for example, whether it contains sensitive data or interfaces with high privileges; for example, financial information interfaces or core configuration modules have higher security levels. The resource sensitivity index of the target resource may also be related to the frequency of control policy adjustments for the target resource in historical access, i.e., whether the target resource is frequently adjusted for access permissions due to security issues. The above multiple parameters can be converted and combined using a unified unit method to obtain the resource sensitivity index; the higher the index value, the more stringent the access control required for the target resource.

[0103] For example, taking an access session that is currently configuring user permissions as an example, firstly, the resource sensitivity index of the user permission configuration module is calculated. This user permission configuration is marked as level 4 (the highest being level 5) in the resource security level label, reflecting its high configuration sensitivity. In the historical access records of the past 30 days, this module triggered sensitive operation events 12 times (out of a total access frequency of 20 times), such as unauthorized modification and field injection, indicating that it is frequently used in abnormal paths. At the same time, the access permissions of this target resource are adjusted 8 times in the access control policy (for example, a maximum value of 10 can be set; excessively high access permission adjustment frequency will affect data transmission and also pose a risk of injection attacks. Setting a maximum value can further limit access, and of course, an even higher frequency can be set; this is just an example). For example, role visibility and access rate are restricted multiple times. To unify different dimensions, security level labels, sensitive operation frequency, and policy adjustment frequency are mapped to the [0, 1] interval, respectively. For example, level 4 is converted to 0.8, sensitive operation frequency is converted to 0.6, and policy adjustment frequency is converted to 0.8. Combined with the weights set for each dimension, assuming the security label weight is 0.5, the sensitive operation weight is 0.3, and the policy adjustment weight is 0.2, the resource sensitivity index of the target resource is calculated as: 0.8×0.5+0.6×0.3+0.8×0.2=0.4+0.18+0.16=0.74, indicating that a higher level of access control policy response is required in this access.

[0104] Session risk scoring quantifies the overall risk level of a user's current access behavior. The session risk score may be related to at least one of the following: behavioral deviation parameters of the current access (e.g., behavioral deviation level), the frequency of behavioral deviations by the target user in historical accesses, the device trustworthiness of the target user's current device, and contextual risk labels. The device trustworthiness is determined based on the device identifier consistency ratio and the number of network handovers, while the contextual risk labels are determined based on the current access time, location information, and network environment.

[0105] For example, a sequence of behavioral deviation levels of a target user in historical visits can be constructed. This sequence can be used to determine the frequency of behavioral deviations of the target user in historical visits, thereby enabling the determination of whether the target user's access behavior shows a gradually deviating trend.

[0106] A lower device trust level means the current access is more likely to be considered an abnormal access. Contextual risk labels reflect the overall risk level of the current access session, such as payment operations, configuration modifications, etc., or whether the current access occurred during a sensitive time period, in an unused area, or in a high-risk network environment. These three indicators reflect the overall risk level of the current access session. For example, these three indicators can be weighted and summed according to preset risk impact weights to generate a risk score reflecting the overall risk level of the current access session, and the contextual risk label is determined based on this risk score. Contextual risk labels can include, but are not limited to, low-risk, medium-risk, and high-risk labels. A higher risk score indicates a higher overall risk level for the current access.

[0107] For example, in the current access session, the session risk score is further calculated. The target user's current access behavior deviation level is severe, corresponding to a behavior deviation level label of level 3 (the maximum level is 4), which is converted to a standardized value of 0.75. In the target user's historical access behavior records, there were 4 abnormal behavior events in the past 7 sessions, with an abnormality rate of 57%, which is proportionally mapped to a behavior deviation occurrence frequency of 0.57. The consistency ratio between the new device used in this access and the previously logged-in device identifier is 0.4, the network connection was switched twice, and the device trustworthiness is set to 0.5. The current business operation belongs to permission configuration and is defined as a high-risk scenario, with the context risk label standardized to 0.9. Based on the preset weight allocation, for example, the weight of behavioral deviation level is 0.4, the weight of the frequency of occurrence of historical access behavior deviation is 0.2, the weight of device trustworthiness is 0.2, and the weight of context risk label is 0.2, then the session risk score is: 0.75×0.4+0.57×0.2+0.5×0.2+0.9×0.2=0.3+0.114+0.1+0.18=0.694, indicating that this access behavior has a medium to high level of risk, and it is recommended to implement a strengthened access control strategy in conjunction with resource sensitivity indicators.

[0108] The following examples will illustrate the specific method for obtaining the risk response intensity coefficient in step S142.

[0109] For example, in constructing the resource sensitivity index, assuming the target resource involved in the current access session is the user data export interface, firstly, according to historical log statistics, this interface was accessed 9700 times by all users, while other ordinary pages, such as the help center page, were only accessed 2400 times. This indicates that the user data export interface has a higher access frequency, and its frequency factor is assigned to 0.92 (normalized to the maximum value). Secondly, analysis of historical behavioral deviation events over the past 90 days reveals that the user data export interface was frequently triggered, involving approximately 45 abnormal operations, accounting for 75% of the total 60 historical behavioral deviation events, and its risk association factor is assigned to 0.75. Thirdly, reading the configuration record of this target resource reveals that it has the highest privilege level and involves sensitive data export, so a security level factor of 1 is set. After normalizing the above three factors, the resource sensitivity index is synthesized by weighting them according to preset weights of 0.4 (access frequency), 0.3 (occurrence frequency), and 0.3 (security level configuration). The final resource sensitivity score is: 0.92×0.4+0.75×0.3+1×0.3=0.908. In contrast, ordinary pages such as the Help Center score less than 0.4, indicating that the user data export interface needs to be matched with a higher level of access control policy.

[0110] For example, in constructing a session risk score, assuming the target user initiating the current access has been identified as having a moderate behavioral deviation level 3 times and a severe behavioral deviation level 1 time in their last 5 historical accesses, then the frequency score of behavioral deviation in their historical sequence is set to 0.8 (frequent deviation, value close to 1); the device used for the current access is a new device, inconsistent with the target user's historical devices, with a device identifier consistency ratio of only 0.25, and the network access method changed 4 times in a single session, indicating low device trustworthiness, so the device trustworthiness score is set to 0.3; simultaneously, it is determined that the current access occurred at 2:10 AM, the geographical location is a foreign IP, and the network environment is public WiFi, all matching high-risk context labels, so the context risk factor is set to 0.9. Based on the preset weight allocation: the frequency of behavioral deviation is weighted at 0.4, the device trustworthiness weight at 0.3, and the context risk weight at 0.9, the session risk score is: 0.8 × 0.4 + 0.3 × 0.3 + 0.9 × 0.3 = 0.71. The score is much higher than the set trigger threshold of 0.5. Therefore, it will guide the matching of high-risk policy paths in the subsequent access control policy path generation stage, and activate the medium and high-level access control policy action sorting logic to ensure that access behavior is not abused by high-risk behavior.

[0111] For example, after obtaining the resource sensitivity index and the session risk score, the two index values ​​can be jointly normalized. The normalization process can use the range linear mapping method to map the two index values ​​to a unified range of zero to one. Then, the two normalized values ​​are weighted and fused to obtain the risk response intensity coefficient.

[0112] The joint normalization of resource sensitivity indicators and session risk scores can be achieved by mapping the resource sensitivity indicators and session risk scores to the same scale before joint fusion. The specific implementation process can be as follows: First, determine a reference range for the resource sensitivity index. This could be the minimum and maximum values ​​from all historical access samples in this business scenario, or the lower and upper limits set in the policy configuration. Then, map the current access's resource sensitivity index to 0 to 1 according to this reference range. Similarly, determine a reference range for the session risk score, which can also be the statistical interval or a preset interval from historical access samples. Then, map the current session risk score to 0 to 1 according to this reference range. This yields the normalized values ​​of the resource sensitivity index and the session risk score. These are then weighted according to the fusion weights configured in the policy configuration to generate a risk response strength coefficient.

[0113] For example, in a permission configuration scenario, the resource sensitivity index for this scenario over the past 90 days typically falls between 0.30 and 0.95. If the resource sensitivity index for a particular access session is 0.74, then the normalized value of the mapped resource sensitivity index is approximately (0.74-0.30) / (0.95-0.30)≈0.68. The historical range of the session risk score in this scenario is 0.10 to 0.90. If the session risk score for a particular access session is 0.694, then the normalized value of the mapped session risk score is approximately (0.694-0.10) / (0.90-0.10)≈0.74. Then, by applying a preset fusion weight, such as a fusion weight of 0.4 for the resource sensitivity index and a fusion weight of 0.6 for the session risk score, a weighted calculation of 0.68×0.4+0.74×0.6 is performed, generating a risk response intensity coefficient of approximately 0.72.

[0114] The calculated risk response intensity coefficient will serve as a core reference factor for generating subsequent access control policy paths. A higher value indicates a more stringent access control policy action. Specifically, for the current access session, resource sensitivity indicators and session risk scores are first mapped to the same scale to obtain a session-level risk intensity scalar. This determines which control intensity level intervals' second nodes are reachable and which paths are directly excluded in the policy path graph. For example, when the risk response intensity coefficient is in a high-level range, access control policy paths containing multiple restrictions and blocking of highly sensitive resources will be prioritized; while when the risk response intensity coefficient is in a low-to-medium level range, access control policy paths with suggestive, logging, or lightweight authentication enhancements will be selected. This completes the construction of a set of access control policy paths that match the current behavior deviation level and context state.

[0115] According to some embodiments of this disclosure, such as Figure 8 As shown, step S143, based on the behavior deviation parameter of the current access and the risk response intensity coefficient, obtains the target access control policy path from the policy path graph, including: Step S1431: Based on the behavior deviation parameter of the current access, traverse the policy path graph to obtain multiple control paths; Step S1432: Based on the risk response intensity coefficient and the node selection rule table, a set of access control policy paths is selected from the multiple control paths. The set of access control policy paths includes multiple access control policy paths. The node selection rule table is used to limit the preset constraints that must be met to generate the access control policy path. Step S1433: Obtain the response strength factor for each access control policy path, wherein the response strength factor is used to indicate the degree of risk matching between the current access and the access control policy path; Step S1434: Based on the corresponding response strength factors of the multiple access control policy paths, determine at least one target access control policy path from the access control policy path set.

[0116] In the above method, constructing a response intensity factor means that after obtaining the set of reachable paths, a score with the highest risk adaptability is calculated for each candidate policy path. The constructed response intensity factor is no longer just the resource sensitivity index and session risk score itself, but rather a fusion of the obtained risk response intensity coefficient and the path's own attributes to form an evaluation metric for whether this path is suitable for the current risk. By traversing all reachable policy path sets in the policy path graph and matching the response intensity factor with the path control intensity level, the policy path with the highest risk adaptability can be selected as the target access control policy path set.

[0117] In some embodiments, in step S1431, the edge weight parameters of the directed edges between each second node (access control policy action) in the policy path graph can be parsed. These edge weight parameters reflect the priority, cost, or adaptability of transitioning from one policy action to another at a specific risk response level. For example, on the directed edge between the two second nodes, multi-factor authentication and account locking, a higher cost or lower priority can be assigned to avoid directly executing high-intervention actions in cases of low-level deviation. Based on the currently identified behavioral deviation level, the search scope in the policy path graph can be limited, retaining only the set of policy action nodes (second nodes) reachable by the current behavioral deviation level, forming an initial response policy candidate set. Multiple control paths can be obtained based on this initial response policy candidate set.

[0118] The risk response level can be determined, for example, based on the risk response intensity coefficient of the current visit, or based on the behavioral deviation parameters of the current visit. For instance, after determining the risk response level, a risk response level label can be added to the current visit for use in subsequent response control strategies.

[0119] In other embodiments, in step S1431, the current access behavior deviation level node can be used as the starting point (corresponding to the second node on the policy path graph). All control paths originating from this starting point are traversed in the policy path graph to form a set of effective control paths. Each control path represents a logically feasible chain of access control policy actions. Each node on the control path represents a specific access control policy action, such as enhanced device verification, resource access delay, behavior log recording, or temporary permission freezing. The directed edges on the control path represent the transferable conditions and constraints between nodes. During the traversal, each downstream access control policy action node is identified, and its bound control action type and control strength coefficient are extracted (e.g., a control level label determined based on the control strength coefficient, such as account freezing belonging to a high-strength control level and CAPTCHA enhancement belonging to a medium-strength control level), providing a candidate pool for subsequent path filtering.

