CN111278014A - Fraud prevention system, method, server and storage medium - Google Patents

Publication number
CN111278014A
Authority
CN
China
Prior art keywords
data
call
suspicious
unit
fraud
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911420412.XA
Other languages
Chinese (zh)
Inventor
许鑫伶
何洋
鲁银冰
林宇俊
林甜甜
邵妍
常玉
叶艳
刘阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Hangzhou Information Technology Co Ltd
Priority to CN201911420412.XA
Publication of CN111278014A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/55 Push-based network services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiments of the invention relate to the technical field of communications and disclose a fraud prevention system, method, server and storage medium. The fraud prevention system comprises a suspicious call analysis module, a network data acquisition module, a fusion analysis module and a warning service module. The suspicious call analysis module identifies the call signaling corresponding to a personal account according to a first preset model and records suspicious call data. The network data acquisition module screens personal internet access data according to a second preset model and obtains network data on accesses to malicious websites. The fusion analysis module performs fraud identification on the suspicious call data and the network data according to a third preset model. The warning service module performs interception and issues an early warning once the personal account is judged to be suspected of being defrauded. By aggregating call data and internet access data, the method and system identify fraud events more accurately and comprehensively, provide comprehensive reminders and interception, and effectively improve the ability of home users to prevent and control fraud events.

Description

Fraud prevention system, method, server and storage medium
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a fraud prevention technology.
Background
In recent years, with the development and spread of communications and networks, communication information fraud has grown into a very complete criminal industry chain.
Current communication information fraud cases show some new characteristics. First, fraud is carried out as a chain of events: criminals design the fraud process using social engineering and, with continually upgraded methods, lead victims into the trap step by step through a chain of fraud events, so that victims find it hard to defend themselves. Second, fraud channels have diversified: as technology has advanced, the methods have developed from the original ones, such as sending short messages and making calls, to newer ones such as scanning malicious QR codes, implanting Trojan viruses, and phishing, fraud and other malicious websites, with several of these used jointly.
At present, the main schemes for identifying communication information fraud are the following: performing modeling and association analysis on operator core-network call detail records, signaling data, basic user data and the like, and reconstructing the telecom fraud scenario from the communication time sequence; or building a classifier for fraud identification from the raw call detail records.
The inventors found at least the following problem in the prior art: whether modeling and association analysis is performed on operator core-network call detail records, signaling data and basic user data, or a classifier is built from the raw call detail records, fraud events cannot be traced, or the person affected by communication information fraud is easily misidentified.
Disclosure of Invention
An object of the embodiments of the invention is to provide a fraud prevention system and method that, by aggregating call data and internet access data, identify fraud events more accurately and comprehensively, provide comprehensive reminders and interception, and effectively improve home users' ability to prevent and control fraud.
To solve the above technical problem, an embodiment of the present invention provides a fraud prevention system comprising a suspicious call analysis module, a network data acquisition module, a fusion analysis module and a warning service module. The suspicious call analysis module is used for analyzing and identifying the call signaling corresponding to a personal account according to a first preset model, and for recording suspicious call data when it is judged that a suspicious call has been received. The network data acquisition module is used for screening personal internet access data according to a second preset model and obtaining network data on accesses to malicious websites, where the personal internet access data comprises the home broadband internet access data and the mobile communication internet access data corresponding to the personal account. The fusion analysis module is used for performing fraud identification on the suspicious call data and the network data according to a third preset model to generate an identification result. The warning service module is used for intercepting suspicious calls and accesses to malicious websites and issuing an early warning after the personal account is judged, according to the identification result, to be suspected of being defrauded.
An embodiment of the invention also provides a fraud prevention method comprising the following steps: analyzing and identifying the call signaling corresponding to a personal account according to a first preset model, and recording suspicious call data when it is judged that a suspicious call has been received; screening personal internet access data according to a second preset model and obtaining network data on accesses to malicious websites, where the personal internet access data comprises the home broadband internet access data and the mobile communication internet access data corresponding to the personal account; performing fraud identification on the suspicious call data and the network data according to a third preset model to generate an identification result; and, after the personal account is judged according to the identification result to be suspected of being defrauded, intercepting suspicious calls and accesses to malicious websites and issuing an early warning.
An embodiment of the present invention further provides a server, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the above-described anti-fraud method.
The present invention also provides a computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the above-mentioned anti-fraud method.
Compared with the prior art, the embodiments of the invention use the first preset model to identify the call signaling corresponding to the personal account and record suspicious call data when it is judged that the personal account has received a suspicious call; use the second preset model to screen the home broadband internet access data and mobile communication internet access data corresponding to the personal account for malicious domain names and obtain network data on accesses to malicious websites; and finally perform fusion analysis, based on the time sequence, on multi-dimensional data such as the suspicious call data and the network data, reconstructing the event chain of the communication information fraud. Aggregating mobile communication internet access data, home broadband internet access data and call signaling yields more complete fraud behavior data. Modeling analysis of this more complete data makes it possible to trace fraud events and identify fraud behavior more accurately, which reduces the risk of misjudging suspected victim accounts. Home users affected by communication information fraud also receive comprehensive, reinforced reminders and communication interception, so that their information security is comprehensively protected.
In addition, the suspicious call analysis module specifically comprises a call signaling processing unit, an identification unit and a call data storage unit. The call signaling processing unit is used for parsing and de-duplicating the call signaling to obtain preprocessed call data. The identification unit is used for feeding the preprocessed call data into the first preset model and judging whether a suspicious call has been received. The call data storage unit is used for storing the preprocessed call data as suspicious call data when it is judged that a suspicious call has been received. The call signaling processing unit parses and de-duplicates the call signaling, which reduces repeated data, leaves less call data to analyze afterwards, and improves the efficiency with which the identification unit identifies suspicious calls. The identification unit identifies whether a suspicious call has been received, and the suspicious call data is determined from its identification result, so that the fusion analysis module can perform association analysis on the suspicious call data and the internet behavior data.
In addition, the network data acquisition module specifically comprises a home broadband internet data acquisition unit, a personal internet data acquisition unit and a malicious domain name identification unit. The home broadband internet data acquisition unit is used for obtaining, from the home broadband log, the home broadband internet access data corresponding to the home broadband account, and for obtaining the home broadband internet access data corresponding to the personal account according to the correspondence between the home broadband account and the personal account. The personal internet data acquisition unit is used for parsing and de-duplicating the home broadband internet access data and the mobile communication internet access data corresponding to the personal account to generate the personal internet access data. The malicious domain name identification unit is used for screening the personal internet access data according to the second preset model and obtaining network data on accesses to malicious websites. The home broadband internet access data corresponding to the personal account is obtained through the correspondence between the home broadband account and the home broadband log and the correspondence between the home broadband account and the personal account, and is then fused with the 2/3/4G internet access data. This solves the prior-art problem that fraud behavior data is incomplete because non-2/3/4G internet access data is missing, and provides more comprehensive data for the subsequent identification of communication information fraud.
In addition, the fusion analysis module comprises a feature extraction unit, a behavior risk evaluation unit and a user risk comprehensive evaluation unit. The feature extraction unit is used for obtaining behavior feature statistics from the suspicious call data and the network data based on the time sequence, where the behavior feature statistics comprise calling frequency features, called-by-stranger frequency features and malicious link access frequency features. The behavior risk evaluation unit is used for arranging the behavior feature statistics in time order to form a multi-dimensional time-series dataset over a complete time period, feeding that dataset into the third preset model for analysis, and generating a current pre-evaluation value of being defrauded. The user risk comprehensive evaluation unit is used for generating a current comprehensive risk value from the pre-stored preceding comprehensive risk value and the current pre-evaluation value, and for judging that the personal account is suspected of being defrauded when the current comprehensive risk value is greater than a preset threshold. Because the suspicious call data and the network data are merged and the behavior feature statistics are obtained based on the time sequence, fraud events can be identified more comprehensively and accurately, and can be accurately traced once the personal account is judged to be suspected of being defrauded. Considering the preceding comprehensive risk value together with the current pre-evaluation value also makes the fraud identification result more scientific and reduces the influence of random factors.
In addition, the warning service module comprises a warning unit, an intercepting unit and a pushing unit. The warning unit is used for sending warning information to the personal account after the personal account is judged to be suspected of being defrauded. The intercepting unit is used for intercepting and recording subsequent malicious link accesses after the personal account is judged to be suspected of being defrauded. The pushing unit is used for pushing the warning information, through the third-party application association, to the other family users under the same home broadband account. The warning unit sends warning information to the personal account at the first opportunity, so that the suspected victim understands the current situation more directly, which effectively improves the user's ability to prevent and control fraud events. The intercepting unit intercepts at the first opportunity, so that the suspected victim is protected in time. The pushing unit pushes the warning information to the other family users under the same home broadband account to alert the family, so that communication information fraud is prevented and controlled with the family as the unit.
In addition, the system also comprises a striking service module, which is used for recording suspicious numbers and malicious domain names and transmitting them to the malicious number library and the malicious domain name library respectively; it also generates an alarm log from the interception records and pushes it to every family user under the same home broadband account at a preset time point. Uploading suspicious numbers and malicious domain names to the corresponding libraries keeps those libraries continuously updated, so that they serve the subsequent interception of malicious numbers and malicious domain names in a more timely manner. Pushing the alarm log to the family users at the preset time point further improves the users' ability to prevent and control fraud events.
Drawings
One or more embodiments are illustrated by the corresponding figures in the drawings, which are not meant to be limiting.
FIG. 1 is a schematic structural diagram of a fraud prevention system in a first embodiment of the present invention;
FIG. 2 is a schematic diagram of a time-series based time window in a first embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a fraud prevention system in a second embodiment of the present invention;
FIG. 4 is a flow chart of a fraud prevention method in a third embodiment of the present invention;
FIG. 5 is a flowchart of suspicious call analysis in the anti-fraud method according to the third embodiment of the present invention;
FIG. 6 is a flowchart regarding network data acquisition in the anti-fraud method in the third embodiment of the present invention;
FIG. 7 is a flow chart of a fusion analysis in the anti-fraud method according to the third embodiment of the present invention;
FIG. 8 is a schematic diagram of a server apparatus according to a fourth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in detail below with reference to the accompanying drawings. Those of ordinary skill in the art will appreciate that numerous technical details are set forth in the various embodiments to give the reader a better understanding of the present application. The technical solution claimed in the present application can nevertheless be implemented without these technical details and with various changes and modifications based on the following embodiments. The division into embodiments below is for convenience of description and should not limit the specific implementation of the present invention; the embodiments may be combined with and refer to one another where they do not contradict.
A first embodiment of the present invention relates to a fraud prevention system which, as shown in FIG. 1, specifically comprises a suspicious call analysis module 100, a network data acquisition module 200, a fusion analysis module 300 and a warning service module 400. The suspicious call analysis module 100 is configured to analyze and identify the call signaling corresponding to the personal account according to a first preset model, and to record suspicious call data when it is determined that a suspicious call has been received. The network data acquisition module 200 is configured to screen personal internet access data according to the second preset model and obtain network data on accesses to malicious websites, where the personal internet access data comprises the home broadband internet access data and the mobile communication internet access data corresponding to the personal account. The fusion analysis module 300 is configured to perform fraud identification on the suspicious call data and the network data according to a third preset model and generate an identification result. The warning service module 400 is configured to intercept suspicious calls and accesses to malicious websites and issue an early warning after the personal account is determined, according to the identification result, to be suspected of being defrauded.
In this embodiment, the call signaling, home broadband internet access data and mobile communication internet access data corresponding to the personal account are aggregated to obtain more complete fraud behavior data. Modeling analysis of this more complete data makes it possible to trace fraud events and identify fraud behavior more accurately, which reduces the risk of misjudging suspected victim accounts. Home users affected by communication information fraud also receive comprehensive, reinforced reminders and communication interception, so that their information security is comprehensively protected.
The structure of the fraud prevention system of this embodiment is described in detail below; the following is provided only for ease of understanding the implementation details.
In an example, the suspicious call analysis module 100 in this embodiment may further include: a call signaling processing unit 101, an identification unit 102 and a call data storage unit 103.
The call signaling processing unit 101 is configured to parse and de-duplicate the call signaling to obtain preprocessed call data. In practical application, the call signaling processing unit 101 obtains the call signaling data corresponding to the personal account within a selected time period, and parses and de-duplicates it using big data technology to obtain the preprocessed call data. In this embodiment, the call signaling processing unit 101 parses and de-duplicates the call signaling, which reduces repeated data, leaves less call data to analyze afterwards, and improves the efficiency with which the identification unit 102 identifies suspicious calls.
The identification unit 102 is configured to feed the preprocessed call data into the first preset model and determine whether a suspicious call has been received. Specifically, the preprocessed call data obtained by the call signaling processing unit 101 mainly includes the following information: serial number, subscriber identification, calling number, called number, start time, end time, duration of the call, nature of the call, etc. The identification unit 102 extracts number features and/or call behavior features from the preprocessed call data, and then uses the first preset model to analyze and identify the extracted features to determine whether the user has received a suspicious call. The first preset model can be built with algorithms such as cluster analysis, random forests and gradient decision trees; in practical application the algorithm is chosen to suit the actual problem. In this embodiment, the identification unit 102 identifies whether a suspicious call has been received, and the suspicious call data is determined from its identification result, so that the fusion analysis module can perform association analysis on the suspicious call data and the internet behavior data.
The call data storage unit 103 is configured to store the preprocessed call data as suspicious call data when it is determined that a suspicious call has been received. Specifically, when the identification unit 102 determines that a suspicious call has been received, the preprocessed call data corresponding to the personal account is stored in the call data storage unit 103 as suspicious call data, so that it can be retrieved by the subsequent fusion analysis module 300.
In an example, the network data acquisition module 200 specifically includes: a home broadband internet data acquisition unit 201, a personal internet data acquisition unit 202, and a malicious domain name identification unit 203.
The home broadband internet data acquisition unit 201 is configured to obtain, from the home broadband log, the home broadband internet access data corresponding to the home broadband account, and to obtain the home broadband internet access data corresponding to the personal account according to the correspondence between the home broadband account and the personal account. Specifically, Deep Packet Inspection (DPI) technology is used to parse the home broadband log and obtain the correspondence between a home broadband account and the URLs (uniform resource locators) it accessed, that is, the home broadband internet access data corresponding to the home broadband account. The third-party application log, such as the family log, is then parsed to find the correspondence between the home broadband account and the personal account, and the home broadband internet access data corresponding to the personal account is obtained from that correspondence.
The personal internet data acquisition unit 202 is configured to parse and de-duplicate the home broadband internet access data and the mobile communication internet access data corresponding to the personal account to generate the personal internet access data. Specifically, the home broadband internet access data corresponding to the personal account and the 2/3G and 4G internet access data corresponding to the personal account are merged. Because of personal browsing habits, the merged data contains a large amount of overlapping internet access data, so it is parsed and de-duplicated using big data technology. This reduces repeated data and improves the efficiency with which the malicious domain name identification unit 203 subsequently identifies malicious domain names.
The malicious domain name identification unit 203 is configured to screen the personal internet access data according to the second preset model and obtain network data on accesses to malicious websites. The malicious domain name identification unit 203 extracts the domain name information from the personal internet access data, uses the second preset model to compare the extracted domain names with the data stored in the threat intelligence library, and records accesses to malicious domain names that appear in the threat intelligence library. The threat intelligence library is built with continuous crawling and artificial intelligence technology, and its content is continuously enriched with threat intelligence data from partner vendors obtained through a cloud service. In this embodiment, the malicious domain name information in both the home broadband internet access data and the mobile communication internet access data corresponding to the personal account is obtained. This solves the prior-art problem that fraud behavior data is incomplete because non-2/3/4G internet access data is missing, and provides more comprehensive internet access data for the subsequent fusion analysis, so that fraud events can be identified and traced more accurately.
In practical application, a home broadband account has several personal accounts, so the volume of historical web access data for the home broadband account is massive. To save time in the subsequent association, the malicious domain name identification unit 203 can first identify the accessed malicious domain names in the home broadband internet access data corresponding to the home broadband account, that is, pull the relevant part out of the mass of data. The personal accounts that accessed a malicious domain name are then obtained from the correspondence between the home broadband account and the personal account, which reduces the processing time of the intermediate tasks and improves identification efficiency.
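The following added example (not code from the patent) illustrates the order of operations described above: household-level home broadband ("home-wide") records are screened against a threat list first, and only the hits are joined to personal accounts. All records, account identifiers and domain names are constructed, suffix matching stands in for the second preset model, and attributing a household hit to every personal account bound to that household is an assumption, since the text does not say how accesses are split among family members.

```python
from urllib.parse import urlsplit

# Constructed threat-intelligence entries (reserved .example names).
THREAT_DOMAINS = {"bad-pay.example", "login.phish.example"}

# Constructed DPI-derived records: (home broadband account, time, URL).
DPI_LOG = [
    ("HB-1001", "2019-12-30 10:09", "http://cdn.bad-pay.example/pay?id=1"),
    ("HB-1001", "2019-12-30 10:09", "http://CDN.bad-pay.example./pay?id=2"),
    ("HB-1001", "2019-12-30 10:11", "https://news.example/"),
    ("HB-1002", "2019-12-30 11:00", "https://notbad-pay.example/"),
    ("HB-1002", "2019-12-30 11:05", "phish.example/login"),
    ("HB-1003", "2019-12-30 12:00", "login.phish.example/reset"),
]

# Constructed bindings, as would be parsed from the third-party application log.
APP_BINDINGS = {"HB-1001": ["user-a", "user-b"], "HB-1002": ["user-c"]}


def hostname(url):
    """Extract a normalised host name; tolerate URLs logged without a scheme."""
    host = urlsplit(url if "://" in url else "//" + url).hostname
    return host.rstrip(".").lower() if host else None


def matched_threat(host, threats):
    """Return the listed domain that host equals or is a subdomain of, else None.

    Matching is done on whole labels, so 'notbad-pay.example' does not match
    'bad-pay.example', and a parent of a listed name is not treated as listed.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in threats:
            return candidate
    return None


def screen_household_log(log, threats):
    """Step 1: keep only de-duplicated household records that hit the threat list."""
    seen, hits = set(), []
    for account, ts, url in log:
        host = hostname(url)
        listed = matched_threat(host, threats) if host else None
        key = (account, ts, host)
        if listed and key not in seen:
            seen.add(key)
            hits.append({"account": account, "time": ts,
                         "host": host, "listed": listed})
    return hits


def personal_accounts_at_risk(hits, bindings):
    """Step 2: join the (much smaller) hit list to personal accounts."""
    at_risk = {}
    for hit in hits:
        # Assumption: every personal account bound to the household is attributed.
        for person in bindings.get(hit["account"], []):
            at_risk.setdefault(person, []).append(hit)
    return at_risk


if __name__ == "__main__":
    household_hits = screen_household_log(DPI_LOG, THREAT_DOMAINS)
    for person, hits in personal_accounts_at_risk(household_hits, APP_BINDINGS).items():
        print(person, [(h["time"], h["host"]) for h in hits])
```

The hit for `HB-1003` survives screening but maps to no personal account, which is the case an operator would want surfaced as a gap in the account bindings.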
In one example, the fusion analysis module 300 includes: a feature extraction unit 301, a behavior risk evaluation unit 302 and a user risk comprehensive evaluation unit 303.
The feature extraction unit 301 is configured to obtain behavior feature statistics from the suspicious call data and the network data based on the time sequence, where the behavior feature statistics include calling frequency features, called-by-stranger frequency features and malicious link access frequency features. Specifically, a time window is set, whose size can be 15 minutes (min). The window is slid backward and forward from the time at which the malicious domain name was accessed, the malicious domain name data accessed by the user and the suspicious call data are matched within each time window, and features are extracted from the suspicious call data and the malicious-domain internet access data in each time window to obtain the behavior feature statistics. Besides the calling frequency features, called-by-stranger frequency features and malicious link access frequency features, further features can be added according to actual conditions. The size of the time window can also be set according to actual operating conditions.
Because communication fraud is concealed, varied and highly adversarial, its long-term behavior characteristics are studied first to find how different features correlate in the time dimension, and multi-dimensional time-series data have exactly this property. A behavior risk evaluation unit 302 is therefore provided, which arranges the behavior feature statistics in time order to form a multi-dimensional time-series dataset over a complete time period, feeds that dataset into the third preset model for analysis, and generates a current pre-evaluation value of being defrauded. The third preset model can be built with an LSTM neural network; in practical application, a suitable algorithm can be chosen according to the requirements of processing multi-dimensional time-series data.
The user risk comprehensive evaluation unit 303 is configured to generate a current comprehensive risk value from the pre-stored preceding comprehensive risk value and the current pre-evaluation value, and to determine that the personal account is suspected of being defrauded when the current comprehensive risk value is greater than a preset threshold. Specifically, a weighted moving average of the preceding comprehensive risk value and the current pre-evaluation value is taken to obtain the current comprehensive risk value for the current time window. The current comprehensive risk value for the current time window is compared with a set threshold, and if it is higher than the threshold, the personal account is determined to be suspected of being defrauded. The preceding comprehensive risk value is derived from the current comprehensive risk values in all time windows of the day before the current date.
Fig. 2 shows the time-series-based time window diagram of this embodiment, in which each of the blocks T1 to Tn+m represents a time window 15 min long. Taking T1 as the current time window, the behavior feature statistics are shown in Table 1:
Table 1: T1 sequence behavior feature statistics
[Table 1 is an image in the original publication: Figure BDA0002352227380000071]
The behavior feature statistics of the T1 sequence are sent to the third preset model for recognition, and the result is shown in Table 2:
Table 2: User's current cheated pre-evaluation value based on the T1 sequence
User name | Risk of call behavior | Risk of surfing the Internet | Current cheated pre-evaluation value
AAA | 5 | 8 | 7
The current cheated pre-evaluation value of the user based on the T1 sequence is sent to the user risk comprehensive evaluation unit 303 to obtain the current risk comprehensive value based on the T1 sequence, and the result is shown in Table 3:
Table 3: Current risk comprehensive value based on the T1 sequence
User name | Current cheated pre-evaluation value | Preorder risk comprehensive value | Current risk comprehensive value
AAA | 7 | 8 | 9
In this embodiment, the suspicious call data and the network data are aggregated and the behavior feature statistics are obtained based on the time sequence, so that fraud events can be identified more comprehensively and accurately, and can be accurately traced after the personal account is judged to be suspected to be cheated. In addition, the preorder risk comprehensive value and the current cheated pre-evaluation value are considered together, so that the fraud event recognition result is more sound and the influence of random factors is reduced.
In one example, the alert service module 400 includes: an alarm unit 401, an interception unit 402, and a pushing unit 403. The alarm unit 401 is configured to send warning information to the personal account after it is determined that the personal account is suspected of being cheated, for example by a short message or by a prompt box popped up during a call. Because the alarm unit 401 sends the warning information to the personal account at the first opportunity, the suspected victim learns of the current situation more directly, and the user's ability to prevent and control fraud events is effectively improved. The interception unit 402 is configured to intercept and record subsequent malicious link access after it is determined that the personal account is suspected to be cheated, so that the suspected victim user is protected from the technical side. The pushing unit 403 is configured to push alarm information to other family users under the family account according to a third-party application association, for example by using the family log to associate the personal account with the family account. This is particularly relevant for the elderly or children, whose ability to discriminate and to resist is weak: the alarm information is pushed to other family users, and reminding the related family members realizes a family-level reminder, so that communication information fraud is prevented and controlled with the family as the unit.
It should be noted that all the modules in this embodiment are logical modules; in practical application, one logical unit may be one physical unit, may be a part of one physical unit, or may be implemented by a combination of multiple physical units. In addition, in order to highlight the innovative part of the present invention, elements that are not closely related to solving the technical problems proposed by the present invention are not introduced in this embodiment, but this does not mean that no other elements are present in this embodiment.
A second embodiment of the present invention relates to a fraud prevention system. The second embodiment is substantially the same as the first embodiment, and mainly differs therefrom in that: in the second embodiment of the present invention, a percussion service module is added to further enhance the prevention and control of fraud.
Specifically, the fraud prevention system provided by the second embodiment, as shown in fig. 3, includes: a suspicious call analysis module 100, a network data acquisition module 200, a fusion analysis module 300, an alert service module 400 and a percussion service module 500.
The suspicious call analysis module 100, the network data acquisition module 200, the fusion analysis module 300, and the alert service module 400 are similar to the suspicious call analysis module 100, the network data acquisition module 200, the fusion analysis module 300, and the alert service module 400 of the first embodiment in the fraud prevention system, and are not repeated herein.
The percussion service module 500 is connected to the fusion analysis module 300, and is configured to record the suspicious number and the malicious domain name and to transmit them to the malicious number library and the malicious domain name library, respectively. Uploading the suspicious number and the malicious domain name to the corresponding databases keeps the databases continuously updated, so that the updated databases serve the subsequent interception of malicious numbers and malicious domain names in a more timely manner. Meanwhile, an alarm log is generated from the interception record and pushed to each family user under the same family wide account at a preset time point, so that the family user can set a phone blacklist or a webpage blacklist according to the interception record as an active defense.
In this embodiment, by aggregating the call signaling, the home-wide internet data and the mobile communication internet data corresponding to the personal account, fraud is identified more accurately and the risk of misjudging a suspected victim account is reduced. In addition to comprehensively strengthening the reminders to family users who are victims of fraud, malicious websites and suspicious calls are intercepted and the interception records are pushed at the preset time point, which further improves the user's ability to prevent and control fraud events.
The third embodiment of the present invention relates to a fraud prevention method, as shown in fig. 4, specifically comprising the following steps:
Step 301: Analyze and identify the call signaling corresponding to the personal account according to the first preset model, and record suspicious call data when it is judged that a suspicious call is received. Specifically, the implementation process is shown in fig. 5:
Substep 3011: Acquire the call signaling corresponding to the personal account and preprocess it to obtain preprocessed call data.
Specifically, the call signaling data corresponding to the personal account in the selected time period is acquired, and the acquired call signaling data is analyzed and de-duplicated using big data technology to obtain the preprocessed call data. Analyzing and de-duplicating the call signaling in this step reduces repeated data, so that the call data to be analyzed subsequently is more compact and the efficiency of the subsequent suspicious call identification is improved.
Substep 3012: Send the preprocessed call data into the first preset model to identify suspicious calls.
Specifically, the preprocessed call data obtained in substep 3011 mainly includes the following information: a serial number, a user identifier, a calling number, a called number, a start time, an end time, a call duration, call properties and the like. The first preset model can be obtained by modeling with algorithms such as cluster analysis, random forest and gradient decision tree; in practical application, the first preset model can be built with whichever of these algorithms is customary.
Substep 3013: Judge whether a suspicious call is received.
Specifically, when it is determined that a suspicious call is received, substep 3014 is executed; when it is determined that no suspicious call is received, the process returns to substep 3011 and continues to obtain preprocessed call data for another specified time period.
Substep 3014: Record the suspicious call data.
Specifically, when it is determined that a suspicious call is received, the preprocessed call data corresponding to the personal account is recorded as suspicious call data, to be retrieved in the subsequent steps.
Step 302: Screen the personal internet data according to a second preset model and acquire the network data for accessing a malicious website, wherein the personal internet data comprises the home-wide internet data and the mobile communication internet data corresponding to the personal account. In the prior art, only the 2/3G and 4G internet logs and the call signaling are used for association analysis, so that fraud events cannot be traced because the data is incomplete. By acquiring both the home-wide internet data and the mobile communication internet data corresponding to the personal account, this step provides more comprehensive internet data for the subsequent fusion analysis, which helps to identify and trace fraud events more accurately. Specifically, the implementation is shown in fig. 6.
Substep 3021: Acquire the home-wide internet data corresponding to the home-wide account.
Specifically, DPI technology is used to analyze the home-wide log and obtain the correspondence between the home-wide account and the internet URLs, that is, the home-wide internet data corresponding to the home-wide account.
Substep 3022: Acquire the home-wide internet data corresponding to the personal account.
Specifically, a third-party application log, such as the family log, is analyzed to find the correspondence between the home-wide account and the personal account, and the home-wide internet data corresponding to the personal account is then acquired according to that correspondence.
Substep 3023: De-duplicate the home-wide internet data and the mobile communication internet data corresponding to the personal account to generate the personal internet data.
Specifically, the home-wide internet data corresponding to the personal account and the data of the personal account's internet access through 2/3G and 4G are summarized. Because of personal browsing habits, the summarized internet data contains a large amount of overlapping data, so it is analyzed and de-duplicated using big data technology, which reduces repeated data and improves the efficiency of the malicious domain name identification in the subsequent steps.
Substep 3024: Screen the personal internet data according to the second preset model.
Specifically, the domain name information in the personal internet data is extracted, the extracted domain names are then compared with the data stored in a threat intelligence library using the second preset model, and accessed domain names that are found in the threat intelligence library are recorded as malicious domain names. The threat intelligence library is built through continuous crawling and artificial intelligence technology; its data content can also be continuously enriched with threat intelligence data obtained from partner vendors through a cloud service.
Substep 3025: Judge whether a malicious domain name exists.
Specifically, when a malicious domain name exists in the personal internet data, substep 3026 is executed; when no malicious domain name exists in the personal internet data, substep 3021 is executed to continue acquiring personal internet data for another specified time period.
Substep 3026: Record the network data for accessing the malicious website.
Specifically, when it is determined that a malicious domain name exists in the personal internet data, the network data of the malicious website access corresponding to the personal account is recorded, to be retrieved in the subsequent steps.
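The following is an added example, not part of the patent text, of substeps 3021 to 3026: home-wide (home broadband) records are screened against the threat list before being expanded to personal accounts, then merged with the mobile records and de-duplicated. The record layouts, account names, domains and the rule that a household hit is attributed to every bound personal account are assumptions of this example; the second preset model is reduced here to an exact or parent-domain lookup.

```python
from urllib.parse import urlsplit

# Constructed sample data. Account names, domains and record layouts are
# assumptions made for this example; they do not come from the patent.
HOME_TO_PERSONAL = {"home-001": ["user-AAA", "user-BBB"]}  # from the third-party app log
THREAT_DOMAINS = {"bad-pay.example", "prize.invalid"}      # threat intelligence library

# (home-wide account, timestamp in seconds, URL), as DPI on the home-wide log would yield
HOME_WIDE_LOG = [
    ("home-001", 1000, "http://login.bad-pay.example/verify"),
    ("home-001", 1060, "https://news.example.org/today"),
]
# (personal account, timestamp in seconds, URL) from the 2/3G and 4G internet logs
MOBILE_LOG = [
    ("user-AAA", 1000, "http://login.bad-pay.example/verify"),  # overlaps the home-wide record
    ("user-AAA", 2000, "http://PRIZE.invalid./claim"),          # mixed case, trailing dot
    ("user-BBB", 2100, "https://news.example.org/today"),
]


def host_of(url):
    """Return the lower-cased host of a URL without a trailing dot ('' if none)."""
    return (urlsplit(url).hostname or "").rstrip(".")


def matched_threat(host, threats):
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in threats:
            return candidate
    return None


def screen(home_log, mobile_log, home_to_personal, threats):
    """Return de-duplicated (personal account, timestamp, malicious domain) hits."""
    hits = set()  # the set removes records seen in both data sources
    # Screen the massive household log first and expand only the hits to
    # personal accounts, so the account join runs on a small subset.
    for home_account, ts, url in home_log:
        domain = matched_threat(host_of(url), threats)
        if domain is None:
            continue
        # Assumption: a household hit is attributed to every bound personal account.
        for person in home_to_personal.get(home_account, []):
            hits.add((person, ts, domain))
    for person, ts, url in mobile_log:
        domain = matched_threat(host_of(url), threats)
        if domain is not None:
            hits.add((person, ts, domain))
    return sorted(hits)


if __name__ == "__main__":
    for hit in screen(HOME_WIDE_LOG, MOBILE_LOG, HOME_TO_PERSONAL, THREAT_DOMAINS):
        print(hit)
```

Attributing a household hit to every bound account is coarse: user-BBB is recorded for a visit that only user-AAA's mobile log confirms, which is one reason the later fusion with call data matters before an account is judged.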
Step 303: Carry out fraud identification on the suspicious call data and the network data according to a third preset model to generate an identification result. Specifically, the implementation process is shown in fig. 7:
Substep 3031: Acquire behavior feature statistics from the suspicious call data and the network data based on the time sequence.
Specifically, a time window is set, whose size can be 15 min. The window is slid backward and forward from the time at which the malicious domain name was visited, the malicious domain name access data and the suspicious call data of the user are matched within each time window, and features are extracted from the suspicious call data and the malicious-domain internet access data in each time window to obtain the behavior feature statistics. Besides the calling frequency, stranger called frequency and malicious link access frequency characteristics, further statistics can be collected according to actual conditions. In addition, the size of the time window may be set according to the actual operating conditions.
Substep 3032: Send the behavior feature statistics into the third preset model for analysis to obtain the current cheated pre-evaluation value.
Specifically, because communication fraud is covert, varied and highly adversarial, its long-term behavior characteristics are studied first to find how different characteristics correlate in the time dimension, and multi-dimensional time-series data has exactly this property. In this step, the behavior feature statistics are arranged in time order to form a multi-dimensional time-series dataset over a complete time period, and the dataset is sent into the third preset model for analysis to generate the current cheated pre-evaluation value. The third preset model can be constructed with an LSTM neural network; in practical application, a suitable algorithm can be selected according to the requirements of processing multi-dimensional time-series data.
Substep 3033: Acquire the current risk comprehensive value according to the pre-stored preorder risk comprehensive value and the current cheated pre-evaluation value.
Specifically, the preorder risk comprehensive value and the current cheated pre-evaluation value are combined by a weighted moving average to obtain the current risk comprehensive value in the current time window. The preorder risk comprehensive value is derived from the current risk comprehensive values in all time windows of the day preceding the current date.
Substep 3034: Judge whether the current risk comprehensive value is larger than a preset threshold value.
Specifically, a threshold is set and the current risk comprehensive value in the current time window is compared with it. If the current risk comprehensive value is higher than the threshold, substep 3035 is executed; if it is not higher than the threshold, substep 3031 is executed, that is, behavior feature statistics for other time windows continue to be obtained.
Substep 3035: Determine that the personal account is suspected to be cheated.
Specifically, when the current risk comprehensive value is higher than the set threshold value, it is determined that the personal account is suspected to be cheated, and the fraud can be traced according to the result; that is, it is determined that the personal account visited the malicious website after receiving the suspected fraud call and then had multiple calls with the fraudster.
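The following is an added example, not part of the patent text, of substeps 3031 to 3035 (the work of units 301 to 303 in the first embodiment): 15-minute windows around the first malicious-domain access, the three behavior feature counts, a pre-evaluation score, the weighted moving average with the preorder value, and the threshold test. The sample records, the weight, the threshold, taking the mean of the previous day's values as the preorder value, and the hand-weighted scorer standing in for the third preset model (it is not an LSTM) are all assumptions of this example.

```python
from statistics import mean

WINDOW_S = 15 * 60   # 15-minute time window, as in the description
ALPHA = 0.5          # assumed weight of the current cheated pre-evaluation value
THRESHOLD = 8.0      # assumed preset threshold

# Constructed sample input (timestamps in seconds); field names are assumptions.
SUSPICIOUS_CALLS = [
    {"ts": 3000, "direction": "in", "stranger": True},
    {"ts": 3700, "direction": "out", "stranger": True},
    {"ts": 3900, "direction": "out", "stranger": True},
    {"ts": 4600, "direction": "out", "stranger": True},
]
MALICIOUS_ACCESSES = [3600, 3650, 4700]
PREVIOUS_DAY_COMPOSITES = [6.0, 8.0]  # current risk comprehensive values of the prior day


def window_features(calls, accesses, span=1):
    """Count the three features in windows -span..+span around the first access."""
    if not accesses:
        return []                      # nothing to anchor the windows on
    anchor = min(accesses)
    feats = {i: {"calls_out": 0, "stranger_in": 0, "malicious": 0}
             for i in range(-span, span + 1)}
    for call in calls:
        i = (call["ts"] - anchor) // WINDOW_S   # floor division also for earlier events
        if i not in feats:
            continue
        if call["direction"] == "out":
            feats[i]["calls_out"] += 1          # calling frequency
        elif call["stranger"]:
            feats[i]["stranger_in"] += 1        # stranger called frequency
    for ts in accesses:
        i = (ts - anchor) // WINDOW_S
        if i in feats:
            feats[i]["malicious"] += 1          # malicious link access frequency
    return [feats[i] for i in sorted(feats)]


def pre_evaluate(f):
    """Stand-in for the third preset model: a hand-weighted score capped at 10."""
    return min(10, 2 * f["calls_out"] + f["stranger_in"] + 3 * f["malicious"])


def assess(calls, accesses, previous_day, alpha=ALPHA, threshold=THRESHOLD):
    """Return (pre-evaluation, current risk comprehensive value, suspected) per window."""
    prior = mean(previous_day) if previous_day else None
    results = []
    for f in window_features(calls, accesses):
        pre = pre_evaluate(f)
        # Weighted moving average of the current score and the preorder value;
        # with no history the score is used on its own.
        composite = float(pre) if prior is None else alpha * pre + (1 - alpha) * prior
        results.append((pre, composite, composite > threshold))
    return results


if __name__ == "__main__":
    for row in assess(SUSPICIOUS_CALLS, MALICIOUS_ACCESSES, PREVIOUS_DAY_COMPOSITES):
        print(row)
```

Only the middle window, where two outgoing calls coincide with two malicious link accesses, crosses the threshold; the stranger's incoming call in the window before it is what the tracing step would point back to.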
Step 304: After the personal account is judged to be suspected to be cheated according to the identification result, intercept the suspicious call and the access to the malicious website, and send out an early warning.
Specifically, after it is determined that the personal account is suspected of being cheated, a warning message is sent to the personal account, for example by a short message or by a prompt box popped up during a call. Because the warning information is sent to the personal account at the first opportunity, the suspected victim learns of the current situation more directly, and the user's ability to prevent and control fraud events is effectively improved. After the personal account is judged to be suspected to be cheated, subsequent malicious link access and suspicious calls are also intercepted and recorded at the first opportunity, so that the suspected victim user is protected from the technical side. In addition, alarm information can be pushed to other family users under the family wide account according to a third-party application association, for example by using the family log to associate the personal account with the family wide account. This is particularly relevant for the elderly or children, whose ability to discriminate and to resist is weak: the alarm information is pushed to other family users, and reminding the related family members realizes a family-level reminder, so that communication information fraud is prevented and controlled with the family as the unit.
Step 305: Record the suspicious number and the malicious domain name, generate an alarm log, and push the alarm log to each family user under the home wide account in a preset time period.
Specifically, suspicious numbers and malicious domain names are recorded and transmitted to the malicious number library and the malicious domain name library of the cloud platform, respectively, so that the databases are continuously updated and the updated databases serve the subsequent interception of malicious numbers and malicious domain names in a more timely manner; this capability is also provided externally as a service. Meanwhile, an alarm log is generated from the interception record and pushed to each family user under the same family wide account at a preset time point, so that the family user can set a phone blacklist and a webpage blacklist according to the interception record as an active defense.
In this embodiment, fraud is identified more accurately by aggregating the call signaling, the 2/3G and 4G internet logs and the home wide internet data corresponding to the personal account. In addition to comprehensively strengthening the reminders to family users who are victims of fraud and intercepting malicious websites and suspicious calls, the interception records are pushed at the preset time point, which further improves the user's ability to prevent and control fraud events.
The steps of the above methods are divided only for clarity of description. In implementation, steps may be combined into one step, or a step may be split into multiple steps; as long as the same logical relationship is included, these are all within the protection scope of this patent. Adding insignificant modifications to the algorithms or processes, or introducing insignificant design changes, without changing the core design of the algorithms and processes, is also within the protection scope of this patent.
A fourth embodiment of the invention relates to a server which, as shown in fig. 8, includes at least one processor 801; and a memory 802 communicatively coupled to the at least one processor 801; wherein the memory 802 stores instructions executable by the at least one processor 801, the instructions being executed by the at least one processor 801 to enable the at least one processor 801 to perform the above-described embodiments of the anti-fraud method.
The memory 802 and the processor 801 are coupled by a bus, which may comprise any number of interconnected buses and bridges that couple one or more of the various circuits of the processor 801 and the memory 802 together. The bus may also connect various other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further herein. A bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other devices over a transmission medium. Data processed by the processor 801 is transmitted over a wireless medium via an antenna; the antenna also receives data and passes it to the processor 801.
The processor 801 is responsible for managing the bus and general processing and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. And the memory 802 may be used to store data used by the processor in performing operations.
A fifth embodiment of the present invention relates to a computer-readable storage medium storing a computer program. The computer program, when executed by the processor, implements the anti-fraud method embodiments described above.
That is, as those skilled in the art can understand, all or part of the steps in the methods of the embodiments described above may be implemented by a program instructing related hardware, where the program is stored in a storage medium and includes several instructions to enable a device (which may be a single-chip microcomputer, a chip, etc.) or a processor to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other various media capable of storing program code.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples of implementing the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in its practical application.

Claims (10)

1. A fraud prevention system, comprising: a suspicious call analysis module, a network data acquisition module, a fusion analysis module and a warning service module;
the suspicious call analysis module is used for analyzing and identifying call signaling corresponding to the personal account according to a first preset model and recording suspicious call data when a suspicious call is judged to be received;
the network data acquisition module is used for screening personal internet data according to a second preset model and acquiring network data for visiting malicious websites, wherein the personal internet data comprises home-wide internet data and mobile communication internet data corresponding to the personal account;
the fusion analysis module is used for carrying out fraud identification on the suspicious call data and the network data according to a third preset model to generate an identification result;
and the warning service module is used for intercepting suspicious calls and access of malicious websites and sending early warning after the personal account is judged to be suspected to be cheated according to the identification result.
2. The fraud prevention system of claim 1, wherein the suspicious call analysis module specifically comprises: a call signaling processing unit, an identification unit and a call data storage unit;
the call signaling processing unit is used for analyzing and de-duplicating the call signaling to acquire preprocessed call data;
the identification unit is used for substituting the preprocessed call data into a first preset model and judging whether a suspicious call is received;
and the call data storage unit is used for storing the preprocessed call data as the suspicious call data when the suspicious call is judged to be received.
3. The fraud prevention system of claim 1, wherein the network data acquisition module specifically comprises: a home-wide internet data acquisition unit, a personal internet data acquisition unit and a malicious domain name identification unit;
the home-wide internet data acquisition unit is used for acquiring home-wide internet data corresponding to a home-wide account according to a home-wide log and acquiring the home-wide internet data corresponding to the personal account according to the corresponding relationship between the home-wide account and the personal account;
the personal internet data acquisition unit is used for analyzing and de-duplicating the home-wide internet data and the mobile communication internet data corresponding to the personal account to generate personal internet data;
and the malicious domain name recognition unit is used for screening the personal internet data according to a second preset model and acquiring network data for accessing a malicious website.
4. The fraud prevention system of claim 1, wherein the fusion analysis module comprises: a feature extraction unit, a behavior risk evaluation unit and a user risk comprehensive evaluation unit;
the characteristic extraction unit is used for acquiring behavior characteristic statistics from the suspicious call data and the network data based on a time sequence; wherein the behavior feature statistics include at least: calling frequency characteristics, strangers called frequency characteristics and malicious link access frequency characteristics;
the behavior risk evaluation unit is used for arranging the behavior characteristic statistics in time sequence to integrate and form a multi-dimensional time sequence dataset in a complete time period, sending the multi-dimensional time sequence dataset into a third preset model for analysis, and generating a current cheated pre-evaluation value;
and the user risk comprehensive evaluation unit is used for generating a current risk comprehensive value according to a pre-stored preorder risk comprehensive value and the current cheated pre-evaluation value, and judging that the personal account is suspected to be cheated when the current risk comprehensive value is greater than a preset threshold value.
5. The fraud prevention system of claim 1, wherein the alert service module comprises: a warning unit, an intercepting unit and a pushing unit;
the warning unit is used for sending warning information to the personal account after the personal account is judged to be suspected to be cheated;
the intercepting unit is used for intercepting and recording subsequent malicious link access after the personal account is judged to be suspected to be cheated;
and the pushing unit is used for pushing the alarm information to other family users under the same family wide account according to the third-party application association.
6. The fraud prevention system according to any one of claims 1 to 5, further comprising a percussion service module for recording the suspicious number and the malicious domain name and transmitting them to the malicious number repository and the malicious domain name repository, respectively; meanwhile, an alarm log is generated from the interception record and pushed to each family user under the same family wide account at a preset time point.
7. A fraud prevention method, comprising:
analyzing and identifying a call signaling corresponding to the personal account according to a first preset model, and recording suspicious call data when a suspicious call is judged to be received;
screening personal internet data according to a second preset model, and acquiring network data for accessing a malicious website, wherein the personal internet data comprises home-wide internet data and mobile communication internet data corresponding to the personal account;
carrying out fraud identification on the suspicious call data and the network data according to a third preset model to generate an identification result;
and after the personal account is judged to be suspected to be cheated according to the identification result, the suspicious call and the access of a malicious website are intercepted, and early warning is sent out.
8. The fraud prevention method of claim 7, wherein the fraud recognition of the suspicious call data and the network data according to a third preset model and the generation of the recognition result further comprises:
recording a suspicious number and a malicious domain name, and respectively transmitting the suspicious number and the malicious domain name to a malicious number library and a malicious domain name library; meanwhile, an alarm log is generated from the interception record and pushed to each family user under the same family wide account at a preset time point.
9. A server, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the anti-fraud method recited in any one of claims 7-8.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the anti-fraud method of any one of claims 7 to 8.
CN201911420412.XA 2019-12-31 2019-12-31 Fraud prevention system, method, server and storage medium Pending CN111278014A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911420412.XA CN111278014A (en) 2019-12-31 2019-12-31 Fraud prevention system, method, server and storage medium

Publications (1)

Publication Number Publication Date
CN111278014A true CN111278014A (en) 2020-06-12

Family

ID=70998784

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911420412.XA Pending CN111278014A (en) 2019-12-31 2019-12-31 Fraud prevention system, method, server and storage medium

Country Status (1)

Country Link
CN (1) CN111278014A (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106791220A (en) * 2016-11-04 2017-05-31 国家计算机网络与信息安全管理中心 Prevent the method and system of telephone fraud
CN106550155A (en) * 2016-11-25 2017-03-29 上海欣方智能系统有限公司 Suspicious number is carried out swindling the method and system that sample screens classification and interception
CN109429230A (en) * 2017-08-28 2019-03-05 中国移动通信集团浙江有限公司 A kind of communication swindle recognition methods and system

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112307464A (en) * 2020-10-30 2021-02-02 维沃移动通信有限公司 Fraud identification method and device and electronic equipment
CN112333709A (en) * 2020-11-09 2021-02-05 中国信息通信研究院 Cross-network fraud association analysis method and system and computer storage medium
CN112333709B (en) * 2020-11-09 2021-06-25 中国信息通信研究院 Cross-network fraud association analysis method and system and computer storage medium
CN112738807A (en) * 2020-12-31 2021-04-30 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for discovering harmful GOIP equipment
CN112788016A (en) * 2020-12-31 2021-05-11 上海欣方智能系统有限公司 Illegal user identification method and device, electronic equipment and storage medium
CN113191775A (en) * 2021-04-22 2021-07-30 深圳前海移联科技有限公司 Pompe fraudster intelligent contract detection method based on Ethernet shop transaction timing sequence information
CN113191775B (en) * 2021-04-22 2023-10-31 深圳前海移联科技有限公司 Pongshi cheating intelligent contract detection method based on transaction time sequence information on Ethernet
CN113766066A (en) * 2021-09-13 2021-12-07 上海欣方智能系统有限公司 Method and device for recognizing fraud
CN113923011B (en) * 2021-09-30 2023-10-17 北京恒安嘉新安全技术有限公司 Phishing early warning method, device, computer equipment and storage medium
CN113923011A (en) * 2021-09-30 2022-01-11 北京恒安嘉新安全技术有限公司 Phishing early warning method and device, computer equipment and storage medium
CN114020985A (en) * 2021-11-10 2022-02-08 深圳安巽科技有限公司 Fraud countercheck interception method, system and storage medium
CN114020985B (en) * 2021-11-10 2022-10-14 深圳安巽科技有限公司 Fraud countercheck interception method, system and storage medium
CN114430333A (en) * 2021-11-25 2022-05-03 深圳安巽科技有限公司 Anti-fraud system, method and storage medium for coping with illegal induced occupation activity
CN114501348A (en) * 2021-12-21 2022-05-13 恒安嘉新(北京)科技股份公司 Joint monitoring method, device, equipment and storage medium for scawed users
CN114501348B (en) * 2021-12-21 2024-04-23 恒安嘉新(北京)科技股份公司 Combined monitoring method, device, equipment and storage medium for users suffering from fraud
CN114363839A (en) * 2021-12-31 2022-04-15 恒安嘉新(北京)科技股份公司 Fraud data early warning method, device, equipment and storage medium
CN114066490A (en) * 2022-01-17 2022-02-18 浙江鹏信信息科技股份有限公司 GoIP fraud nest point identification method, system and computer readable storage medium
CN115186263A (en) * 2022-07-15 2022-10-14 深圳安巽科技有限公司 Method, system and storage medium for preventing illegal induced activities

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination