RU2842185C1 - Method of ensuring the protection of information resources from unauthorized access by using a biometric identity authentication technology and a system for implementation thereof - Google Patents

Abstract

FIELD: computer equipment.

SUBSTANCE: invention relates to computer engineering and can be used to provide protection from unauthorized access to information circulating in a corporate data transmission network (CDTN) of an organisation. Result is achieved due to application of two-factor authentication, which includes standard system of user identification/authentication with additional application of biometric technology of person authentication by facial image. User identification is carried out based on the user's front image with preliminary presentation of the access subject electronic pass. After the user has successfully passed identification based on the front image, the user account is unlocked. User is then authenticated. Upon successful user authentication, the user is granted access to the corporate data transmission network of the organization and its information resources, and the moment the user leaves the territory of the organization, the account is automatically blocked.

EFFECT: high security of information circulating in the organisation's CDTN.

2 cl, 1 dwg

Description

The invention relates to the field of computer technology and can be used to provide protection against unauthorized access (UAA) to information circulating in the corporate data transmission network (CDTN) of an organization.

Unauthorized access to information is the most common and most probable threat to information security. Unauthorized access to information leads to undesirable consequences in the organization, such as leakage of protected information (personal data, official information, etc.), complete or partial disruption of the system. All this leads to a decrease in the company's reputation, financial losses and disruption of business processes. The main types of violators in the event of the implementation of such a threat, as a rule, are employees of the organization that is the owner of such information. For example, in the case of temporary disability or vacation of an employee, his colleagues can gain access to certain information by going through identification and authentication procedures, thereby compromising other people's data, which creates a direct prerequisite for the leakage of information, access to which may be limited.

Standard authentication systems (in the absence of increased security requirements) are often based on a request from the user for his/her identifier (login) and password to determine the user's right to enter the system. As an example, we can cite systems based on the use of the widely known Password Access Protocol (PAP), originally described in B. Lloyd, W. Simpson. RFC 1334. PPP Authentication Protocols. October 1992.

However, the main problem in this case is that the user can leave the computer unlocked or transfer their login and password to a third party, which can cause unauthorized access to the resources of the automated workstation (AWP) and the computer network to which the AWP is connected. As mentioned earlier, another problem can be the compromise of the user's personal identifiers during their absence from the workplace, which also creates the prerequisite for unauthorized access to information (for example, in the case of using simple passwords or storing personal identifiers for access to the system in a visible place).

A passive method of continuous (cyclically performed in automatic mode at small adjustable time intervals) real-time authentication is known from the state of the art, for example, using biometric feedback to perform the authentication process (patent US 8660322 of 25.02.2014, IPC: G06K 9/62). The method proposes to passively (without the participation of the user in the process) authenticate a person using the automated workplace, based on biometric information (for example, an image of his face recorded by a video camera) and determine whether he is a valid user who has passed authentication.

To implement the method, the user's reference face image is registered in the user database. Subsequently, in the authentication phase, the access system allows the user to log in to the workstation and use the computing resource based on the recognition of the face image presented by the system's video camera, comparing it with the image registered in the database. If the verified characteristics of the observed image match the characteristics of the registered reference image, the workstation operates, and if they do not match or if there is no image (the user has left the workstation), the workstation monitor screen is automatically blocked. In the event of the user's temporary absence, upon returning to the workstation, the video camera records the image of his face, and the system automatically unlocks the monitor, allowing the user to work without re-authentication by entering the account ID and/or password.

The system allows only the recognized user to access the data. During the user's work, the authentication system does not require interaction with the user and does not interrupt his work. The reliability of recognition of the user's biometric information is ensured by using several user images registered in the database and the use of the advanced interactive optimization algorithm IABC (Interactive Artificial Bee Colony) used for intellectual analysis.