[0120] In some embodiments, in step S1432, a node selection rule table can be constructed based on at least one of the following: the span of control strength level between access control policy actions (i.e., the degree of jump, indicating the degree of jump in control strength between two access control policy actions), the control strength level of access control policy actions, and whether there is a logical mutual exclusion relationship between access control policy actions (e.g., allow access and deny access cannot coexist in the same policy path). The above information is combined to form the constraints of access control policy path combination, ensuring that the generated access control policy path conforms to the integrity and executability of policy execution logic.

[0121] In some embodiments, in step S1433, the response intensity factor can be determined based on the risk response intensity coefficient of the current access and the path attribute information of the access control policy path. Thus, the response intensity factor can be used to measure the degree of risk matching between the current access behavior and the path combination in the policy path map. The higher the value of the factor, the more effectively the policy path can cope with the current risk.

[0122] The specific method for obtaining the risk response intensity coefficient has been described above and will not be repeated here.

[0123] The path attribute information of the access control policy path may include at least one of the following: the control strength coefficient of the multiple second nodes included in the access control policy path, the weight parameter of the directed edge in the access control policy path, the satisfaction status of the mutual exclusion constraints of the multiple second nodes included in the access control policy path, and the control cost factor of the multiple second nodes included in the access control policy path, wherein the control cost factor is used to characterize the degree of intervention of the access control policy action on the current access.

[0124] For example, if the risk response intensity coefficients fall in the medium-high range, path A is from CAPTCHA to speed limit to recording, path B is direct freezing, and path C is only prompting. In this case, among the three behavior deviation levels and / or context state indicators, B and A are allowed, while C may be weaker. The response intensity factor of the path will further determine: A is more in line with the risk response intensity level range and has a lower control cost, so it scores the highest; B can cover the risk but the intervention is too strong and violates the principle of minimum intervention, so the score decreases; C is also reduced due to insufficient coverage. Finally, the response intensity factor of the control path with the highest risk fit is used to select the control path.

[0125] In some embodiments, the attribute information of each second node in the strategy path graph further includes the expected intervention scope and intervention level. The control cost factor of the second node is determined based on at least one of the following: the invasiveness coefficient of executing the second node, the resource overhead required to execute the second node, the response time of executing the second node, and the target user's acceptance of executing the second node. The invasiveness coefficient of executing the second node and the target user's acceptance of executing the second node can be determined based on the expected intervention scope and intervention level of the second node. A control cost factor can be assigned to each second node in the strategy path graph.

[0126] The expected scope of intervention may include, but is not limited to, affecting a single request, a single session, or across sessions. The degree of intervention may include, but is not limited to, qualitative indicators calculated from past user interaction records and subjective feedback tags. Typically, the intensity of intervention is divided into three levels: mild, moderate, and severe, reflecting the degree of inconvenience perceived by the user after executing the access control policy action corresponding to this second node.

[0127] The invasiveness coefficient of executing the second node can refer to the invasiveness of the access control policy action corresponding to the second node. For example, forced logout is highly invasive, while CAPTCHA verification is low-invasive. The resource overhead required to execute the second node can refer to the resources required to execute the access control policy action corresponding to the second node, such as whether an external authentication interface or scheduling log analysis module needs to be loaded. The response time of executing the second node can refer to the average execution time required from triggering to completing the access control policy action corresponding to the second node. The target user's acceptance of executing the second node can be obtained by summarizing and statistically analyzing historical user access behavior and their reactions to the control policy, used to assess the user's tolerance for the type of control action to which the access control policy action belongs in different scenarios.

[0128] For example, the above four indicators can be fused together using a preset function to form the final control cost factor, which serves as the core metric for action sequencing in order to determine the final target access control strategy path.

[0129] For example, the four indicators mentioned above can be standardized to eliminate differences in units and numerical ranges, ensuring they can be integrated on the same scale. For instance, the invasiveness level of executing a second node can be divided into five levels (from prompt only to forced blocking), uniformly mapped to 0.2 to 1.0; the resource overhead required to execute a second node can be converted into a standard score by assessing the required CPU, memory, and IO load; the response time of executing a second node can be normalized by statistically analyzing the response time of second node executions in historical accesses, based on the ratio of average to maximum time; the user acceptability level can be inferred from user feedback or models, also mapped to a value of 0 to 1 (the lower the value, the less acceptable the action is to the user). Next, weight coefficients are set for each indicator, determined by business security policies or derived from historical data training. For example, in scenarios with high business continuity requirements, a higher weight can be given to the user acceptability level; while in emergency response or high-risk environments, the invasiveness and response time indicators are prioritized. Assuming an intrusiveness weight of 0.4, resource overhead of 0.2, response time of 0.2, and acceptability of 0.2, the four standardized metrics are summed according to their weights to generate the final control cost factor. A higher factor value indicates greater user interference, heavier resource burden, longer implementation time, or lower user acceptance of the control action; therefore, it is ranked lower in the execution priority order. Conversely, a lower control cost factor value results in higher priority execution.

[0130] For example, if an access control policy's action is to interrupt the current access, with an intrusiveness level of the highest (1.0), a resource overhead assessment of medium (0.6), a short response time of short (0.3), and extremely low user acceptability of extremely low (0.2), then after weight fusion, the control cost factor is: 1.0×0.4+0.6×0.2+0.3×0.2+0.2×0.2=0.4+0.12+0.06+0.04=0.62.

[0131] For example, another access control policy action is to trigger CAPTCHA verification, which has an intrusiveness level of 0.3, resource cost of 0.1, response time of 0.2, and acceptability of 0.9. The control cost factor calculated using the same method is only 0.29, so it will be executed first in the ranking. This kind of fusion method can quantify and rank actions with different response times to ensure a balance between control execution and risk level, resource status, and user experience.

[0132] According to some embodiments of this disclosure, such as Figure 9 As shown, step S1434, determining at least one target access control policy path from the access control policy path set based on the corresponding response strength factors of each of the multiple access control policy paths, includes:

[0133] Step S14341: Determine multiple target nodes from the access control policy path set, wherein the control strength of the target nodes is adapted to the behavior deviation parameter of the current access;

[0134] Step S14342: Based on the respective control cost factors of the multiple target nodes, determine the execution order of the multiple target nodes to obtain at least one target access control policy path.

