CN120750618A - Intelligent management system and method applied to interactive authentication platform - Google Patents
- Publication number
- CN120750618A (application number CN202511064047.9A)
- Authority
- CN
- China
- Prior art keywords
- authentication
- client
- server
- interaction
- information
- Prior art date
- Legal status
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
- H04L63/12—Applying verification of the received information
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Power Engineering (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses an intelligent management system and method applied to an interactive authentication platform, in the technical field of intelligent management of interactive authentication platforms. A multi-factor dynamic authentication module integrates a plurality of authentication factors and verifies the identity of the client caller; a behavior pattern analysis module collects and analyzes the caller's historical interaction data and constructs a behavior pattern model; and a risk assessment and decision module quantitatively assesses the risk level of each service interaction. The invention obtains a plurality of authentication factor combinations from the authentication strategy, so that different kinds of service request receive tailored protection, and combines them with the constructed behavior pattern model to verify the identity of the client caller precisely. Through this multiple protection mechanism, information theft and the execution of malicious operations can be effectively avoided, and the system protects the interaction information precisely.
Description
Technical Field
The invention relates to the technical field of intelligent management of an interactive authentication platform, in particular to an intelligent management system and method applied to the interactive authentication platform.
Background
In the current complex and changeable network environment, interaction between servers and between server and client is increasingly frequent, and conventional authentication methods have difficulty coping with diversified and complex attack means.
The traditional authentication mode based on user name and password has low security: once an attacker has obtained the password, they can easily impersonate the caller's identity to call a service interface and complete information theft or execute malicious operations. At the same time, the traditional authentication method lacks effective supervision and analysis of caller behavior, so potential malicious attacks suffered by the client cannot be discovered in time, and the traditional authentication system cannot balance the working efficiency and the security of service interaction.
Disclosure of Invention
The invention aims to provide an intelligent management system and method applied to an interactive authentication platform, so as to solve the problems in the prior art.
In order to achieve the aim, the invention provides the following technical scheme that the intelligent management system applied to the interactive authentication platform comprises a client, a server and an authentication server;
The client side performs information interaction with the server side, and is used for initiating a service request to the server side, collecting authentication information according to an authentication request sent by the server side and submitting the collected authentication information to the server;
The server is used for sending an authentication request to the client according to an authentication strategy fed back by the authentication server, forwarding a service request initiated by the client and submitted authentication information to the authentication server, and determining whether to allow the service request to continue to execute according to an authentication result of the authentication server;
The authentication server is used for generating an authentication strategy according to the client information and feeding back the authentication strategy to the server, performing authentication processing on authentication information forwarded by the server, and feeding back an authentication processing result to the server.
Further, the authentication server is internally provided with a multi-factor dynamic authentication module, a behavior pattern analysis module and a risk assessment and decision module;
the multi-factor dynamic authentication module is used for integrating a plurality of authentication factors, verifying the identity of the client caller and dynamically adjusting the authentication strategy through these factors, ensuring that the system can be adapted to different application scenes and security requirements;
The behavior pattern analysis module is used for collecting and analyzing historical interaction data of a client caller and constructing a behavior pattern model;
the risk assessment and decision module is used for quantitatively assessing the risk level of each service interaction and feeding back an assessment result to the server as an authentication result.
Further, the multi-factor dynamic authentication module comprises an authentication policy generation unit, an authentication information analysis unit and a dynamic authentication unit;
the authentication policy generation unit determines a target service interface of the server according to the application identifier of the client and the initiated service request, and dynamically generates an authentication policy according to the authority level of the determined target service interface and the type of the service request initiated by the client;
the authentication information analysis unit performs matching analysis on the authentication information collected by the client according to the dynamically generated authentication policy, the reservation information of the client caller at the server and the historical interaction information of the client caller at the server, and verifies the identity of the client caller based on the matching analysis result; if the identity verification succeeds, the authentication result is to execute the service request, and if it fails, the authentication result is to refuse the service request;
After the authentication of the client caller is successful, the dynamic authentication unit generates a dynamic key by adopting an asymmetric encryption algorithm and combining a corresponding time stamp, a random number and a unique identification code of equipment used by the client caller when the authentication of the client caller is completed, and transmits the generated dynamic key to the client and the server, the client encrypts the initiated service request data by using the dynamic key, and the server decrypts the service request data by using the dynamic key after receiving the service request.
In the key generation process, the dynamic authentication unit combines the timestamp, the random number and the unique identification code of the equipment used by the client caller to ensure the uniqueness and unpredictability of the key; the dynamic key becomes invalid immediately after each service interaction and is regenerated for the next interaction, ensuring the high security of the service request data.
Further, the behavior pattern analysis module comprises a judging unit, a behavior characteristic acquisition unit and a behavior pattern model construction unit;
The judging unit performs integrity check on the decrypted data obtained by the server, judges whether the service request initiated by the client needs to be re-authenticated according to the check result, does not need to be re-authenticated when the integrity of the decrypted data obtained by the server is 1, and re-authenticates the service request initiated by the client according to the multi-factor authentication module when the integrity of the decrypted data obtained by the server is not 1;
the behavior feature acquisition unit acquires behavior features of a client caller in each service request process when the judgment result is that the service request initiated by the client does not need to be re-authenticated;
The behavior pattern model construction unit constructs a behavior pattern model according to the acquired behavior characteristics.
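The one-time key lifecycle described for the dynamic authentication unit above, together with the judging unit's integrity check that decides whether a request is re-authenticated, as an added example that is not part of the patent: the key is bound to the completion timestamp, a random number and the device identifier, is handed out for exactly one interaction and then invalidated, and a request whose tag fails to verify yields integrity 0 and a re-authentication decision. The patent specifies an asymmetric algorithm for generating the key; this example derives it with HMAC-SHA256 from a server-side secret instead so that it runs with the standard library only, and it leaves out the encryption of the request body. The class name, the validity window and all sample inputs are assumptions.

```python
import hashlib
import hmac
import os


class DynamicKeyUnit:
    """Issues one-time dynamic keys and hands each out for exactly one service interaction.

    Swapped-in technique (assumption): HMAC-SHA256 over a server-side secret instead of the
    asymmetric algorithm named in the text. The inputs bound into the key follow the text:
    completion timestamp, random number, unique identification code of the caller's device.
    """

    def __init__(self, server_secret: bytes, ttl_seconds: int = 60):
        self._secret = server_secret
        self._ttl = ttl_seconds            # validity window: an assumption, the text gives none
        self._live = {}                    # key_id -> (key, expires_at); one entry per pending interaction

    def issue(self, device_id: str, auth_completed_at: float, rand: bytes = None):
        nonce = rand if rand is not None else os.urandom(16)
        material = f"{auth_completed_at:.6f}|{device_id}|".encode() + nonce
        key = hmac.new(self._secret, material, hashlib.sha256).digest()
        key_id = hashlib.sha256(key).hexdigest()[:16]
        self._live[key_id] = (key, auth_completed_at + self._ttl)
        return key_id, key

    def consume(self, key_id: str, now: float):
        """Return the key for one interaction and invalidate it; None if unknown, used or expired."""
        entry = self._live.pop(key_id, None)
        if entry is None:
            return None
        key, expires_at = entry
        if now > expires_at:
            return None
        return key


def protect_request(key: bytes, request: bytes) -> bytes:
    """Client side: append an HMAC tag so the server can check the integrity of the request."""
    return request + hmac.new(key, request, hashlib.sha256).digest()


def integrity_check(key: bytes, blob: bytes) -> int:
    """Judging unit: integrity 1 when the tag verifies, 0 otherwise."""
    if len(blob) < 32:
        return 0
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return 1 if hmac.compare_digest(expected, tag) else 0


def service_interaction(unit: DynamicKeyUnit, key_id: str, now: float, blob: bytes) -> dict:
    """Server side: fetch the one-time key, check integrity, decide on re-authentication."""
    key = unit.consume(key_id, now)
    if key is None:
        return {"integrity": 0, "reauthenticate": True, "reason": "key invalid or consumed"}
    ok = integrity_check(key, blob)
    return {"integrity": ok, "reauthenticate": ok != 1, "reason": "ok" if ok else "tampered"}


if __name__ == "__main__":
    unit = DynamicKeyUnit(b"constructed-server-secret")
    kid, key = unit.issue("device-CONSTRUCTED-01", 1700000000.0)
    blob = protect_request(key, b'{"op": "transfer", "amount": 100}')   # constructed request
    print(service_interaction(unit, kid, 1700000001.0, blob))
    print(service_interaction(unit, kid, 1700000002.0, blob))           # second use is refused
```

The second call with the same key id fails even though the blob is unchanged, which is the property the text asks for: a captured request cannot be replayed after the interaction it belonged to.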
Further, the specific method for the behavior feature acquisition unit to acquire the behavior feature of the client caller in each service request process is as follows:
acquiring a key time stamp of a client caller in a service request process, wherein the key time stamp comprises time T1 when the client initiates the service request, starting time T2 and ending time T3 when the client collects authentication information;
Determining the type of the service request initiated by the client at time T1, acquiring the request frequency f with which the client caller issues service requests of that type, taking the request frequency as the independent variable and the authentication information acquisition time as the dependent variable, constructing a linear relation model R between request frequency and acquisition time, inputting the request frequency f into the linear relation model R to obtain the acquisition time R(f), and taking the authentication information acquisition time deviation R(f) − (T3 − T2) of the client caller as the first static behavior characteristic of the client caller;
Determining the target service interface called by the client at time T1, numbering the target service interfaces in descending order of the number of times the client caller has called each of them, the numbering result being i = 1, 2, …, n, where n represents the total number of target service interfaces, calculating the difference s between the number of the target service interface the client caller historically called when initiating a service request of the determined type and the number of the determined target service interface, and taking the difference g = 1 − 1/|s| between the value 1 and 1/|s| as the second static behavior characteristic of the client caller;
when a service end executes a service request of a determined type, acquiring interaction information of a client calling party, wherein the interaction information comprises an interaction object, an interaction grade and an interaction type;
Determining the interaction grade and the interaction type of each interaction object according to the historical interaction information of the client caller, giving the same weight value to the same interaction grade or the same interaction type, and numbering the interaction objects, the numbering result being j = 1, 2, …, m, where m represents the total number of interaction objects;
According to the acquired interaction information of the client caller, determining the weight value d1p corresponding to the interaction grade of interaction object p and the weight value d2p corresponding to its interaction type, where p = 1, 2, …, m;
according to the historical interaction information, obtaining the mean weight value d1'p corresponding to the interaction grade of interaction object p and the mean weight value d2'p corresponding to its interaction type;
taking d1p − d1'p as the first dynamic behavior feature of the client caller and d2p − d2'p as the second dynamic behavior feature of the client caller.
The dynamic behavior characteristics and the static behavior characteristics of the client calling party are acquired, and the behavior pattern model is constructed according to the acquired behavior characteristics, so that the identity of the client calling party is accurately verified, and the management effect of the system is further improved.
Further, the specific method for constructing the behavior pattern model by the behavior pattern model constructing unit according to the acquired behavior characteristics is as follows:
Taking H = a1×g + a2×ln[1 + |R(f) − (T3 − T2)|] as the first behavior pattern model of the client caller, where a1 and a2 are proportionality coefficients with a1 + a2 = 1, and H represents the first behavior characteristic value of the client caller;
taking K = a3×(d1p − d1'p) + a4×(d2p − d2'p) as the second behavior pattern model of the client caller, where a3 and a4 are proportionality coefficients with a3 + a4 = 1, and K represents the second behavior characteristic value of the client caller;
when K > Y or H > X, the interaction information of the client caller is abnormal behavior information; when 0 ≤ K ≤ Y and 0 ≤ H ≤ X, the interaction information of the client caller is normal behavior information.
Further, the risk assessment and decision module comprises a risk assessment unit and an authentication decision unit;
When the risk assessment unit judges that the interaction information of the client calling party is abnormal behavior information, carrying out risk assessment on the interaction behavior of the client calling party according to the first behavior characteristic value and the second behavior characteristic value;
the authentication decision unit selects whether to add authentication factors according to the risk assessment result, and when the additional authentication factors are needed, the additional authentication request is sent to the client through the server, the client collects additional authentication information according to the additional authentication request, and the additional authentication information is forwarded to the authentication server through the server for verification until the risk assessment result is that the additional authentication factors are not needed, or the server refuses the service request again.
Further, the specific method for risk assessment by the risk assessment unit on the interaction behavior of the client caller is as follows:
when K > Y and 0 ≤ H ≤ X, or when H > X and 0 ≤ K ≤ Y:
the risk assessment value W of the client caller is quantized as W = 1 − exp(−K) or W = 1 − exp(−H), respectively;
when K > Y and H > X:
the risk assessment value W of the client caller is quantized as W = 1 − exp(−K×H);
if 0 ≤ W ≤ 0.3, the risk assessment grade of the client caller is the first grade;
if 0.3 < W ≤ 0.6, the risk assessment grade of the client caller is the second grade;
if 0.6 < W ≤ 1, the risk assessment grade of the client caller is the third grade;
where exp() represents the exponential function with base e, e = 2.73.
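The feature extraction, the two behavior pattern models and the risk quantization above, carried through end to end in Python as an added example (not the patent's own code): the linear relation model R is fitted by least squares to a constructed history, target service interfaces are numbered by descending call count, g and R(f) − (T3 − T2) feed H, the weight-mean differences feed K, and W and its grade follow from the thresholds. The weights, the thresholds X and Y, the coefficients a1 to a4 and the sample interaction are constructed assumptions; the handling of s = 0 and of negative K, which the text leaves open, is marked in the code.

```python
import math
from statistics import mean

# Constructed history of one client caller for the linear relation model R: request frequency f
# of one request type against the authentication information acquisition time T3 - T2 (seconds).
HISTORY_F = [2, 4, 6, 8, 10]
HISTORY_T = [6.0, 5.0, 4.0, 3.0, 2.0]


def fit_linear_model(fs, ts):
    """Least-squares fit R(f) = a*f + b (frequency independent, acquisition time dependent)."""
    fm, tm = mean(fs), mean(ts)
    sxx = sum((f - fm) ** 2 for f in fs)
    a = sum((f - fm) * (t - tm) for f, t in zip(fs, ts)) / sxx
    b = tm - a * fm
    return lambda f: a * f + b


def interface_numbers(call_counts):
    """Number target service interfaces 1..n in descending order of how often the caller used them."""
    ordered = sorted(call_counts, key=lambda k: call_counts[k], reverse=True)
    return {name: i for i, name in enumerate(ordered, start=1)}


def static_features(R, f, t2, t3, numbers, historical_iface, target_iface):
    """First static feature R(f) - (T3 - T2); second static feature g = 1 - 1/|s|."""
    deviation = R(f) - (t3 - t2)
    s = numbers[historical_iface] - numbers[target_iface]
    # The text leaves s == 0 (same interface as usual) undefined; treated as g = 0 (assumption).
    g = 0.0 if s == 0 else 1 - 1 / abs(s)
    return deviation, g


def dynamic_features(grade_w, type_w, current, history):
    """d1p - d1'p and d2p - d2'p for interaction object p: current (grade, type) versus its history."""
    d1p, d2p = grade_w[current[0]], type_w[current[1]]
    d1_mean = mean(grade_w[g] for g, _ in history)
    d2_mean = mean(type_w[t] for _, t in history)
    return d1p - d1_mean, d2p - d2_mean


def first_model(g, deviation, a1=0.5, a2=0.5):
    return a1 * g + a2 * math.log(1 + abs(deviation))      # H


def second_model(dd1, dd2, a3=0.5, a4=0.5):
    return a3 * dd1 + a4 * dd2                              # K


def classify(H, K, X, Y):
    if K > Y or H > X:
        return "abnormal"
    if 0 <= K <= Y and 0 <= H <= X:
        return "normal"
    return "unclassified"   # negative K: not covered by the conditions given in the text


def risk_value(H, K, X, Y):
    """W for abnormal behaviour; None when no risk assessment is performed."""
    if K > Y and H > X:
        return 1 - math.exp(-K * H)
    if K > Y and 0 <= H <= X:
        return 1 - math.exp(-K)
    if H > X and 0 <= K <= Y:
        return 1 - math.exp(-H)
    return None


def risk_grade(W):
    if W <= 0.3:
        return 1
    if W <= 0.6:
        return 2
    return 3


# Constructed weights and one sample interaction; thresholds X and Y are assumptions.
GRADE_W = {"low": 1, "medium": 2, "high": 3}
TYPE_W = {"query": 1, "update": 2, "transfer": 3}
SAMPLE = {
    "f": 4, "t2": 100.0, "t3": 100.5,                       # 0.5 s to collect credentials: unusually fast
    "call_counts": {"balance_query": 40, "transfer": 12, "statement": 5, "limit_change": 1},
    "historical_iface": "transfer", "target_iface": "limit_change",
    "current": ("high", "transfer"),
    "history": [("low", "query"), ("low", "query"), ("medium", "query"), ("low", "update")],
    "X": 1.0, "Y": 1.0,
}


def assess(sample):
    """Run the behavior pattern models and the risk assessment for one service interaction."""
    R = fit_linear_model(HISTORY_F, HISTORY_T)
    deviation, g = static_features(R, sample["f"], sample["t2"], sample["t3"],
                                   interface_numbers(sample["call_counts"]),
                                   sample["historical_iface"], sample["target_iface"])
    dd1, dd2 = dynamic_features(GRADE_W, TYPE_W, sample["current"], sample["history"])
    H, K = first_model(g, deviation), second_model(dd1, dd2)
    W = risk_value(H, K, sample["X"], sample["Y"])
    return {"H": H, "K": K, "classification": classify(H, K, sample["X"], sample["Y"]),
            "W": W, "grade": None if W is None else risk_grade(W)}
```

Calling `assess(SAMPLE)` gives g = 0.5 (the caller usually hits the second most used interface, here the fourth), H ≈ 1.10 and K = 1.75, so both thresholds are exceeded and W = 1 − exp(−K×H) ≈ 0.85, third grade; a caller whose K is negative (current interaction weights below its historical mean) is reported as unclassified because the text's normal/abnormal conditions do not cover that case.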
Further, the additional authentication factors comprise static authentication factors and dynamic authentication factors, the static authentication factors comprise face recognition verification and target service interface re-verification, and the dynamic authentication factors are interaction information re-verification.
An intelligent management method applied to an interactive authentication platform, the method comprising:
S10, integrating a plurality of authentication factors and verifying the identity of the client caller;
S20, collecting and analyzing historical interaction data of the client caller, and constructing a behavior pattern model;
S30, quantitatively evaluating the risk level of each service interaction, and feeding back the evaluation result to the server as the authentication result;
S40, the server selects whether to execute the service request initiated by the client according to the feedback result.
Compared with the prior art, the invention has the beneficial effects that:
1. According to the invention, an authentication strategy is dynamically generated according to the authority level of the target service interface and the type of service request initiated by the client, and a plurality of authentication factor combinations are obtained from the authentication strategy, so that different kinds of service request receive tailored protection. The behavior pattern model is constructed by combining the dynamic behavior characteristics and the static behavior characteristics obtained from the interaction information, and the identity of the client caller is verified precisely. Through this multiple protection mechanism, information theft and the execution of malicious operations can be effectively avoided, and the system protects the interaction information precisely.
2. According to the invention, the dynamic behavior characteristics and the static behavior characteristics are obtained, so that the interactive behavior of the calling party of the client is effectively monitored, and the potential malicious attack suffered by the client can be found out in time.
3. According to the invention, through the behavior pattern model obtained after continuous optimization, not only can the normal service request initiated by the client be ensured to be authenticated quickly, but also the interference of the verification step corresponding to the additional authentication factor on the service request flow can be reduced, and the balance of the working efficiency and the safety is realized.
Drawings
Fig. 1 is a schematic structural diagram of the working principle of an intelligent management system applied to an interactive authentication platform.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The embodiment of the invention provides an intelligent management system and a method technical scheme applied to an interactive authentication platform, as shown in figure 1, wherein the system comprises a client, a server and an authentication server;
The client side performs information interaction with the server side, the client side is used for initiating a service request to the server side, collecting authentication information according to an authentication requirement sent by the server side, submitting the collected authentication information to the server, the client side comprises, but is not limited to, a mobile application client side, a desktop application client side, an Internet of things equipment client side and the like, and the collection process of the authentication information is executed after authorization of a client side calling party;
the server is used for sending an authentication request to the client according to an authentication strategy fed back by the authentication server, forwarding a service request initiated by the client and submitted authentication information to the authentication server, and deciding whether to allow the service request to continue to be executed or not according to an authentication result of the authentication server, wherein the server comprises but is not limited to a Web server, a mobile application back-end server, a service node in a micro-service architecture and the like;
The authentication server is used for generating an authentication strategy according to the client information and feeding back the authentication strategy to the server, performing authentication processing on the authentication information forwarded by the server, and feeding back an authentication processing result to the server;
The authentication server is internally provided with a multi-factor dynamic authentication module, a behavior pattern analysis module and a risk assessment and decision module;
The multi-factor dynamic authentication module is used for integrating a plurality of authentication factors and verifying the identity of a client caller;
the multi-factor dynamic authentication module comprises an authentication policy generation unit, an authentication information analysis unit and a dynamic authentication unit;
The authentication policy generation unit determines a target service interface of the server according to the application identifier of the client and the initiated service request, and dynamically generates an authentication policy according to the authority level of the determined target service interface and the type of the service request initiated by the client, wherein the type of the service request comprises transfer transaction, content release and the like;
For example, when a user invokes a transfer transaction interface of a bank background system (server) through a mobile banking client to complete a funds transfer operation:
the user initiates a transfer transaction request at the mobile banking client, and the bank background system sends the application identifier of the client to the authentication server; the application identifier comprises the bank APP version number, the device model used by the user and the like. The authentication server generates an authentication strategy according to the high authority level of the transfer transaction interface (the target service interface), namely that the caller of the mobile banking client is required to provide a user name and password, a fingerprint, the device geographical position and the like;
when a user invokes the release interface of a platform content management server through a custom release client to upload multimedia content such as articles, pictures and videos, the process is as follows:
When a user initiates a content request by using a release client, a platform content management server sends an application identifier of the client to an authentication server, wherein the application identifier comprises a client software version, a device model used by the user, a device operating system version and the like, and the authentication server generates an authentication strategy according to medium authority of a platform content release interface (target service interface), wherein the authentication strategy comprises a calling party requiring the release client to provide a user name password, a device fingerprint (the device fingerprint refers to a device hardware serial number), topic classification of release content and the like;
The authentication information analysis unit performs matching analysis on authentication information collected by the client according to the dynamically generated authentication strategy, reservation information of the client calling party at the server and historical interaction information of the client calling party at the server, and verifies the identity of the client calling party based on a matching analysis result, if the identity verification is successful, the authentication result is an execution service request, if the identity verification is unsuccessful, the authentication result is a denial of service request, and the historical interaction information comprises a common transaction area range of the client calling party and a hardware serial number of equipment used by the client calling party in the past;
For example, when the user invokes a transfer transaction interface of a bank background system (server side) through a mobile phone bank client to complete a funds transfer operation:
the user enters the user name and password at the prompt of the mobile banking client and performs the fingerprint recognition operation, while the client collects the device geographical position information (such as coordinate data based on GPS or base station positioning); the client encrypts the authentication information and sends it to the bank background system, which forwards it to the multi-factor dynamic authentication module of the authentication server. The authentication information analysis unit first verifies that the user name and password are correct; if so, it invokes the biometric recognition service to verify whether the fingerprint information matches the fingerprint the user has reserved at the bank, and at the same time checks whether the device geographical position lies within the user's common transaction area range (judged from the historical transaction records). If the user name and password are correct, the fingerprint matches and the geographical position is normal, user identity verification succeeds; otherwise it fails;
when a user invokes the release interface of a platform content management server through a custom release client to upload multimedia content such as articles, pictures and videos, the process is as follows:
The user enters the user name and password at the release client, allows the release client to collect the device fingerprint information and selects the topic classification of the release content; the release client packages and encrypts the authentication information and sends it to the platform content management server, which forwards it to the authentication server. The multi-factor dynamic authentication module verifies whether the user name and password are correct; if so, it checks whether the device fingerprint information matches a device fingerprint record the user has used before (preventing a stolen device from being used to release illegal content), and at the same time checks whether the topic classification of the release content falls within the range allowed by the platform. If the user name and password are correct, the device fingerprint matches and the content topic is within the allowed range, user identity verification succeeds; otherwise it fails;
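The policy generation of the authentication policy generation unit and the matching analysis of the authentication information analysis unit, for the two scenarios above (bank transfer, content release), as an added Python example that is not part of the patent: the policy is looked up from the interface authority level and the request type, and every factor it names is checked against the caller's reservation and historical records. Factor names, the password storage scheme (PBKDF2), the digest comparison standing in for the biometric recognition service, the radius-based common transaction area and all record values are assumptions.

```python
import hashlib
import hmac
import math

# Constructed authentication policies keyed by (authority level of the target service
# interface, service request type), following the two scenarios in the text.
# Factor names and the default policy are illustrative assumptions, not the patent's.
POLICIES = {
    ("high", "transfer_transaction"): ("username_password", "fingerprint", "device_geolocation"),
    ("medium", "content_release"): ("username_password", "device_fingerprint", "topic_classification"),
}
DEFAULT_POLICY = ("username_password",)


def generate_policy(authority_level, request_type):
    """Authentication policy generation unit: factors required for this interface and request type."""
    return POLICIES.get((authority_level, request_type), DEFAULT_POLICY)


def password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


# Each checker takes (collected value, reservation record, historical interaction record).
def check_password(value, reservation, history):
    return hmac.compare_digest(password_hash(value, reservation["salt"]), reservation["pw_hash"])


def check_fingerprint(value, reservation, history):
    # Stand-in for the biometric recognition service: compares a template digest (assumption).
    return hmac.compare_digest(hashlib.sha256(value).digest(), reservation["fingerprint_template"])


def check_geolocation(value, reservation, history):
    # Common transaction area range from historical records: a centre and a radius (assumption).
    return haversine_km(value, history["common_area_centre"]) <= history["common_area_radius_km"]


def check_device_fingerprint(value, reservation, history):
    # The device fingerprint is the hardware serial number; it must match a serial used before.
    return value in history["device_serials"]


def check_topic(value, reservation, history):
    # The release topic must fall within the platform's allowed range, kept server-side.
    return value in reservation["allowed_topics"]


CHECKERS = {
    "username_password": check_password,
    "fingerprint": check_fingerprint,
    "device_geolocation": check_geolocation,
    "device_fingerprint": check_device_fingerprint,
    "topic_classification": check_topic,
}


def analyse(policy, collected, reservation, history):
    """Authentication information analysis unit: every factor of the policy must match.

    Returns the authentication result and the per-factor outcome, so the server side can
    see which factor failed without that detail being returned to the client.
    """
    outcome = {}
    for factor in policy:
        value = collected.get(factor)
        outcome[factor] = value is not None and bool(CHECKERS[factor](value, reservation, history))
    result = "execute_service_request" if all(outcome.values()) else "refuse_service_request"
    return result, outcome


# Constructed server-side records for one caller (not real data).
SALT = b"constructed-salt"
RESERVATION = {
    "salt": SALT,
    "pw_hash": password_hash("correct horse battery", SALT),
    "fingerprint_template": hashlib.sha256(b"constructed-minutiae-template").digest(),
    "allowed_topics": {"technology", "travel"},
}
HISTORY = {
    "common_area_centre": (31.2304, 121.4737),    # constructed: a city-centre coordinate
    "common_area_radius_km": 50.0,
    "device_serials": {"SN-CONSTRUCTED-0001"},
}

if __name__ == "__main__":
    policy = generate_policy("high", "transfer_transaction")
    collected = {"username_password": "correct horse battery",
                 "fingerprint": b"constructed-minutiae-template",
                 "device_geolocation": (31.20, 121.50)}
    print(policy, analyse(policy, collected, RESERVATION, HISTORY))
```

A missing factor is treated exactly like a failed one, and the per-factor outcome stays on the server side: the client only learns that the request was refused, which is the behaviour the text describes for an unsuccessful identity verification.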
After the authentication of the client calling party is successful, the dynamic authentication unit adopts an asymmetric encryption algorithm, combines a corresponding time stamp and a random number when the authentication of the client calling party is finished with a unique identification code of equipment used by the client calling party, generates a dynamic key, transmits the generated dynamic key to the client and the server, encrypts the initiated service request data by using the dynamic key, and decrypts the service request data by using the dynamic key after the server receives the service request;
The behavior pattern analysis module is used for collecting and analyzing historical interaction data of a client caller and constructing a behavior pattern model;
The behavior pattern analysis module comprises a judging unit, a behavior characteristic acquisition unit and a behavior pattern model construction unit;
The judging unit performs an integrity check on the decrypted data obtained by the server and judges from the check result whether the service request initiated by the client needs to be re-authenticated: when the integrity of the decrypted data obtained by the server is 1, the service request does not need to be re-authenticated, and when it is not 1, the service request is re-authenticated by the multi-factor dynamic authentication module. The method for performing the integrity check on the decrypted data is prior art;
When the judging result is that the service request initiated by the client does not need to be re-authenticated, the behavior feature acquiring unit acquires the behavior feature of the client calling party in the process of each service request, and the specific method is as follows:
acquiring a key time stamp of a client caller in a service request process, wherein the key time stamp comprises time T1 when the client initiates the service request, starting time T2 and ending time T3 when the client collects authentication information;
Determining the type of the service request initiated by the client at time T1, acquiring the request frequency f with which the client caller issues service requests of that type, taking the request frequency as the independent variable and the authentication information acquisition time as the dependent variable, constructing a linear relation model R between request frequency and acquisition time, inputting the request frequency f into the linear relation model R to obtain the acquisition time R(f), and taking the authentication information acquisition time deviation R(f) − (T3 − T2) of the client caller as the first static behavior characteristic of the client caller, where the authentication information acquisition time = T3 − T2;
Determining the target service interface called by the client at time T1, numbering the target service interfaces in descending order of the number of times the client caller has called each of them, the numbering result being i = 1, 2, …, n, where n represents the total number of target service interfaces, calculating the difference s between the number of the target service interface the client caller historically called when initiating a service request of the determined type and the number of the determined target service interface, and taking the difference g = 1 − 1/|s| between the value 1 and 1/|s| as the second static behavior characteristic of the client caller;
when a service end executes a service request of a determined type, acquiring interaction information of a client calling party, wherein the interaction information comprises an interaction object, an interaction grade and an interaction type;
Determining the interaction grade and the interaction type of each interaction object according to the historical interaction information of the client caller, giving the same weight value to the same interaction grade or the same interaction type, and numbering each interaction object, the numbering result being j = 1, 2, …, m, where m represents the total number of interaction objects;
According to the obtained interaction information of the client caller, determining a weight value d1p corresponding to the interaction level of the interaction object p and a weight value d2p corresponding to the interaction type, wherein p=1, 2;
according to the historical interaction information, obtaining the weight value mean d1′p corresponding to the interaction level of the interaction object p and the weight value mean d2′p corresponding to its interaction type;
taking d1p − d1′p as the first dynamic behavior feature of the client caller and d2p − d2′p as the second dynamic behavior feature of the client caller;
The behavior pattern model building unit builds a behavior pattern model according to the acquired behavior characteristics, and the specific method comprises the following steps:
Taking H = a1×g + a2×ln[1 + |R(f) − (T3 − T2)|] as the first behavior pattern model of the client caller, wherein a1 and a2 both represent proportionality coefficients and a1 + a2 = 1, H represents the first behavior feature value of the client caller, and ln[·] represents the logarithmic function with the natural constant e as its base, e = 2.73;
Taking K = a3×(d1p − d1′p) + a4×(d2p − d2′p) as the second behavior pattern model of the client caller, wherein a3 and a4 each represent a scaling factor and a3 + a4 = 1, and K represents the second behavior feature value of the client caller;
When K > Y or H > X, the interaction information of the client caller is abnormal behavior information; when 0 ≤ K ≤ Y and 0 ≤ H ≤ X, the interaction information of the client caller is normal behavior information, wherein X and Y are manually set threshold values;
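As an added example (not code from the patent), the feature extraction and the two behavior pattern models described above, computed in Python on constructed sample data. The historical (f, acquisition time) pairs, the interface call counts, the level and type weight tables, the coefficients a1 = a2 = a3 = a4 = 0.5 and the thresholds X = 0.6, Y = 1.0 are assumptions. The text leaves two cases open, which the code handles explicitly rather than silently: s = 0 (historical and target interface are the same, where 1/|s| is undefined) is taken as g = 0, and a negative K (current weight below the historical mean) is reported as out of range, since neither the "normal" nor the "abnormal" rule covers it.

```python
"""Behavior feature extraction and the two behavior pattern models (H and K).

Added example, not the patent's code: implements the formulas of the behavior
pattern analysis module on constructed sample data.  The history samples,
weight tables, coefficients a1..a4 and thresholds X, Y are assumptions.
"""
import math
from typing import Callable, Dict, Sequence, Tuple


def fit_linear_model(history: Sequence[Tuple[float, float]]) -> Callable[[float], float]:
    """Linear relation model R: acquisition_time = a * f + b, fitted by ordinary
    least squares to historical (request frequency f, acquisition time) pairs."""
    n = len(history)
    mean_f = sum(f for f, _ in history) / n
    mean_t = sum(t for _, t in history) / n
    sxx = sum((f - mean_f) ** 2 for f, _ in history)
    sxy = sum((f - mean_f) * (t - mean_t) for f, t in history)
    a = sxy / sxx if sxx else 0.0
    b = mean_t - a * mean_f
    return lambda f: a * f + b


def first_static_feature(model: Callable[[float], float], f: float, t2: float, t3: float) -> float:
    """R(f) - (T3 - T2): predicted minus observed authentication acquisition time."""
    return model(f) - (t3 - t2)


def number_interfaces(call_counts: Dict[str, int]) -> Dict[str, int]:
    """Number interfaces i = 1..n in descending order of historical call count
    (ties broken by name so the numbering is deterministic)."""
    ordered = sorted(call_counts, key=lambda name: (-call_counts[name], name))
    return {name: i + 1 for i, name in enumerate(ordered)}


def second_static_feature(numbering: Dict[str, int], historical: str, target: str) -> float:
    """g = 1 - 1/|s|, s = number(historical interface) - number(target interface).
    Assumption: s == 0 (same interface) is treated as no deviation, g = 0."""
    s = numbering[historical] - numbering[target]
    return 0.0 if s == 0 else 1.0 - 1.0 / abs(s)


def dynamic_features(level_weight: Dict[str, float], type_weight: Dict[str, float],
                     current: Tuple[str, str], history: Sequence[Tuple[str, str]]) -> Tuple[float, float]:
    """(d1p - d1'p, d2p - d2'p): weight of the current interaction level/type of
    object p minus the mean weights over its historical interactions."""
    d1p = level_weight[current[0]]
    d2p = type_weight[current[1]]
    d1_mean = sum(level_weight[lvl] for lvl, _ in history) / len(history)
    d2_mean = sum(type_weight[typ] for _, typ in history) / len(history)
    return d1p - d1_mean, d2p - d2_mean


def first_model_h(g: float, deviation: float, a1: float = 0.5, a2: float = 0.5) -> float:
    """H = a1*g + a2*ln(1 + |R(f) - (T3 - T2)|), with a1 + a2 = 1."""
    assert abs(a1 + a2 - 1.0) < 1e-9
    return a1 * g + a2 * math.log(1.0 + abs(deviation))


def second_model_k(dd1: float, dd2: float, a3: float = 0.5, a4: float = 0.5) -> float:
    """K = a3*(d1p - d1'p) + a4*(d2p - d2'p), with a3 + a4 = 1."""
    assert abs(a3 + a4 - 1.0) < 1e-9
    return a3 * dd1 + a4 * dd2


def classify(h: float, k: float, x: float, y: float) -> str:
    """Abnormal when K > Y or H > X; normal when 0 <= K <= Y and 0 <= H <= X.
    A negative K is covered by neither rule in the text, so it is reported
    separately instead of being treated as normal."""
    if k > y or h > x:
        return "abnormal"
    if 0 <= k <= y and 0 <= h <= x:
        return "normal"
    return "out_of_range"


def demo() -> dict:
    """Run the whole feature pipeline on constructed sample data."""
    # Constructed history: (request frequency f, acquisition time T3 - T2 in seconds)
    history = [(1, 4.0), (2, 3.5), (4, 3.0), (5, 2.5)]
    model = fit_linear_model(history)                       # R(f) = 4.3 - 0.35 f
    dev = first_static_feature(model, f=3, t2=10.0, t3=12.0)  # R(3) = 3.25, observed 2.0
    numbering = number_interfaces({"transfer": 40, "balance": 25, "history": 10})
    g = second_static_feature(numbering, historical="transfer", target="history")  # s = -2
    level_w = {"low": 1, "medium": 2, "high": 3}
    type_w = {"read": 1, "write": 2, "admin": 3}
    past = [("low", "read"), ("low", "read"), ("medium", "write"), ("low", "read")]
    dd1, dd2 = dynamic_features(level_w, type_w, ("high", "admin"), past)
    h = first_model_h(g, dev)
    k = second_model_k(dd1, dd2)
    return {"deviation": dev, "g": g, "H": h, "K": k,
            "verdict": classify(h, k, x=0.6, y=1.0)}


if __name__ == "__main__":
    print(demo())
```

With these inputs the caller takes 1.25 s less than the model predicts for its request frequency, calls an interface two ranks away from its usual one, and interacts at a much higher level and type than its history, so both H and K exceed their thresholds and the interaction is flagged abnormal.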
The risk assessment and decision module is used for quantitatively assessing the risk level of each service interaction and feeding back an assessment result to the server as an authentication result;
the risk assessment and decision module comprises a risk assessment unit and an authentication decision unit;
when judging that the interaction information of the client calling party is abnormal behavior information, the risk assessment unit carries out risk assessment on the interaction behavior of the client calling party according to the first behavior characteristic value and the second behavior characteristic value, and the specific method comprises the following steps:
when K > Y and 0 ≤ H ≤ X, or H > X and 0 ≤ K ≤ Y:
the risk assessment value W of the client caller is quantized as W = 1 − exp(−K) or W = 1 − exp(−H), respectively;
when K > Y and H > X:
the risk assessment value W of the client caller is quantized as W = 1 − exp(−K×H);
if 0 ≤ W ≤ 0.3, the risk assessment grade of the client caller is the first grade;
if 0.3 < W ≤ 0.6, the risk assessment grade of the client caller is the second grade;
if 0.6 < W ≤ 1, the risk assessment grade of the client caller is the third grade;
wherein exp() represents the exponential function with e as its base, e = 2.73; the larger the risk assessment value, the higher the corresponding risk assessment grade;
The authentication decision unit selects whether to add authentication factors according to the risk assessment result, and when the additional authentication factors are needed, the additional authentication request is sent to the client through the server, the client collects additional authentication information according to the additional authentication request, and the additional authentication information is forwarded to the authentication server through the server for verification until the risk assessment result is that the additional authentication factors are not needed, or the server refuses the service request again;
The additional authentication factors comprise static authentication factors and dynamic authentication factors, the static authentication factors comprise face recognition verification and target service interface re-verification, and the dynamic authentication factors are interaction information re-verification.
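As an added example (not the patent's code), the risk assessment unit's quantization of W and its grading, followed by the authentication decision unit's choice of additional factors. The text names the factors (face recognition, target service interface re-verification, interaction information re-verification) but does not fix which grade triggers which, so the grade-to-factor mapping, the `verify` callback standing in for the client collecting a factor and the authentication server checking it, and the treatment of a negative K (which the rules do not cover and the code refuses to score) are assumptions.

```python
"""Risk value W, risk grade, and the decision unit's step-up choice.

Added example, not the patent's code: applies the quantization rules of the
risk assessment unit and adds an assumed mapping from risk grade to the
additional authentication factors named in the text.
"""
import math
from typing import Callable, List, Optional, Tuple

# Factor names from the text; the grouping into static/dynamic is the text's too.
STATIC_FACTORS = ["face_recognition", "target_interface_reverification"]
DYNAMIC_FACTORS = ["interaction_information_reverification"]


def risk_value(h: float, k: float, x: float, y: float) -> Optional[float]:
    """W for an abnormal interaction; None when the behavior is normal
    (0 <= K <= Y and 0 <= H <= X), in which case no assessment is run."""
    k_abn, h_abn = k > y, h > x
    if k_abn and h_abn:
        return 1.0 - math.exp(-k * h)      # both models abnormal
    if k_abn and 0 <= h <= x:
        return 1.0 - math.exp(-k)          # only K abnormal
    if h_abn and 0 <= k <= y:
        return 1.0 - math.exp(-h)          # only H abnormal
    if 0 <= k <= y and 0 <= h <= x:
        return None                        # normal behavior: not assessed
    # Assumption: a negative K is outside every rule in the text, so refuse to
    # score it rather than produce a W outside [0, 1].
    raise ValueError(f"K={k}, H={h} not covered by the assessment rules")


def risk_grade(w: float) -> int:
    """Grade 1: 0 <= W <= 0.3; grade 2: 0.3 < W <= 0.6; grade 3: 0.6 < W <= 1."""
    if 0.0 <= w <= 0.3:
        return 1
    if w <= 0.6:
        return 2
    if w <= 1.0:
        return 3
    raise ValueError(f"W out of range: {w}")


def additional_factors(grade: int) -> List[str]:
    """Assumed step-up policy (not fixed by the text): grade 1 needs no extra
    factor, grade 2 one static factor, grade 3 both static factors plus the
    dynamic one."""
    if grade == 1:
        return []
    if grade == 2:
        return STATIC_FACTORS[:1]
    return STATIC_FACTORS + DYNAMIC_FACTORS


def decide(h: float, k: float, x: float, y: float) -> Tuple[str, List[str]]:
    """Decision for one interaction: ('execute', []) when no additional factor
    is needed, otherwise ('step_up', factors to request via the server)."""
    w = risk_value(h, k, x, y)
    if w is None:
        return "execute", []
    factors = additional_factors(risk_grade(w))
    return ("step_up", factors) if factors else ("execute", [])


def run_step_up(factors: List[str], verify: Callable[[str], bool]) -> str:
    """Decision loop from the text: each requested factor is collected by the
    client and verified by the authentication server (modelled by `verify`);
    the first failed factor makes the server refuse the request, otherwise
    the request is executed once no further factor is needed."""
    for factor in factors:
        if not verify(factor):
            return "refused"
    return "executed"


if __name__ == "__main__":
    verdict, factors = decide(h=0.4, k=1.5, x=0.6, y=1.0)
    print(verdict, factors, run_step_up(factors, lambda f: f != "face_recognition"))
```

Note that in the single-threshold branches W is bounded below by 1 − exp(−Y) or 1 − exp(−X): with Y = 1.0 an abnormal K alone already yields W > 0.63, i.e. the third grade, so the manually set thresholds X and Y effectively decide how severe a step-up a single abnormal model can trigger.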
An intelligent management method applied to an interactive authentication platform, the method comprises the following steps:
S10, integrating a plurality of authentication factors and verifying the identity of a calling party of the client;
s20, collecting and analyzing historical interaction data of a client caller, and constructing a behavior pattern model;
s30, quantitatively evaluating the risk level of each service interaction, and feeding back an evaluation result to the server as an authentication result;
and S40, the server selects whether to execute the service request initiated by the client or not according to the feedback result.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Claims (10)
1. The intelligent management system applied to the interactive authentication platform is characterized by comprising a client, a server and an authentication server;
The client side performs information interaction with the server side, and is used for initiating a service request to the server side, collecting authentication information according to an authentication request sent by the server side and submitting the collected authentication information to the server;
The server is used for sending an authentication request to the client according to an authentication strategy fed back by the authentication server, forwarding a service request initiated by the client and submitted authentication information to the authentication server, and determining whether to allow the service request to continue to execute according to an authentication result of the authentication server;
The authentication server is used for generating an authentication strategy according to the client information and feeding back the authentication strategy to the server, performing authentication processing on authentication information forwarded by the server, and feeding back an authentication processing result to the server.
2. The intelligent management system for the interactive authentication platform according to claim 1, wherein the authentication server is internally provided with a multi-factor dynamic authentication module, a behavior pattern analysis module and a risk assessment and decision module;
the multi-factor dynamic authentication module is used for integrating a plurality of authentication factors and verifying the identity of a client caller;
The behavior pattern analysis module is used for collecting and analyzing historical interaction data of a client caller and constructing a behavior pattern model;
the risk assessment and decision module is used for quantitatively assessing the risk level of each service interaction and feeding back an assessment result to the server as an authentication result.
3. The intelligent management system for the interactive authentication platform according to claim 2, wherein the multi-factor dynamic authentication module comprises an authentication policy generation unit, an authentication information analysis unit and a dynamic authentication unit;
the authentication policy generation unit determines a target service interface of the server according to the application identifier of the client and the initiated service request, and dynamically generates an authentication policy according to the authority level of the determined target service interface and the type of the service request initiated by the client;
the authentication information analysis unit performs matching analysis on authentication information collected by the client according to the dynamically generated authentication policy, reservation information of the client calling party at the server and historical interaction information of the client calling party at the server, verifies the identity of the client calling party based on a matching analysis result, if the identity verification is successful, the authentication result is an execution service request, and if the identity verification is unsuccessful, the authentication result is a refusal service request;
After the authentication of the client caller is successful, the dynamic authentication unit generates a dynamic key by adopting an asymmetric encryption algorithm and combining a corresponding time stamp, a random number and a unique identification code of equipment used by the client caller when the authentication of the client caller is completed, and transmits the generated dynamic key to the client and the server, the client encrypts the initiated service request data by using the dynamic key, and the server decrypts the service request data by using the dynamic key after receiving the service request.
4. The intelligent management system for an interactive authentication platform according to claim 3, wherein the behavior pattern analysis module comprises a judgment unit, a behavior feature acquisition unit and a behavior pattern model construction unit;
The judging unit performs integrity check on the decrypted data obtained by the server, judges whether the service request initiated by the client needs to be re-authenticated according to the check result, does not need to be re-authenticated when the integrity of the decrypted data obtained by the server is 1, and re-authenticates the service request initiated by the client according to the multi-factor authentication module when the integrity of the decrypted data obtained by the server is not 1;
the behavior feature acquisition unit acquires behavior features of a client caller in each service request process when the judgment result is that the service request initiated by the client does not need to be re-authenticated;
The behavior pattern model construction unit constructs a behavior pattern model according to the acquired behavior characteristics.
5. The intelligent management system for an interactive authentication platform according to claim 4, wherein the specific method for the behavior feature acquisition unit to acquire the behavior feature of the client caller in each service request process is as follows:
acquiring a key time stamp of a client caller in a service request process, wherein the key time stamp comprises time T1 when the client initiates the service request, starting time T2 and ending time T3 when the client collects authentication information;
Determining the type of the service request initiated by the client at time T1, acquiring the request frequency f of service requests of the determined type by the client caller, taking the request frequency as the independent variable and the authentication information acquisition time as the dependent variable, constructing a linear relation model R between the request frequency and the acquisition time, inputting the request frequency f into the linear relation model R to obtain the acquisition time R(f), and taking the authentication information acquisition time deviation R(f) − (T3 − T2) of the client caller as the first static behavior characteristic of the client caller;
Determining the target service interface called by the client at time T1, numbering the target service interfaces in descending order of the number of times the client caller has called each target service interface, the numbering results being i = 1, 2, …, n, where n represents the total number of target service interfaces, calculating the difference s between the number of the historical target service interface called by the client caller when a service request of the determined type was initiated and the number of the determined target service interface, and taking the difference g = 1 − 1/|s| between the value 1 and 1/|s| as the second static behavior characteristic of the client caller;
when a service end executes a service request of a determined type, acquiring interaction information of a client calling party, wherein the interaction information comprises an interaction object, an interaction grade and an interaction type;
Determining the interaction grade and the interaction type of each interaction object according to the historical interaction information of the client caller, giving the same weight value to the same interaction grade or the same interaction type, and numbering each interaction object, the numbering result being j = 1, 2, …, m, where m represents the total number of interaction objects;
According to the obtained interaction information of the client caller, determining a weight value d1p corresponding to the interaction level of the interaction object p and a weight value d2p corresponding to the interaction type, wherein p=1, 2;
according to the historical interaction information, obtaining the weight value mean d1′p corresponding to the interaction level of the interaction object p and the weight value mean d2′p corresponding to its interaction type;
d1p − d1′p is used as the first dynamic behavior feature of the client caller, and d2p − d2′p is used as the second dynamic behavior feature of the client caller.
6. The intelligent management system for an interactive authentication platform according to claim 5, wherein the specific method for constructing the behavior pattern model by the behavior pattern model constructing unit according to the acquired behavior characteristics is as follows:
Taking H = a1×g + a2×ln[1 + |R(f) − (T3 − T2)|] as the first behavior pattern model of the client caller, wherein a1 and a2 both represent proportionality coefficients and a1 + a2 = 1, and H represents the first behavior characteristic value of the client caller;
Taking K = a3×(d1p − d1′p) + a4×(d2p − d2′p) as the second behavior pattern model of the client caller, wherein a3 and a4 each represent a scaling factor and a3 + a4 = 1, and K represents the second behavior feature value of the client caller;
when K > Y or H > X, the interaction information of the client caller is abnormal behavior information, and when 0 ≤ K ≤ Y and 0 ≤ H ≤ X, the interaction information of the client caller is normal behavior information.
7. The intelligent management system for an interactive authentication platform according to claim 6, wherein the risk assessment and decision module comprises a risk assessment unit and an authentication decision unit;
When the risk assessment unit judges that the interaction information of the client calling party is abnormal behavior information, carrying out risk assessment on the interaction behavior of the client calling party according to the first behavior characteristic value and the second behavior characteristic value;
the authentication decision unit selects whether to add authentication factors according to the risk assessment result, and when the additional authentication factors are needed, the additional authentication request is sent to the client through the server, the client collects additional authentication information according to the additional authentication request, and the additional authentication information is forwarded to the authentication server through the server for verification until the risk assessment result is that the additional authentication factors are not needed, or the server refuses the service request again.
8. The intelligent management system for an interactive authentication platform according to claim 7, wherein the specific method for risk assessment by the risk assessment unit for the interactive behavior of the client caller is as follows:
when K > Y and 0 ≤ H ≤ X, or H > X and 0 ≤ K ≤ Y:
the risk assessment value W of the client caller is quantized as W = 1 − exp(−K) or W = 1 − exp(−H), respectively;
when K > Y and H > X:
the risk assessment value W of the client caller is quantized as W = 1 − exp(−K×H);
if 0 ≤ W ≤ 0.3, the risk assessment grade of the client caller is the first grade;
if 0.3 < W ≤ 0.6, the risk assessment grade of the client caller is the second grade;
if 0.6 < W ≤ 1, the risk assessment grade of the client caller is the third grade;
wherein exp() represents the exponential function with e as its base, e = 2.73.
9. The intelligent management system for an interactive authentication platform as claimed in claim 8, wherein the additional authentication factors include static authentication factors and dynamic authentication factors, the static authentication factors include face recognition verification and target service interface re-verification, and the dynamic authentication factors are interactive information re-verification.
10. An intelligent management method applied to an interactive authentication platform, applied to the intelligent management system applied to an interactive authentication platform as claimed in any one of claims 1 to 9, characterized in that the method comprises the following steps:
S10, integrating a plurality of authentication factors and verifying the identity of a calling party of the client;
s20, collecting and analyzing historical interaction data of a client caller, and constructing a behavior pattern model;
s30, quantitatively evaluating the risk level of each service interaction, and feeding back an evaluation result to the server as an authentication result;
and S40, the server selects whether to execute the service request initiated by the client or not according to the feedback result.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202511064047.9A CN120750618A (en) | 2025-07-31 | 2025-07-31 | Intelligent management system and method applied to interactive authentication platform |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN120750618A true CN120750618A (en) | 2025-10-03 |
Family
ID=97192287
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202511064047.9A Pending CN120750618A (en) | 2025-07-31 | 2025-07-31 | Intelligent management system and method applied to interactive authentication platform |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN120750618A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20130246639A1 (en) * | 2012-03-09 | 2013-09-19 | Mcafee, Inc. | System and method for flexible network access control policies in a network environment |
| CN113783844A (en) * | 2021-08-13 | 2021-12-10 | China Everbright Bank Co., Ltd. (中国光大银行股份有限公司) | Zero-trust access control method and device and electronic equipment |
| CN114465807A (en) * | 2022-02-24 | 2022-05-10 | Chongqing University of Posts and Telecommunications (重庆邮电大学) | Zero-trust API gateway dynamic trust evaluation and access control method and system based on machine learning |
| CN117371007A (en) * | 2023-09-21 | 2024-01-09 | State Grid Shanghai Electric Power Company (国网上海市电力公司) | An adaptive method and system for access control policies based on attribute trust |
| CN119135440A (en) * | 2024-11-08 | 2024-12-13 | Guangzhou Smartbi Software Co., Ltd. (广州思迈特软件有限公司) | Access control method for data requests |
Non-Patent Citations (1)
| Title |
|---|
| Liu Chenliang et al. (刘晨亮等): "Zero-Trust Security Protection System Implementation Practice" (零信任安全防护体系落地实践), China Financial Computer (中国金融电脑), 19 July 2022 (2022-07-19) * |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||