Title of Invention

METHOD FOR NETWORK SECURITY AUTHENTICATION

Abstract

The present invention discloses a network security authentication server, including: an area setting unit, operable for setting an area record including the correspondence between a user account identity and one or more areas; an area authentication unit, operable for acquiring the location of a client, and determining whether the acquired location of the client falls into the one or more pre-set areas according to the area record; judging that the authentication is passed if deciding that the acquired location of the client falls into the pre-set areas, or otherwise judging that the authentication is failed. The present invention further discloses a corresponding method for network security authentication. The system and method for network security authentication may restrict the login area of a user by determining whether the location of the user falls into one or more pre-set areas, so as to partly prevent malicious actions in computer network systems.
Full Text

System and Method for Network Security Authentication
Field of the Invention
The present invention relates to network security technologies, and more particularly, to a system and method for network security authentication.
Background of the Invention
Along with the development in computer network applications, online games, communities and businesses are more and more popular. Meanwhile, network security of such network applications becomes more and more important.
At present, the authentication schemes adopted by network applications to guarantee that the applications are used only by the registered users themselves mainly include a process of a user inputting an account identity and a password to log in. After the account identity and password inputted by the user are authenticated by a server, the user is allowed to enter the system. In addition, there are advanced password schemes, e.g., changeable passwords and so on. However, the above authentication schemes are relatively simple and can be easily cracked by malicious users (e.g. hackers).
In addition, there is a widely-applied method for preventing illegal login, i.e., adopting an extra code. A user needs to identify the extra code with unaided eyes and input the extra code manually and correctly to log in normally. This may effectively prevent malicious actions, e.g., brute-force cracking of users' passwords. However, when a user's password is stolen by other malicious users in the network through certain means, the extra code will not guard against the theft. As a result, the user may suffer losses, e.g., economic loss and so on.
Summary
A main aspect of the present invention provides a system and method for network security authentication to improve the security of network authentication compared with the prior art.
A server for network security authentication in accordance with the present invention includes:

an area setting unit, operable for setting an area record including correspondence between a user account identity and one or more areas;
an area authentication unit, operable for acquiring the location of a client, and determining whether the acquired location of the client falls into the one or more pre-set areas according to the area record; judging that the authentication is passed if deciding that the acquired location of the client falls into the pre-set areas, or judging that the authentication is failed if the acquired location of the client does not fall into the pre-set areas.
The server for network security authentication in accordance with the present invention may further include: a password authentication unit operable for determining whether a user account identity matches a password received from the client, and allowing the area authentication unit to perform area authentication after deciding that the user account identity matches the password.
The server for network security authentication in accordance with the present invention may further include: a password authentication unit operable for performing password authentication according to a user account identity and password received from the client after the area authentication unit decides the location of the client falls into the one or more pre-set login areas.
In the server for network security authentication in accordance with the present invention, the area authentication unit further includes:
an area analysis sub-unit, operable for acquiring the location of the client according to a login request received from the client, wherein the login request comprises a user account identity;
an area determining sub-unit, operable for searching for an area record according to the user account identity to acquire one or more areas corresponding to the user account identity, and determining whether the location of the client acquired by the area analysis sub-unit falls into the one or more areas.
In the server for network security authentication in accordance with the present invention, the area analysis sub-unit is operable for acquiring the location of the client according to an IP address derived from the login request or designating an IP address derived from the login request as the location of the client.

In the server for network security authentication in accordance with the present invention, the area authentication unit further includes: an area re-authentication sub-unit, operable for sending a message to a pre-set mobile terminal corresponding to the user account identity after the area determining sub-unit judges that the authentication is failed, judging that the authentication is passed after receiving a login-allowed message from the mobile terminal, or judging that the authentication is failed after receiving a login-rejected message from the mobile terminal.
In the server for network security authentication in accordance with the present invention, the area re-authentication sub-unit is further operable for, according to the message sent by the mobile terminal:
adding the location of the client into the pre-set areas as a pre-set area or a temporary login area; or
modifying the password of the user account; or
setting the user account as login-prohibited.
Embodiments of the present invention further provide a method for network security authentication, including:
(a) setting an area record including correspondence between a user account identity and one or more areas;
(b) acquiring the location of a client, and determining whether the acquired location of the client falls into the pre-set one or more areas; judging that the authentication is passed if the acquired location of the client falls into the one or more areas, or judging that the authentication is failed if the acquired location of the client does not fall into the one or more areas.
The method for network security authentication in accordance with the present invention further includes: determining whether the user account identity matches the password received from the client, and performing the step (b) after judging the user account identity matches the password.
When the location of the client falls into the one or more areas in the step (b), the method further comprises: performing password authentication according to the user account identity and password received from the client.

In the method for network security authentication in accordance with the present invention, the step (b) further includes:
(b1) acquiring the location of the client according to a login request received from the client, wherein the login request comprises a user account identity;
(b2) searching an area record according to the user account identity to acquire the one or more areas corresponding to the user account identity, and determining whether the location of the client acquired in the step (b1) falls into the one or more areas; judging that the authentication is passed if the acquired location of the client falls into the one or more areas, or judging that the authentication is failed if the acquired location of the client does not fall into the one or more areas.
In the network security authentication method in accordance with the present invention, the step (b2) further includes:
after judging the authentication is failed, sending a message to a mobile terminal corresponding to the user account identity, and determining whether the authentication is passed or failed according to a login-allowed message or a login-rejected message returned by the mobile terminal.
The network security authentication method in accordance with the present invention further includes, according to the message returned by the mobile terminal:
adding the location of the client into the pre-set areas as a pre-set area or a temporary login area; or
modifying the password of the user account; or
setting the user account as login-prohibited.
In the network security authentication method in accordance with the present invention, in the step (b1), the location of the client is determined according to an IP address derived from the login request; or the IP address derived from the login request is designated as the location of the client, and determining whether the location of the client acquired in the step (b1) falls into the one or more areas in the step (b2) comprises: determining whether the IP address derived from the login request falls into the one or more areas.
The system and method for network security authentication in accordance with the present invention may restrict the login area of a user by determining whether the location from which the user is logging in falls into one or more pre-set areas, so as to partly prevent malicious actions in computer network systems. The authentication system may be integrated with other authentication systems, so as to effectively improve the security of computer network applications.
Brief Description of the Drawings
The present invention is further explained hereinafter with reference to accompanying drawings and embodiments.
Figure 1 is a schematic diagram illustrating the structure of a system for network security authentication in accordance with Embodiment 1 of the present invention.
Figure 2 is a schematic diagram illustrating the structure of a system for network security authentication in accordance with Embodiment 2 of the present invention.
Figure 3 is a schematic diagram illustrating the detailed structure of the area authentication unit in Figure 1.
Figure 4 is a flowchart of a method for network security authentication in accordance with Embodiment 1 of the present invention.
Figure 5 is a detailed flowchart of the area authenticating process in Figure 3.
Figure 6 is a flowchart of a method for network security authentication in accordance with Embodiment 2 of the present invention.
Figure 7 is a flowchart of a method for network security authentication in accordance with Embodiment 3 of the present invention.
Embodiments of the Invention
Figure 1 is a schematic diagram illustrating the structure of a system for network security authentication in accordance with Embodiment 1 of the present invention. The system includes an area setting unit 11 and an area authentication unit 12. In this embodiment, the system for secure authentication resides within an authentication server 10. In practical applications, the authentication server 10 is connected with an application server, which is connected with clients via a network. A client will not be able to log in to the application server for applications until the client is authenticated by the authentication server. The application server and the authentication server 10 may also reside within the same hardware.