[0135] Therefore, multiple target nodes that are more suitable for the current behavior deviation level are further selected from the set of access control policy paths composed of reachable nodes by using behavior deviation parameters (such as behavior deviation level). Then, the execution order is determined based on the control cost factors of multiple target nodes to obtain at least one target access control policy path. This makes the response range of the target access control policy path acceptable and ensures that the sorting range meets the actual risk requirements.

[0136] For example, a corresponding response intensity level range can be set based on the current level of behavioral deviation. This range defines which types of access control policy actions are acceptable. For instance, a minor deviation might allow only low-intrusion and low-cost access control policy actions, a moderate deviation might allow moderate intervention, and a severe deviation might allow the activation of high-intensity control policy actions. Under this constraint, access control policy action nodes exceeding the response intensity level range of the current deviation level are filtered out, ensuring that the sorting range meets actual risk requirements.

[0137] In some embodiments, based on the multiple target nodes obtained through filtering, they can be arranged from low to high according to the value of the control cost factor, and the access control policy action with lower cost and lower impact on users can be selected as the pre-execution scheme for response.

[0138] In the above sorting process, if there are multiple access control policy actions with the same or similar control cost factors, it is necessary to introduce additional sorting indicators to assist in decision-making.

[0139] In some embodiments, when multiple control actions have the same or similar costs, the execution order of the multiple target nodes may be determined based on their respective control cost factors, including: Since the control cost factors of the two target nodes are the same (within the allowable error range), the execution order of the two target nodes is determined based on the context weight and historical execution weight of the target nodes. The context weight is used to indicate the degree of adaptability of the current access business scenario to the execution of the target node, and the historical execution weight is used to indicate the degree of influence of the execution of the target node on the target user's access behavior in the past access.

[0140] Therefore, for access control policy actions with the same control cost, the final execution priority is determined by context weight and historical execution weight (e.g., access control policy actions with a higher combined value of context weight and historical execution weight are executed first). This ranking mechanism ensures that among multiple response policy candidates, actions with high risk adaptability, good intervention effect, and minimal impact on user experience are selected first, achieving the goals of accurate response, security balance, and efficient control. Furthermore, it can provide differentiated intervention strategies even when the control cost factors are the same.

[0141] The context scenario weight represents the adaptability of the current business scenario to the execution of the target node. This weight can be set according to the sensitivity level of the business module, resource type, and user identity level. For example, the weight of authentication-based access control policy actions is higher in a payment scenario. The historical execution weight reflects the response effect of the access control policy action on the target user's behavior returning to baseline in similar behavioral deviation events in the past. This effect can be calculated by statistical indicators such as behavior regression time and the degree of behavior stability recovery. For example, if an access control policy action can quickly bring user behavior back to normal in eight out of the past ten executions, then the weight is higher.

[0142] It should be noted that in the embodiments of this disclosure, some parameters may have the same English letters, but they are explained with different meanings when used.

[0143] As an example, in an enterprise office platform, a target user enters the user data export interface and triggers an export operation in the current access session. The access path of this session is from the homepage to the data center to the export center and then to the user data export interface. The path depth and average jump interval are within the normal range of the target user's behavioral baseline model. However, there are continuous high-frequency clicks and repeated triggering of export requests with short intervals before and after the export, and the input interval fluctuates significantly. At the same time, the terminal device identifier has a low matching degree with the historical records, the location information is inconsistent with the historically frequently used areas, and the network access method is switched multiple times within the session. The behavioral deviation score calculated using the technical solution in this embodiment exceeds the risk response threshold, is identified as a behavioral deviation event, and is marked as a medium-to-high behavioral deviation level based on the behavioral deviation score and the risk response threshold. The target context state information of the current access session is high-sensitivity resource access in a nighttime export scenario, thus allowing the execution of a higher-intensity response control strategy.

[0144] Based on the behavior deviation level and the target context state information of the current access session, a policy path graph is constructed. The policy path graph is defined as a directed structure used for control scheduling. Policy nodes in the graph correspond to specific access control policy actions (referred to as "policy actions" or "control actions"). Directed connections correspond to the transferable conditions and constraints (such as mutual exclusion constraints) between the connected policy actions. The edge weight parameter describes the degree of adaptation (such as transfer priority or transfer action cost) under a given behavior deviation level and context state. In this example, the preset policy actions include risk warning and recording, CAPTCHA verification, multi-factor authentication, reducing export frequency, temporarily freezing export permissions, and forcibly terminating the session. The connections between preset actions include: risk warning and recording can be transferred to CAPTCHA verification or reducing export frequency; CAPTCHA verification can be transferred to multi-factor authentication or reducing export frequency; reducing export frequency can be transferred to temporarily freezing export permissions; and temporarily freezing export permissions can be transferred to forcibly terminating the session. The preset mutual exclusion constraints include: continuing to allow export and freezing export permissions cannot appear simultaneously in the same control path.

[0145] Based on the medium to high level of behavioral deviation, the set of reachable policy nodes obtained after parsing the graph includes risk warning and recording, CAPTCHA verification, multi-factor authentication, reducing export frequency, and temporarily freezing export permissions. Extreme policy actions such as directly forcibly terminating the session are retained as end-stage escalation actions but are not included in the preferred candidate range, thus forming the initial set of reachable policy nodes.

[0146] Subsequently, an access control policy path set (hereinafter referred to as the policy path set) is generated. Specifically, this may include: first, calculating the resource sensitivity index of the target resource involved in the current access (e.g., the user data export interface). The user data export interface belongs to the sensitive data outbound resource category, with a high security level configuration, high correlation of historical deviation events, and high policy adjustment frequency, thus the resource sensitivity index is at a high level; then, calculating the session risk score of the current access session. The target user has recently had multiple behavioral deviation records, the device trust score is low, and it hits nighttime and non-historically frequently used areas, thus the session risk score is also at a high level. After mapping the resource sensitivity index and session risk score to the same dimension interval, they are jointly fused to obtain the risk response intensity coefficient. If this coefficient falls into the medium-high risk response level range, it indicates that the control policy path is allowed to include medium-high intensity control actions such as reducing the export frequency and multi-factor authentication, but the principle of minimum intervention should still be followed to prioritize low-cost action paths. Under the constraint of medium-high risk response level, the policy path graph is enumerated and preset constraints such as mutual exclusion constraints are applied to obtain multiple control paths as a candidate access control policy path set (hereinafter referred to as the "candidate policy path set"). Examples of the candidate strategy path set could be: the first path is risk warning and recording to CAPTCHA verification to reduce export frequency; the second path is CAPTCHA verification to multi-factor authentication; and the third path is CAPTCHA verification to reduce export frequency to temporarily freeze export permissions.