The authentication system consists of a means for reading and transmitting the image of the user's face (video camera) and software with a set of software modules implementing the stages of the described authentication method:

- registration of the user's facial image in the user image database;

- comparative analysis of captured and recorded images using a special interactive algorithm;

- user access to computer resources based on the analysis results;

- continuous user authentication in real time;

- permission to continue further work if the observed and registered images match;

- prohibition on continuing further work (by blocking the monitor screen) if the observed and registered images do not match.

The disadvantage of the above method is the relatively low degree of effectiveness of protecting a personal computer from unauthorized access and the increased cost of the information protection system. The above disadvantages are related to the fact that:

- the use of additional equipment (video cameras) increases the cost of creating an information security system;

- continuous user authentication in real time leads to an additional load on the server where the registered (reference) image is stored and where the comparison of the received and reference images takes place, which for an organization in whose CSPD several hundred or thousands of users work simultaneously leads to a high load on the network/server equipment;

- not the PC is blocked, but only the monitor screen by blocking/unblocking the output of the graphical interface by the continuous biometric authentication system.

The closest in technical essence to the claimed technical solution are the system and method for continuous user authentication and protection of automated workplace resources from unauthorized access (patent RU No. 2691201, IPC: G06F 21/32, G06F 21/34, H04L 9/32, published 11.06.2019), selected as a prototype for the proposed method and system.

The specified method for implementing protection against unauthorized access and access control in real time using an image of the user's face includes the following sequentially implemented actions:

1) setting up the parameters of the trusted boot device (including setting up controlled time intervals) and registering users with recording in the non-volatile memory of the device of reference information necessary for subsequent authentication of the user, as well as information defining the user's authority to access the computer's hardware resources (access to which is restricted by the trusted boot device); user registration also includes registering his biometric information in the facial image database;

2) setting up access control rules (ACR) to computer resources at the user operating system level for users and processes executed on their behalf;

3) performing a trusted boot of the computer with diagnostics and control of the integrity of the components of the trusted boot module itself and all software and hardware objects controlled by it, including information about the controlled time intervals at which access is blocked;

4) authentication of the user logging into the system based on the control information presented by him on the authentication medium, as well as his facial image transmitted by the image reading and transmission device in real time;

5) providing access to computer resources in accordance with the powers of the authenticated user, followed by continuation of passive continuous biometric identification of the user by the continuous biometric identification system (CBIS);

6) ensuring access control to computer resources by an access control system (ACS) based on previously configured PRS;

7) blocking the computer operating system by the access control system based on the SNBI information during a short-term (within a configurable time interval) absence of the user from the workplace (SDS mode “inactivity pause 1”);

8) unlocking the computer operating system by the access control system upon timely return of the user without the need for re-authentication (in the “inactivity pause 1” SRS mode);

9) complete blocking of the computer's operation (up to and including its shutdown) by the access control system with the need for repeated full authentication of the user when turning on the computer or its unblocking in the event of a long absence of the user (in the "inactivity pause 2" SRS mode).

To implement the above actions, the system includes software blocks for identification and authentication, access control to procedures, management and auditing, as well as drivers for access control and filtering of USB devices, service administration utilities, etc.

The process of blocking the computer during the work of the automated workplace is controlled by the SRD, the main modules of which function in the kernel mode of the computer's operating system (OS). The SRD includes a special access control driver that functions in the area of the OS kernel modules that is inaccessible to user applications. When the SRD interacts with the software SNBI, the SRD implements the "inactivity pause" mode mechanism, which allows the user to be disconnected after a predetermined period of absence.