The area setting unit 11 is operable for setting an area record which includes the correspondence between a user account identity and one or more areas. In this embodiment, the area setting unit 11 receives a setting request from a client, and generates an area record according to the setting request. The setting request includes a user account identity and one or more pre-set areas (e.g. Shenzhen and Shanghai, etc.). The area record includes the correspondence between the user account identity and the one or more pre-set areas. The area record generated may be saved in a database or other storage systems.
The area setting unit 11 may provide a window for a user to input login area information and generate an area record according to the area information inputted by the user when the user registers to open a user account; or the area setting unit 11 may provide a window for a registered user to input changed login area information and generate an area record according to the changed area information inputted by the user after the user logs into the system. Since users generally live and work in a limited number of places, the users may set their working places and living places as their login areas; the users may alternatively set their IP addresses as their login areas.
In the above embodiment, province may preferably be set as the minimum unit of the login areas, and the maximum number of login areas per user may be set as 3. In other applications, the minimum unit of the login areas may also be a city or an IP address, and the number of login areas may also be another designated value such as 1, 2, 4, 5, etc.
The area authentication unit 12 is operable for acquiring the location of the client through which the user logs into the system, and determining whether the acquired location of the client falls into the one or more pre-set areas based on the area record generated by the area setting unit 11. If the area authentication unit 12 recognizes that the acquired location of the client falls into the one or more pre-set areas, the user passes the authentication and is allowed to perform any operations with the user account, e.g., logging in, etc. If the area authentication unit 12 does not recognize that the acquired location of the client falls into the pre-set areas, it returns an authentication failure message to the client.