[0147] Then, the candidate strategy path set is screened for risk suitability. Specifically, a response strength factor is used as the path-level scoring metric. The response strength factor incorporates the risk response strength coefficient, the control strength coefficient sequence of multiple strategy nodes in the control path, the weight parameters of directed edges, and the control cost factor into the evaluation. The control cost factor is obtained by fusing the invasiveness coefficient of the control action, resource overhead, execution time, and user acceptability through a unified dimensional mapping. Generally, the control cost factor of CAPTCHA verification and reducing export frequency is lower than that of temporarily freezing export permissions, while multi-factor authentication falls in between. Combining the risk response strength level of the current access session with the principle of minimum intervention, the path from risk warning and recording to CAPTCHA verification to reducing export frequency strikes a better balance between risk coverage and intervention cost. Therefore, its response strength factor is superior, and it is selected as the preferred target access control strategy path.

[0148] The execution phase is implemented step-by-step in order of priority. First, a risk warning is issued and recorded, informing the user of the risk inherent in the current operation and adding it to the audit log. Then, CAPTCHA verification is performed. After successful verification, the behavioral deviation score and export request frequency are monitored within subsequent time windows. If the behavioral deviation score falls back to within the threshold and the export request frequency returns to normal, the restriction on the reduced export frequency is maintained or lifted, and continued access is allowed. If CAPTCHA verification passes but export requests remain high and network switching continues abnormally, the export frequency is reduced, and the number of exports per unit time is limited. If the behavioral deviation score remains high or the behavioral deviation level escalates after reducing the export frequency, the process moves along the policy graph to temporarily freeze export permissions and trigger a review process. If necessary, it further moves to forcibly terminating the session. The strategy path graph is used to express strategy action nodes, transferable conditions, and mutual exclusion constraints. The candidate access control strategy path set is used to generate multiple candidate control paths under the constraints of behavior deviation level and context state. The risk response intensity coefficient is used to limit the multiple candidate control paths and risk response intensity level. The response intensity factor and control cost factor are used to select the target access control strategy path with the highest risk adaptability and the principle of minimum intervention among the multiple candidate control paths.

[0149] According to some embodiments of this disclosure, a user access control device is also provided. For example... Figure 10As shown, the user access control device 100 includes: a first acquisition module 110, configured to acquire, in response to an access request from a target user, operation behavior data and device environment parameter information of the target user during the current access process. The operation behavior data includes at least one of page resource click data, page jump path, interaction dwell time, input interval time, and function call sequence. The device environment parameter information includes at least one of device type, operating system version, browser type, hardware unique identifier, network access method, and location information. A second acquisition module 120 is configured to acquire a target behavior feature vector based on the operation behavior data and device environment parameter information. A determination module 130 is configured to determine the behavior deviation parameters of the current access based on the target behavior feature vector and a behavior baseline model. The behavior baseline model includes multiple behavior baseline representation units, each of which has a time label and a business label, and includes a baseline behavior feature vector and a feature distribution boundary. The feature distribution boundary is used to indicate the maximum allowable deviation range of the behavior baseline representation unit from the baseline behavior feature vector. Determining the behavior deviation parameters of the current access includes: acquiring the target context state information of the current access, the target context state information including a time label. The system includes: signing and business tags; determining a target behavior baseline representation unit adapted to the current access from the plurality of behavior baseline representation units based on the target context state information; determining the behavior deviation parameter of the current access based on the target behavior feature vector, the baseline behavior feature vector and feature distribution boundary of the target behavior baseline representation unit; and executing module 140, configured to execute a corresponding target response control strategy based on the behavior deviation parameter. The strategy path graph includes multiple access control strategy action nodes and their attribute information, as well as directed edges connecting two access control strategy action nodes. The attribute information includes the access control strategy... The control action type and control strength coefficient of the short action node; the directed edge represents the transferable conditions and constraints between the two access control policy action nodes connected; the directed edge has an edge weight parameter, which is used to indicate the degree of adaptation from the previous node to the next node connected by the directed edge; the edge weight parameter is adapted with the behavior deviation parameter of the current access and / or the target context state information; the determination of the target access control policy path comprehensively considers the behavior deviation parameter and the control cost factor of each access control policy action node; the control cost factor is used to characterize the degree of intervention of the access control policy action on the current access.

[0150] The operation of each module of the user access control device is similar to the operation of each step of the user access control method described above, and will not be repeated here.

[0151] According to some embodiments of this disclosure, an electronic device is also provided, comprising: a memory; at least one processor, the memory storing computer instructions that can be executed by the at least one processor to implement the methods described above.

[0152] According to some embodiments of this disclosure, a non-transitory computer-readable storage medium storing computer instructions is also provided, wherein the computer instructions implement the above-described method when executed by at least one processor.

[0153] According to some embodiments of this disclosure, a computer program product is also provided, including computer instructions that, when executed by at least one processor, implement the methods described above.

[0154] See Figure 11 The following description serves as a structural block diagram of the electronic device 1100 of this disclosure, which is an example of a hardware device applicable to various aspects of this disclosure. The electronic device can be different types of computer devices, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers, and other suitable computers. The electronic device can also represent various forms of mobile devices, such as personal digital processors, cellular phones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions are merely illustrative and are not intended to limit the implementation of the disclosure described and / or claimed herein.

[0155] Figure 11 A block diagram of an electronic device according to an embodiment of the present disclosure is shown. (As follows) Figure 11 As shown, the electronic device 1100 may include at least one processor 1101, working memory 1102, I / O device 1104, display device 1105, storage device 1106 and communication interface 1107 that are capable of communicating with each other via system bus 1103.

[0156] Processor 1101 may be a single processing unit or multiple processing units, and all processing units may include single or multiple computing units or multiple cores. Processor 1101 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuits, and / or any device that manipulates signals based on operating instructions. Processor 1101 may be configured to acquire and execute computer-readable instructions stored in working memory 1102, storage device 1106, or other computer-readable media, such as program code of operating system 1102a, program code of application program 1102b, etc.