The disadvantage of the prototype is the technical complexity of implementing the said solution, associated with the implementation, including, of a trusted boot tool, the need for which often arises when processing restricted information (confidential information, commercial secrets, state secrets, etc.) and the increased cost of the information security system. The said disadvantages are related to the fact that:

- the system, method and device for protecting continuous user authentication and protecting automated workstation resources from unauthorized access are applicable to a greater extent for protecting one specific automated workstation and are not suitable for creating a system for protecting information circulating in the KSPD of an organization consisting of hundreds or even thousands of automated workstations;

- continuous user authentication in real time leads to an additional load on the server where the registered (reference) image is stored and where the comparison of the received and reference images takes place, and in the case of creating a KSPD consisting of hundreds or even thousands of automated workstations, several such processing and storage tools will be needed;

- the use of additional equipment (video cameras, trusted boot tools, etc.) leads to an increase in the cost of the information security system being created, in which the costs of ensuring the protection of information resources can significantly exceed the cost of the organization’s information assets themselves, including reputational losses in the event of their leakage.

The technical result of the proposed invention is to increase the security of information circulating in the organization's KSPD, due to the use of two-factor authentication, including a standard user identification/authentication system (login/password) with the additional use of biometric technology for authentication of a person by facial image, implemented on the basis of an access control and management system.

The technical result for the method is achieved in that in the method for ensuring protection of information resources from unauthorized access by using biometric technology for personal authentication to gain access to the corporate data transmission network of the organization, two-factor authentication of the access subject is performed, including identification of the user by his facial image transmitted in real time by the image reading and transmission device. At the same time, it differs from the prototype in that the user is identified by his facial image by comparing the facial image in real time with reference portrait samples stored in the data accounting unit of the access control and management system with a biometric face recognition terminal, with preliminary presentation of the electronic pass of the access subject. After the user has successfully passed the identification by facial image, the blocking is removed from the user account. After this, the user is authenticated by comparing the password entered by him for the specified login with the password stored in the user login database. If the passwords match, the user is granted access to the corporate data transmission network of the organization and its information resources. At the same time, when the user leaves the organization’s premises, his account is automatically blocked.

The technical result for the system is achieved in that the system for ensuring protection of information resources from unauthorized access by using biometric technology for personal authentication includes a video means for reading and transmitting the user's facial image for authentication. At the same time, it differs from the prototype in that the system includes an access control and management system, including a biometric face recognition terminal containing the said video means for reading and transmitting the user's facial image, installed at the entrance to the organization, a data recording unit and an identification unit, connected to the biometric face recognition terminal through a mathematical calculation subsystem. In addition, the system contains an Active Directory account management server, connected to the identification unit of the access control and management system, as well as a corporate data transmission network consisting of N automated workstations and an Active Directory server, connected to each other and to the Active Directory account management server. All components of the system are designed with the ability to interact with each other via a computing network and automated workstations, providing the ability to access information resources circulating in the corporate data transmission network of the organization.

The essence of the claimed method for ensuring protection of information resources from unauthorized access through the use of biometric technology for personal authentication and a system for its implementation is explained by the drawing.

To gain access to the corporate data transmission network of the organization in the method of ensuring protection of information resources from unauthorized access by using biometric technology of personal authentication, two-factor authentication of the access subject is performed, which includes identification of the user by his/her facial image transmitted in real time by the device for reading and transmitting the image. Identification of the user by his/her facial image is performed by comparing the facial image in real time with the reference portrait samples stored in the data accounting unit of the access control and management system with a biometric terminal for facial recognition. In this case, before the start of the user identification, the latter presents an electronic pass of the access subject. After the user has successfully passed the identification by facial image, the blocking is removed from the user account and the next authentication stage is performed, which consists of the user passing the authentication check directly on the automated workstation by comparing the password entered by him/her for the specified login with the password saved in the user login database. If the passwords match, the user is granted access to the organization's KSPD and its information resources. Moreover, at the moment of the access subject's exit from the territory of the organization, his account is automatically blocked by presenting an electronic pass as one of the identifiers, the authenticity control of which, by analogy with the entry procedure, is assigned to the subsystem of mathematical calculations, in which the identifier (electronic pass) presented by the access subject is compared with the one recorded in the data accounting block. After successful identification by the electronic pass, the second stage of the access subject's identification is carried out, based on the recognition of the facial image using a device for reading and transmitting the image (a facial recognition tablet). If the access subject successfully passes the two-stage identification procedure based on the ACS with a biometric facial recognition terminal, his account is automatically blocked, and access to the organization's information resources from under the user's account becomes unavailable.