Through the above area authentication, registered users are allowed to perform any operations with the user account, e.g., logging in, etc., only when they are in their pre-set areas, and cannot log into the application system when they are in other areas. In this way, even though other malicious users have stolen a user's account identity and password, they are unable to log into the application system if they are not in the pre-set areas of the user. Thus it can prohibit most malicious users from illegally logging into the application system. Users who require a high security level may set IP addresses, e.g., the IP addresses of the clients the users are using at home or at work, as their pre-set areas, by which malicious users will not succeed in logging in to the system if they are not logging in with the same IP address as the users, even if they are within the same geographical areas as the users.
Figure 2 is a schematic diagram illustrating the structure of a system for network security authentication in accordance with Embodiment 2 of the present invention. Besides an area setting unit 21 and an area authentication unit 22, the system also includes a password authentication unit 23.
The password authentication unit 23 is operable for determining whether the user account identity matches the password received from a client, and the area authentication unit 22 is operable for performing area authentication when the password authentication unit 23 recognizes that the user account identity matches the password. The above operation for determining whether the user account identity matches the password is in accordance with that of a password authentication system in the prior art.
In addition, in another embodiment of the present invention, the password authentication unit 23 is operable for performing the password authentication based on the user account identity and password received from the client after the area authentication unit 22 recognizes the location of the client falls into the one or more pre-set areas.
Referring to Figure 3, the area authentication unit 12 of Figure 1 includes an area analysis sub-unit 121 and an area determining sub-unit 122.
The area analysis sub-unit 121 is operable for acquiring the location of a client according to information contained in a login request sent by the client. The login request may include a user account identity. In this embodiment, the area analysis sub-unit 121 is operable for determining the location of the client according to an IP address derived from the login request.
The area determining sub-unit 122 is operable for searching for an area record according to the user account identity to acquire the one or more pre-set areas corresponding to the user account identity, and determining whether the location of the client acquired by the area analysis sub-unit 121 falls into the pre-set areas. If the acquired location of the client falls into the pre-set areas, the area determining sub-unit 122 recognizes that the user passes the authentication and the user is entitled to log into the application system; if the acquired location of the client does not fall into the pre-set areas, the area determining sub-unit 122 recognizes that the user fails to pass the authentication and returns an authentication failure message to the client.
In addition, the area authentication unit 12 may further include an area re-authentication sub-unit 123. The area re-authentication sub-unit 123 is operable for sending a message to a mobile terminal (e.g. a mobile phone, a PDA) corresponding to the user account identity after the area determining sub-unit 122 recognizes that the user fails to pass the authentication. The user sends a login-allowed message or a login-rejected message to the area re-authentication sub-unit 123 via the mobile terminal. Then the area re-authentication sub-unit 123 determines whether the authentication is passed or failed according to the message returned by the mobile terminal. In this way, when the user is on a business trip, he can also securely log in to the application system.
Figure 4 is a flowchart of a method for network security authentication in accordance with Embodiment 1 of the present invention. The method specifically includes the steps as follows.
In block S41, an area record is generated which includes the correspondence between a user account identity and one or more areas. In this step, the area record is generated according to a setting request received from a client. The setting request includes a user account identity and one or more pre-set areas (e.g. Shenzhen and Shanghai, one or more IP addresses, etc.). The area record includes the correspondence between the user account identity and the one or more pre-set areas. The area record generated may be saved in a database or other storage systems.
In this block, a window may be provided for a user to input login area information when the user registers to open a user account, and an area record will be generated according to the login area information inputted by the user; or a window may be provided for a registered user to input changed login area information after the user logs into the system, and an area record will be generated according to the changed login area information inputted by the user.
In block S42, the location of a client is acquired, and whether the acquired location of the client falls into the one or more pre-set areas is judged according to the area record. If it is determined that the acquired location falls into the pre-set areas, the user is recognized to pass the authentication and may perform the subsequent operations. If it is determined that the acquired location does not fall into the pre-set areas, an authentication failure message is returned to the client.
Figure 5 is a detailed flowchart of the area authenticating process (block S42). The process includes the following steps.
In block S51, the location of a client is acquired according to a login request received from the client, in which the login request includes a user account identity. In this embodiment, the location of the client is determined according to an IP address derived from the login request.
In block S52, an area record is searched for according to the user account identity to obtain one or more pre-set areas corresponding to the user account identity, and whether the location acquired in block S51 falls into the pre-set areas is determined. If the location acquired falls into the pre-set areas, the user is recognized to pass the authentication and may perform subsequent operations. If the location acquired does not fall into the pre-set areas, the authentication is failed and an authentication failure message will be returned to the client.
Block S52 may further include an area re-authentication process, i.e., after the authentication fails, a message is sent to a mobile terminal (e.g. a mobile phone) corresponding to the user account identity, and whether the authentication is passed or failed is determined according to the login-allowed message or login-rejected message returned by the mobile terminal. In this block, the mobile terminal is pre-set by the user and may be included in the user information stored in the server. Alternatively or optionally, a message may be sent to an e-mail address, an instant message user identity or a PDA, etc., which is pre-set by the user. When the user receives the message, the user judges whether the login is being performed by the user. If the login is performed by the user, the user may send a login-allowed message to log in to the system, and the user may also send an instruction in the message or in a new message to store the area from which the user is logging in into the server as a pre-set area or a temporary login area. The user may also designate or choose a valid period for this modification of the pre-set areas or for the temporary login area, such as valid only for this time, valid until the next modification, or valid for a fixed period of time (e.g., one week, one month). If the user judges that the login is not performed by the user, the user may send a login-rejected message to fail this login attempt, and the user may alternatively or optionally modify the login password, or set the user account as login-prohibited, which means nobody will be able to log in to the system using the user account for a period of time. After receiving the login-allowed message from the mobile terminal, the server permits the login, and may also add a new pre-set area or a temporary login area to the pre-set areas in the user information. After receiving the login-rejected message from the mobile terminal, the server rejects the login attempt, and may also modify the password of the user account or set the user account as login-prohibited as instructed by the user. When the user account is set as login-prohibited, the server or the user may designate a period during which the user account is login-prohibited or designate a particular way of activating the user account.
Figure 6 is a flowchart of a method for network security authentication in accordance with Embodiment 2 of the present invention. The method specifically includes the following steps.
In block S61, an area record is generated which includes the correspondence between a user account identity and one or more areas. In this step, an area record is generated according to a setting request received from a client.
In block S62, password authentication is performed according to the user account identity and password sent by the client. The process of password authentication is the same as that in the prior art. If the user passes the password authentication, block S63 will be performed; if the user does not pass the password authentication, block S64 will be performed.
In block S63, the location of the client is acquired, and whether the location acquired falls into the pre-set areas is determined according to the area record. If the location acquired falls into the pre-set areas, the user is recognized to pass the authentication and may log into the application system; if the location acquired does not fall into the pre-set areas, block S64 will be performed.
In block S64, an authentication failure message is returned to the client.
Figure 7 is a flowchart of a method for network security authentication in accordance with Embodiment 3 of the present invention. The method specifically includes the following steps.
In block S71, an area record is generated which includes the correspondence between a user account identity and one or more areas. In this step, an area record is generated according to a setting request received from a client.
In block S72, the location of the client is acquired, and whether the location acquired falls into the pre-set areas is determined according to the area record. If the location acquired falls into the pre-set areas, block S73 will be performed. If the location acquired does not fall into the pre-set areas, block S74 will be performed.
In block S73, password authentication is performed according to the user account identity and password sent by the client. The process of the password authentication is the same as that in the prior art.
In block S74, an authentication failure message is returned to the client.
It can be seen from the technical features in accordance with the present invention that part of the malicious actions in computer networks can be prohibited. The authentication scheme can also be applied in combination with other authentication schemes to increase the security of network applications.
In addition, according to a preferred embodiment, a re-authentication process is employed as a supplementary scheme, which enables a user to log in from an area other than the pre-set areas, e.g., when the user is on a business trip, while preventing malicious users from logging in.
According to another preferred embodiment, the pre-set area is an IP address, which provides a higher security level for users, because users from other IP addresses will be prevented from logging in to the system even if they are attempting to use the user account in the same geographical area as the user.
The foregoing is only preferred embodiments of the present invention. The protection scope of the present invention, however, is not limited to the above description. Any change or substitution, within the technical scope disclosed by the present invention, easily occurring to those skilled in the art should be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention should be compatible with the protection scope stated by the claims.
Claims
1. A server for network security authentication, comprising:
an area setting unit, operable for setting an area record including correspondence between a user account identity and one or more areas;
an area authentication unit, operable for acquiring the location of a client, and determining whether the acquired location of the client falls into the one or more pre-set areas according to the area record; judging that the authentication is passed if the acquired location of the client falls into the pre-set areas, or judging that the authentication is failed if the acquired location of the client does not fall into the pre-set areas.
2. The server for network security authentication of Claim 1, further comprising: a password authentication unit operable for determining whether a user account identity matches a password received from the client, and allowing the area authentication unit to perform area authentication after deciding that the user account identity matches the password.
3. The server for network security authentication of Claim 1, further comprising: a password authentication unit operable for performing password authentication according to a user account identity and password received from the client after the area authentication unit decides the location of the client falls into the one or more pre-set login areas.
4. The server for network security authentication of any of Claims 1-3, wherein the area authentication unit comprises:
an area analysis sub-unit, operable for acquiring the location of the client according to a login request received from the client, wherein the login request comprises a user account identity;
an area determining sub-unit, operable for searching for an area record according to the user account identity to acquire one or more areas corresponding to the user account identity, and determining whether the location of the client acquired by the area analysis sub-unit falls into the one or more areas.
5. The server for network security authentication of Claim 4, wherein
the area analysis sub-unit is operable for acquiring the location of the client according to an IP address derived from the login request; or
designating an IP address derived from the login request as the location of the client.
6. The server for network security authentication of Claim 4, wherein the area authentication unit further comprises an area re-authentication sub-unit, operable for sending a message to a pre-set mobile terminal corresponding to the user account identity after the area determining sub-unit judges that the authentication is failed, judging that the authentication is passed after receiving a login-allowed message from the mobile terminal, or judging that the authentication is failed after receiving a login-rejected message from the mobile terminal.
7. The server for network security authentication of Claim 6, wherein the area re-authentication sub-unit is further operable for, according to the message sent by the mobile terminal:
adding the location of the client into the pre-set areas as a pre-set area or a temporary login area; or
modifying the password of the user account; or
setting the user account as login-prohibited.
8. A method for network security authentication, comprising:
(a) setting an area record comprising correspondence between a user account identity and one or more areas;
(b) acquiring the location of a client, and determining whether the acquired location of the client falls into the pre-set one or more areas; judging that the authentication is passed if the acquired location of the client falls into the one or more areas, or judging that the authentication is failed if the acquired location of the client does not fall into the one or more areas.
9. The method for network security authentication of Claim 8, further comprising: determining whether the user account identity matches the password received from the client, and performing the step (b) after judging the user account identity matches the password.