[0157] Working memory 1102 and storage device 1106 are examples of computer-readable storage media for storing instructions executed by processor 1101 to perform the various functions described above. Working memory 1102 may include both volatile and non-volatile memory (e.g., RAM, ROM, etc.). Furthermore, storage device 1106 may include hard disk drives, solid-state drives, removable media including external and removable drives, memory cards, flash memory, floppy disks, optical disks (e.g., CDs, DVDs), storage arrays, network-attached storage, storage area networks, etc. Working memory 1102 and storage device 1106 may be collectively referred to herein as memory or computer-readable storage media, and may be non-transitory media capable of storing computer-readable, processor-executable program instructions as computer program code, which may be executed by processor 1101 as a specific machine configured to perform the operations and functions described in the examples herein.

[0158] I / O device 1104 may include input devices and / or output devices. Input devices may be any type of device capable of inputting information to electronic device 1100, and may include, but are not limited to, a mouse, keyboard, touch screen, trackpad, trackball, joystick, microphone, and / or remote control. Output devices may be any type of device capable of presenting information, and may include, but are not limited to, video / audio output terminals, vibrators, and / or printers.

[0159] The communication interface 1107 allows the electronic device 1100 to exchange information / data with other devices through computer networks such as the Internet and / or various telecommunications networks, and may include, but is not limited to, modems, network cards, infrared communication devices, wireless communication transceivers and / or chipsets, such as Bluetooth™ devices, 802.11 devices, Wi-Fi devices, WiMax devices, cellular communication devices and / or the like.

[0160] The application program 1102b in the working memory 1102 can be loaded to execute the various methods and processes described above, for example... Figure 1 Steps S110-S140 are described above. In some embodiments, part or all of the computer program may be loaded and / or installed on the electronic device 1100 via storage device 1106 and / or communication interface 1107. When the computer program is loaded and executed by processor 1101, one or more steps of the real-time generation method of digital human described above may be performed.

[0161] Various embodiments of the systems and techniques described above herein can be implemented in digital electronic circuit systems, integrated circuit systems, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems-on-a-chip (SoCs), payload-programmable logic devices (CPLDs), computer hardware, firmware, software, and / or combinations thereof. These various embodiments may include implementations in one or more computer programs that can be executed and / or interpreted on a programmable system including at least one programmable processor, which may be a dedicated or general-purpose programmable processor, capable of receiving data and instructions from a storage system, at least one input device, and at least one output device, and transmitting data and instructions to the storage system, the at least one input device, and the at least one output device.

[0162] The program code used to implement the methods of this disclosure may be written in any combination of one or more programming languages. This program code may be provided to a processor or controller of a general-purpose computer, special-purpose computer, or other programmable data processing apparatus, such that when executed by the processor or controller, the program code causes the functions / operations specified in the flowcharts and / or block diagrams to be implemented. The program code may be executed entirely on a machine, partially on a machine, as a standalone software package partially on a machine and partially on a remote machine, or entirely on a remote machine or server.

[0163] In the context of this disclosure, a machine-readable medium can be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device. A machine-readable medium can be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium can be, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.

[0164] To provide interaction with a user, the systems and techniques described herein can be implemented on a computer having: a display device for displaying information to the user (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor); and a keyboard and pointing device (e.g., a mouse or trackball) through which the user provides input to the computer. Other types of devices can also be used to provide interaction with the user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form (including sound input, voice input, or tactile input).

[0165] The systems and technologies described herein can be implemented in computing systems that include backend components (e.g., as a data server), or computing systems that include middleware components (e.g., an application server), or computing systems that include frontend components (e.g., a user computer with a graphical user interface or web browser through which a user can interact with implementations of the systems and technologies described herein), or any combination of such backend, middleware, or frontend components. The components of the system can be interconnected via digital data communication of any form or medium (e.g., a communication network). Examples of communication networks include local area networks (LANs), wide area networks (WANs), and the Internet.

[0166] A computing system may include clients and servers. Clients and servers are generally located far apart and typically interact through a communication network. The client-server relationship is created by computer programs running on the respective computers and having a client-server relationship with each other.

[0167] It should be understood that the various forms of processes shown above can be used to rearrange, add, or delete steps. For example, the steps described in this disclosure can be performed in parallel, sequentially, or in a different order, as long as the desired result of the technical solution disclosed in this disclosure can be achieved, and this is not limited herein.

[0168] In the description of the above embodiments, specific features, structures, materials, or characteristics may be combined in any suitable manner in one or more embodiments or examples.

[0169] The above description is merely a specific embodiment of this disclosure, but the scope of protection of this disclosure is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this disclosure should be included within the scope of protection of this disclosure. Therefore, the scope of protection of this disclosure should be determined by the scope of the claims.

Claims

1. A user access control method, comprising: In response to the access request of the target user, the system obtains the target user's operation behavior data and device environment parameter information during the current access process. The operation behavior data includes at least one of page resource click data, page jump path, interaction dwell time, input interval time, and function call sequence. The device environment parameter information includes at least one of device type, operating system version, browser type, hardware unique identifier, network access method, and location information. Based on the operational behavior data and equipment environmental parameter information, obtain the target behavior feature vector; Based on the target behavior feature vector and the behavior baseline model, the behavior deviation parameters of the current access are determined. The behavior baseline model includes multiple behavior baseline representation units, each with a time label and a business label, and contains a baseline behavior feature vector and a feature distribution boundary. The feature distribution boundary indicates the maximum allowable deviation range of the behavior baseline representation unit from the baseline behavior feature vector. Determining the behavior deviation parameters of the current access includes: obtaining the target context state information of the current access, which includes a time label and a business label; based on the target context state information, determining a target behavior baseline representation unit adapted to the current access from the multiple behavior baseline representation units; and determining the behavior deviation parameters of the current access based on the target behavior feature vector, the baseline behavior feature vector of the target behavior baseline representation unit, and the feature distribution boundary. Based on the behavior deviation parameters, a target access control policy path is determined and executed from a pre-constructed policy path graph. The policy path graph includes multiple access control policy action nodes and their attribute information, as well as directed edges connecting two access control policy action nodes. The attribute information includes the control action type and control strength coefficient of each access control policy action node. The directed edge represents the transferable conditions and constraints between the two connected access control policy action nodes. The directed edge has an edge weight parameter, which indicates the degree of adaptation for jumping from the previous node to the next node connected by the directed edge. The edge weight parameter is adapted to the behavior deviation parameters of the current access and / or the target context state information. The determination of the target access control policy path comprehensively considers the behavior deviation parameters and the control cost factors of each access control policy action node. The control cost factors represent the degree of intervention of the access control policy action on the current access.