A system for implementing a method for ensuring protection of information resources from unauthorized access by using biometric technology for personal authentication consists of an access control and management system (ACMS) 1, including a biometric facial recognition terminal 2 installed at the entrance to the organization, a data recording unit 3 and an identification unit 4, connected to the biometric facial recognition terminal 2 through a mathematical calculation subsystem 5. In addition, the claimed system contains an Active Directory account management server 6, connected to the identification unit 4 of the ACMS 1, as well as a KSPD 7, consisting of N ARM 8 and an Active Directory server 9, connected to each other and to the Active Directory account management server 6. All components of the system are designed with the ability to interact with each other via a computer network and an ARM 8, providing the ability to access the information resources circulating in the KSPD 7 of the organization.

The proposed system works as follows.

At the first stage, ACS 1 with biometric face recognition terminal 2 performs the function of identifying the access subject using an electronic pass with a specified identifier, after which, in order to confirm the presented identifier (electronic pass), ACS 1 ensures collection of biometric material (samples) - facial images presented in the form of a mathematical model. Then the sample goes to the mathematical calculation subsystem 5, where biometric identification of objects occurs by comparing their portrait samples (mathematical models of facial images) obtained from the corresponding photographic images with the reference portrait samples stored in the data recording unit 3. Then the results of the comparison of mathematical models of facial images go to the identification unit 4, where a decision is made to grant access or deny access to information resources. The operation of the identification unit 4 is directly correlated with the Active Directory account management server 6, where user accounts are blocked/unblocked, and an event log of attempts to access information resources is stored. After the user has successfully passed the first authentication stage in order to gain access to the information resources circulating in the organization's KSPD 7, the second authentication phase is performed directly on the ARM 8 by entering the login and password and checking the data entered by the user stored on the Active Directory 9 server, which are components of the KSPD 7. The operator/administrator works with the system through the Active Directory 6 account management server, which ensures convenient access, configuration and decision-making based on the identification results. Before passing the first authentication phase, the user account is blocked, access to the information resources circulating in the organization's KSPD 7 is prohibited. In addition, when the user leaves the territory of the organization, the user account is automatically blocked.

ACS 1 performs dynamic control of the images of the face of the access subjects received by the biometric face recognition terminal 2 and further compares this image with the reference image stored in the data recording unit 3.

Data accounting block 3 provides:

- collection, recording and orderly storage of portrait samples of objects (their mathematical models) subject to registration, as well as the installation data of these objects;

- the ability to store not the biometric samples themselves, but only their mathematical models.

A separate accounting card is created for each registered object. The cards are logically combined into a Card Index - a specialized database designed to consolidate, store and organize the collected accounting data.

For each collected biometric sample, a corresponding mathematical model is created and saved, compiled in accordance with the basic biometric algorithms on which the system operates.

Data accounting block 3 implements the following search methods:

- biometric search - is carried out on the basis of a portrait sample of the object and is accompanied by the issuance of a quantitative assessment of the probability of coincidence and similarity of the sought and found samples;

- search by installation data - is carried out on the basis of installation data (object name, object gender, object date of birth, employee personnel number, etc.) by which the object was recorded;

- search by metadata - is carried out on the basis of metadata generated when an object is registered (a unique identifier assigned to an object for unambiguous identification, date of registration, etc.).

Identification unit 4 ensures biometric identification of objects by comparing their portrait samples obtained from corresponding photographic images with reference portrait samples recorded by data recording unit 3.

Identification block 4, from the point of view of gradation by type of biometric characteristics, ensures identification based on the unique characteristics of the facial image.