10. The method for network security authentication of Claim 8, wherein when the location of the client falls into the one or more areas in the step (b), the method further comprises: performing password authentication according to the user account identity and password received from the client.
11. The method for network security authentication of any of Claims 8-10, wherein the step (b) further comprises:
(b1) acquiring the location of the client according to a login request received from the client, wherein the login request comprises a user account identity;
(b2) searching an area record according to the user account identity to acquire the one or more areas corresponding to the user account identity, and determining whether the location of the client acquired in the step (b1) falls into the one or more areas; judging that the authentication is passed if the acquired location of the client falls into the one or more areas, or judging that the authentication is failed if the acquired location of the client does not fall into the one or more areas.
12. The method for network security authentication of Claim 11, wherein the step (b2) further comprises:
after judging the authentication is failed, sending a message to a mobile terminal corresponding to the user account identity, and determining whether the authentication is passed or failed according to a login-allowed message or a login-rejected message returned by the mobile terminal.
13. The method for network security authentication of Claim 12, further comprising, according to a message returned by the mobile terminal:
adding the location of the client into the pre-set areas as a pre-set area or a temporary login area; or
modifying the password of the user account; or
setting the user account as login-prohibited.
14. The method for network security authentication of Claim 11, wherein in the step (b1),
the location of the client is determined according to an IP address derived from a login request; or
the IP address derived from the login request is designated as the location of the client, and determining whether the location of the client acquired in the step (b1) falls into the one or more areas in the step (b2) comprises: determining whether the IP address derived from the login request falls into the one or more areas.