2. The method according to claim 1, wherein, The target behavior feature vector includes access path features, operation rhythm features, and device location features.

3. The method according to claim 2, wherein, The access path features include the current access path depth, loop count, and average jump interval. The path depth is the maximum number of jump levels from the access entry page to the current page. The loop count is the frequency of repeatedly accessing the same page in the access path. The average jump interval is the time difference between every two jump events. Based on the operational behavior data and device environmental parameter information, a target behavior feature vector is obtained, including: Based on the page resource click data and page jump path, a directed access graph is constructed with page resources as nodes and jump relationships as directed edges; Based on the directed access graph, the path depth, loop count, and average jump interval of the current access are obtained.

4. The method according to claim 2, wherein, The operation rhythm characteristics include the number of consecutive operations, the standard deviation of the input interval, and the operation response delay value. The number of consecutive operations is the number of times the target user performs an input operation without interruption. The standard deviation of the input interval is the standard deviation of the time interval between two adjacent input operations. The operation response delay value is the time delay from when the target user initiates an input operation to when the system responds. Based on the operational behavior data and device environmental parameter information, a target behavior feature vector is obtained, including: Based on the operation behavior data, sub-operation rhythm features are extracted from each of the multiple consecutive time windows of the current access process. The sub-operation rhythm features include the number of consecutive operations, the standard deviation of the input interval, and the operation response delay value. The operation rhythm features are formed by splicing together the sub-operation rhythm features of multiple time windows.

5. The method according to claim 2, wherein, The device location characteristics include device identifier consistency ratio, frequency of changes in access geographical location, and number of network access switching times; The device identifier consistency ratio is the ratio of the number of identical device identifier parameters in the current device identifier parameters used by the target user and the historical device identifier parameters used by the target user to the total number of device identifier parameters. The device identifier parameters include device type, operating system version, browser type, and hardware unique identifier.

6. The method according to claim 2, wherein, Based on the target behavior feature vector, and the baseline behavior feature vector and feature distribution boundary vector of the target behavior baseline representation unit, the behavior deviation parameters of the current access are determined, including: Calculate the first feature deviation value of the access path feature of the target behavior feature vector relative to the access path feature of the baseline behavior feature vector; Calculate the second feature deviation value of the operation rhythm feature of the target behavior feature vector relative to the operation rhythm feature of the benchmark behavior feature vector; Calculate the third feature deviation value of the device position feature of the target behavior feature vector relative to the device position feature of the reference behavior feature vector; Based on the first feature deviation value, the second feature deviation value, and the third feature deviation value, as well as their respective feature influence factors, the behavior deviation parameters of the current visit are determined.

7. The method according to claim 1, wherein, The behavioral deviation parameters include a behavioral deviation score and a behavioral deviation level; The target behavior feature vector includes multiple dimensions of features. Based on the target behavior feature vector and the baseline behavior feature vector of the target behavior baseline representation unit, the behavior deviation parameters of the current access are determined, including: For each dimension feature, calculate the feature deviation value between the target behavior feature vector and the baseline behavior feature vector; The risk response threshold of the target behavior baseline representation unit is determined based on the baseline behavior feature vector and feature distribution boundary of the target behavior baseline representation unit; Based on the deviation values ​​of multiple features corresponding to multiple dimensions and the feature influence factors of each of the multiple dimensions, the behavioral deviation score of the current visit is determined. Based on the behavioral deviation score and the risk response threshold, it is determined whether there is a behavioral deviation in the current visit; In response to the presence of behavioral deviation in the current visit, the behavioral deviation level of the current visit is determined based on the behavioral deviation score and the risk response threshold. Furthermore, the execution of a corresponding target response control strategy based on the behavioral deviation parameters includes: In response to a behavioral deviation in the current access, a corresponding target response control strategy is executed based on the level of behavioral deviation.

8. The method according to claim 1, wherein, Based on the behavior deviation parameters, the target access control policy path is determined from the pre-built policy path graph and executed, including: Obtain the risk response intensity coefficient of the current access, which is determined based on the resource sensitivity index of the target resource involved in the current access and the session risk score of the current access; Based on the behavior deviation parameters, the strategy path graph is traversed to obtain multiple control paths; Based on the risk response intensity coefficient and node selection rule table, a set of access control policy paths is selected from the multiple control paths; Based on the response strength factor of each access control policy path, at least one target access control policy path is determined from the set of access control policy paths, wherein the response strength factor is related to the control cost factor of multiple access control policy actions contained in the access control policy path.

9. The method according to claim 8, wherein, The resource sensitivity index is related to at least one of the following: the access frequency of the target resource in historical user access, the occurrence frequency of the target resource in historical behavioral deviation access, and the security level configuration information of the target resource. The session risk score is related to at least one of the following: behavioral deviation parameters of the current visit, frequency of behavioral deviations of the target user in historical visits, device trustworthiness of the target user's current device, and context risk label; The device trustworthiness is determined based on the device identifier consistency ratio and the number of network switching, while the context risk label is determined based on the current access time, location information, and network environment.

10. The method according to claim 8, wherein, The node selection rule table is used to limit the preset constraints that the access control policy path must meet to generate the access control policy path; the response strength factor is used to indicate the degree of risk matching between the current access and the access control policy path.

11. The method according to claim 10, wherein, The preset constraints are constructed based on at least one of the following: the degree of jump in control strength between two second nodes, the control strength coefficient of the second nodes, and the logical mutual exclusion relationship between the second nodes.

12. The method according to claim 10, wherein, The response intensity factor is determined based on the risk response intensity coefficient of the current access and the path attribute information of the access control policy path. The path attribute information includes the control cost factors of multiple access control policy actions contained in the access control policy path.

13. The method according to claim 12, wherein, The attribute information of the second node also includes the expected scope and degree of intervention, and the control cost factor is determined based on at least one of the following: the invasiveness coefficient of executing the second node, the resource overhead required to execute the second node, the response time of executing the second node, and the target user's acceptance of executing the second node.

14. The method according to claim 12, wherein, Based on the response strength factor corresponding to each access control policy path, at least one target access control policy path is determined from the set of access control policy paths, including: Multiple target nodes are determined from the access control policy path set, and the control strength of the target nodes is adapted to the behavior deviation parameter of the current access. Based on the respective control cost factors of the multiple target nodes, the execution order of the multiple target nodes is determined to obtain at least one target access control policy path.