The biometric face recognition terminal 2 is installed at the entrance to the organization and ensures the identification of objects by unique biometric facial features in real time. The biometric face recognition terminal 2 is organized in the form of a turnstile with a video device for reading and transmitting the user's facial image installed on it - a facial recognition tablet. When attempting to enter the territory of the organization, the access subject presents an electronic pass as one of the identifiers, the authenticity control of which is assigned to the mathematical calculation subsystem 5, in which the identifier (electronic pass) presented by the access subject is compared with the one recorded in the data accounting block 3. After successful identification by the electronic pass, the second stage of identification is carried out, based on facial image recognition using the facial recognition tablet. Upon successful completion of the two-stage identification procedure based on the ACS 1 with the biometric face recognition terminal, the access subject is allowed to enter the organization and his account is unblocked.

The biometric face recognition terminal 2 operates in the "thick client" mode, synchronizing on demand with the Card Index of the data recording unit 3. In this case, the "thick client" is understood to be a client that performs the manipulations requested by the user independently of the main server. The main server in this variation of the system architecture can be used as a special storage of information, the processing and final provision of which is simply transferred to the user's local machine. The "thick client" is a work machine or PC that operates on the basis of its own OS and is filled with a full set of software for the user's required tasks.

To specify the subset of Cards, which are compared for the purpose of identification, the list mechanism provided by the data accounting block 3 is used. Based on the results of identification, for each identified object either a list of Cards is issued with an indication for each of them of the quantitative assessment of the probability of coincidence and similarity of the sought and found samples, or the fact of the absence of Cards with suitable reference samples is indicated.

The subsystem of mathematical calculations 5 is implemented in the form of special computing software (SCS), individual equal copies of which are deployed and launched on independent computing nodes and operate in parallel.

The subsystem of mathematical calculations 5 provides the ability to scale using the subsystem itself: the number of simultaneously running instances of the computational software is specified through settings.

The mathematical computation subsystem 5 is capable of maintaining operability as long as at least one instance of the computational software is functioning.

The logic of the operation of the mathematical calculation subsystem 5 consists of recognizing and registering each i -th access subject in the data accounting block 3, during which an image of its identifier p _i is created, which is a set of reference values of identification features. All registered images can be represented as a set P = {p ₁ , p ₂ , …, p _n } .

ACS 1 with biometric face recognition terminal 2 allows to analyze (recognize) k identification features of the access subject. The set Z={z ₁ , z ₂ , …, z _k } includes features by which the identification process is carried out within the framework of a specific ACS 1. The elements of the set Z can be a series, pass number, operating frequency of the data transmission technology used, etc. In the case of biometric identification, methods of recognizing the access subject by physiological features (facial image) are used.

At the identification stage, the access subject presents its identifier, at which point its image is created in the mathematical calculation subsystem 5, which is used for comparison with the reference images stored in the data accounting block 3. If in the data accounting block 3 there is a single image that fully corresponds to the one presented, then the access subject is considered identified.

To formulate the identification problem, we introduce the following notations:

- the image that needs to be identified;

- vector of read values of identification features of set Z belonging to the image ;

- the value of the feature z _j ∈ Z read by the system; .

The identification task allows us to determine whether the presented image corresponds to , possessing the values of identification features , to exactly one element of the set P.

To carry out the identification procedure, the access subject must present the reader device (RD), which is part of the biometric facial recognition terminal, with 2 images . At the same time must be represented by the value of at least one of the identification features z _j ∈ Z. In the case of implementing the claimed system, there must be two such parameters:

- an electronic pass with a set of specified identification parameters (series, pass number, operating frequency of the data transmission technology used, etc.);

- facial image of the access subject (mathematical model of the image).

The control unit, which is part of the biometric face recognition terminal 2, receives and processes the images transmitted to it for identification, which are subsequently sent to the mathematical calculation subsystem 5. The operation of the biometric face recognition terminal 2 can be represented as an expression:

,

Where - an image presented by the access subject, converted into the format used by the controller from the mathematical calculation subsystem 5;

F - the function of converting the image into the format used by the controller of the mathematical calculation subsystem 5.