Documents:

764-CHE-2008 AMENDED PAGES OF SPECIFICATION 28-03-2013.pdf

764-CHE-2008 AMENDED CLAIMS 28-03-2013.pdf

764-CHE-2008 CORRESPONDENCE OTHERS 18-09-2013.pdf

764-CHE-2008 CORRESPONDENCE OTHERS 08-11-2012.pdf

764-CHE-2008 ENGLISH TRANSLATION 28-03-2013.pdf

764-CHE-2008 EXAMINATION REPORT REPLY RECEIVED 28-03-2013.pdf

764-CHE-2008 FORM-1 28-03-2013.pdf

764-CHE-2008 FORM-3 28-03-2013.pdf

764-CHE-2008 POWER OF ATTORNEY 28-03-2013.pdf

764-che-2008-abstract.pdf

764-che-2008-claims.pdf

764-che-2008-correspondnece-others.pdf

764-che-2008-description(complete).pdf

764-che-2008-drawings.pdf

764-che-2008-form 1.pdf

764-che-2008-form 18.pdf

764-che-2008-form 3.pdf

764-che-2008-form 5.pdf


Patent Number 265207
Indian Patent Application Number 764/CHE/2008
PG Journal Number 08/2015
Publication Date 20-Feb-2015
Grant Date 12-Feb-2015
Date of Filing 28-Mar-2008
Name of Patentee TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
Applicant Address 4/F, EAST 2 BLOCK, SEG PARK, ZHENXING ROAD, FUTIAN DISTRICT, SHENZHEN, GUANGDONG, 518044 CHINA
Inventors:
# Inventor's Name Inventor's Address
1 CHEN, QIRU 4/F, EAST 2 BLOCK, SEG PARK, ZHENXING ROAD, FUTIAN DISTRICT, SHENZHEN, GUANGDONG, 518044 CHINA
2 LONG, YIMIN 4/F, EAST 2 BLOCK, SEG PARK, ZHENXING ROAD, FUTIAN DISTRICT, SHENZHEN, GUANGDONG, 518044 CHINA
PCT International Classification Number H04L12/28
PCT International Application Number N/A
PCT International Filing date
PCT Conventions:
# PCT Application Number Date of Convention Priority Country
1 200710073788.9 2007-03-30 China