15. The method according to claim 14, wherein, Based on the respective control cost factors of the multiple target nodes, the execution order of the multiple target nodes is determined, including: Since the control cost factors of the two target nodes are the same, the execution order of the two target nodes is determined based on the context weight and historical execution weight of the target nodes. The context weight is used to indicate the degree of adaptability of the current access business scenario to the execution of the target node, and the historical execution weight is used to indicate the degree of influence of the execution of the target node on the target user's access behavior in the past access.

16. The method according to claim 1, wherein, In response to the target user's access request, obtain the target user's operational behavior data and device environment parameter information during the current access process, including: In response to the access request of the target user, the system acquires operation behavior data and device environment parameter information within each of multiple consecutive time windows during the current access process. Based on the operational behavior data and equipment environment parameter information within each time window, a behavior status recording unit is generated; and The behavior status record units of multiple time windows are spliced ​​together in chronological order to form a joint time sequence of the entire current access process; The process of obtaining a target behavior feature vector based on the operational behavior data and device environmental parameter information includes: The target behavior feature vector is obtained based on the joint time series sequence.

17. The method according to claim 1, wherein, The behavioral baseline model includes a first behavioral baseline model, which is constructed through the following steps: From the historical access data of the target user, obtain multiple first behavioral feature vector samples of the target user in the normal access state. The first behavioral feature vector samples include access path feature samples, operation rhythm feature samples and device location feature samples. The first behavioral feature vector samples have time tags and business tags. Based on time tags and business tags, the multiple first row feature vector samples are classified to obtain multiple first row sample subsets; Obtain the baseline feature vector and feature distribution boundary of each first row of sample subsets; The baseline representation unit of the first row is constructed using the baseline feature vector and feature distribution boundary of each sample subset in the first row; The first behavior baseline model is constructed based on multiple first behavior baseline representation units.

18. The method according to claim 17, wherein, Obtain the baseline feature vector and feature distribution boundary of each first row of sample subsets, including: Clustering algorithms are used to divide the multiple first-row feature vector samples contained in each first-row sample subset into at least one cluster. The similarity of each dimension of the multiple first-row feature vectors contained in each cluster is less than or equal to a preset value. Obtain the cluster center vector and feature distribution boundary of each cluster, and use the cluster center vector as the baseline behavior feature vector; Specifically, the first row baseline representation unit is constructed using the baseline row feature vector and feature distribution boundary of each first row sample subset, including: The first row baseline representation unit is constructed using the cluster center vector and feature distribution boundary of at least one cluster of each first row sample subset.

19. The method according to claim 17, wherein, The behavioral baseline model includes a second behavioral baseline model, which is constructed through the following steps: From the historical access data of multiple sample users, multiple second behavioral feature vector samples are obtained for the multiple sample users in the normal access state. The second behavioral feature vector samples include access path feature samples, operation rhythm feature samples and device location feature samples. The second behavioral feature vector samples have time tags and business tags. The multiple second-row feature vector samples are classified based on time tags and business tags to obtain multiple subsets of second-row samples. Obtain the baseline feature vector and feature distribution boundary of each second row sample subset; The baseline representation unit of the second row is constructed using the feature vector of the baseline row and the feature distribution boundary of each sample subset of the second row; The second behavior baseline model is constructed based on multiple second behavior baseline representation units; Furthermore, based on the target behavior feature vector and the behavior baseline model, the behavior deviation parameters of the current visit are determined, including: In response to the failure to construct the first behavior baseline model, the behavior deviation parameters of the current visit are determined based on the target behavior feature vector and the second behavior baseline model.

20. The method of claim 17, further comprising: In response to the fact that the target user is a new user, if it is determined that the target user's current access has behavioral deviations, a preset response control strategy is executed.

21. A user access control device, comprising: The first acquisition module is configured to respond to the access request of the target user and acquire the target user's operation behavior data and device environment parameter information during the current access process. The operation behavior data includes at least one of page resource click data, page jump path, interaction dwell time, input interval time, and function call sequence. The device environment parameter information includes at least one of device type, operating system version, browser type, hardware unique identifier, network access method, and location information. The second acquisition module is configured to acquire a target behavior feature vector based on the operation behavior data and device environment parameter information; A determination module is configured to determine the behavior deviation parameters of the current access based on the target behavior feature vector and the behavior baseline model. The behavior baseline model includes multiple behavior baseline representation units, each with a time label and a business label, and contains a baseline behavior feature vector and a feature distribution boundary. The feature distribution boundary indicates the maximum allowable deviation range of the behavior baseline representation unit from the baseline behavior feature vector. Determining the behavior deviation parameters of the current access includes: acquiring target context state information of the current access, including a time label and a business label; determining a target behavior baseline representation unit adapted to the current access from the multiple behavior baseline representation units based on the target context state information; and determining the behavior deviation parameters of the current access based on the target behavior feature vector, the baseline behavior feature vector of the target behavior baseline representation unit, and the feature distribution boundary. An execution module is configured to determine and execute a target access control policy path from a pre-built policy path graph based on the behavior deviation parameters. The policy path graph includes multiple access control policy action nodes and their attribute information, as well as directed edges connecting two access control policy action nodes. The attribute information includes the control action type and control strength coefficient of each access control policy action node. The directed edge represents the transferable conditions and constraints between the two connected access control policy action nodes. The directed edge has an edge weight parameter, which indicates the degree of adaptation for jumping from the previous node to the next node connected by the directed edge. The edge weight parameter is adapted to the behavior deviation parameters of the current access and / or the target context state information. The determination of the target access control policy path comprehensively considers the behavior deviation parameters and the control cost factors of each access control policy action node. The control cost factors represent the degree of intervention of the access control policy action on the current access.

22. An electronic device, comprising: At least one processor; as well as A memory connected to the at least one processor, wherein the memory stores computer instructions that, when executed by the at least one processor, enable the implementation of the method according to any one of claims 1-20.

23. A non-transitory computer-readable storage medium storing computer instructions, wherein, The computer instructions, when executed by at least one processor, are capable of implementing the method of any one of claims 1-20.

24. A computer program product comprising computer instructions, wherein, The computer instructions, when executed by at least one processor, are capable of implementing the method of any one of claims 1-20.