During the analysis of the image transmitted by the US the controller checks whether the corresponding image p _i exists in the data accounting block 3. If such an image exists, and in a single copy, a positive identification result is accepted, otherwise the access subject will not be identified.

The Active Directory Account Management Server 6 is used to provide operator/administrator access to the services of the data accounting block 3 and the identification block 4, which interact through the mathematical calculation subsystem 5.

The Active Directory 6 Account Management Server provides the ability to promptly notify the operator/administrator, which provides pop-up or similar messages organized by means of the graphical interface of the user's workstation OS.

ACS 1 performs dynamic control of the images of the face of the access subjects received by the biometric face recognition terminal 2 and further compares this image with the reference image stored in the data recording unit 3.

The technical effect of the proposed invention is that, due to the use of ACS 1 with a biometric facial recognition terminal 2, protection against unauthorized access to information circulating in the organization's KSPD 7 is ensured. The specified technical effect is achieved as a result of two-factor authentication of the access subject to the organization's KSPD 7, whereby the access subject first presents an electronic pass as one of the identifiers when attempting to enter the organization's territory, the authenticity of which is assigned to the mathematical calculation subsystem 5, in which the identifier (electronic pass) presented by the access subject is compared with that recorded in the data accounting block 3. After successful identification by the electronic pass in ACS 1, the second stage of identification is carried out, based on facial image recognition using the biometric facial recognition terminal 2. Upon successful completion of the two-stage identification procedure based on ACS 1 with the biometric facial recognition terminal 2, the access subject is allowed to enter the organization and the user account is unblocked using the Active Directory account management server 6. Two-factor authentication of the access subject when attempting to gain access to the organization's KSPD 7 consists of fulfilling the following two conditions:

- successful completion of the user authentication procedure by comparing the password entered by the user (for the specified login) with the password stored in the user login database;

- successful completion of the facial image recognition procedure by comparing it with reference images stored in the data recording unit.

If the above conditions are met simultaneously, the user gains access to the ARM 8 included in the organization’s KSPD 7.

Thus, the use of this invention makes it possible to achieve increased efficiency in protecting information circulating in the organization’s KSPD.

Claims (2)

1. A method for ensuring the protection of information resources from unauthorized access by using biometric technology for personal authentication, in which, in order to gain access to the corporate data transmission network of an organization, two-factor authentication of the access subject is performed, including identifying the user by his facial image transmitted in real time by an image reading and transmission device, characterized in that the user is identified by his facial image by comparing the facial image in real time with reference portrait samples stored in the data accounting unit of the access control and management system with a biometric facial recognition terminal, with the preliminary presentation of an electronic pass of the access subject, after the user has successfully passed the identification by facial image, the blocking of the user account is removed, after which the user undergoes authentication by comparing the password entered by him for the specified login with the password stored in the user login database, if the passwords match, the user is granted access to the corporate data transmission network of the organization and its information resources, and at the moment the user leaves the territory of the organization, an automatic blocking is performed his account. 2. A system for ensuring the protection of information resources from unauthorized access by using biometric technology for personal authentication, including a video means for reading and transmitting a user's facial image for authentication, characterized in that the system includes an access control and management system, including a biometric facial recognition terminal containing the aforementioned video means for reading and transmitting a user's facial image, installed at the entrance to the organization, a data recording unit and an identification unit, connected to the biometric facial recognition terminal via a mathematical calculation subsystem, in addition, the system contains an Active Directory account management server, connected to the identification unit of the access control and management system, as well as a corporate data transmission network consisting of N automated workstations and an Active Directory server, connected to each other and to the Active Directory account management server, all components of the system are designed with the ability to interact with each other via the computing network and automated workstations, providing the ability to access the information resources circulating in the corporate data transmission network of the organization.