CN112580952A - User behavior risk prediction method and device, electronic equipment and storage medium - Google Patents

User behavior risk prediction method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN112580952A
CN112580952A CN202011451677.9A CN202011451677A CN112580952A CN 112580952 A CN112580952 A CN 112580952A CN 202011451677 A CN202011451677 A CN 202011451677A CN 112580952 A CN112580952 A CN 112580952A
Authority
CN
China
Prior art keywords
user
target user
risk prediction
information
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011451677.9A
Other languages
Chinese (zh)
Inventor
余意
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN202011451677.9A priority Critical patent/CN112580952A/en
Publication of CN112580952A publication Critical patent/CN112580952A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • G06Q10/0635Risk analysis of enterprise or organisation activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • G06N3/045Combinations of networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/04Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Human Resources & Organizations (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • Economics (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Data Mining & Analysis (AREA)
  • Biomedical Technology (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Evolutionary Computation (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Computational Linguistics (AREA)
  • Biophysics (AREA)
  • Development Economics (AREA)
  • General Health & Medical Sciences (AREA)
  • Game Theory and Decision Science (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Marketing (AREA)
  • Operations Research (AREA)
  • Quality & Reliability (AREA)
  • Tourism & Hospitality (AREA)
  • General Business, Economics & Management (AREA)
  • Educational Administration (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a user behavior risk prediction method, which comprises the following steps: acquiring behavior information of a target user, and reading user behavior characteristics matched with the target user through an application program interface; determining user portrait information matched with the target user based on the behavior information of the target user; performing risk prediction processing on the user behavior characteristics through the user behavior risk prediction model to obtain a behavior risk prediction result of the target user; and determining an event execution strategy matched with the target user according to the behavior risk prediction result of the target user and the user portrait information, thereby realizing monitoring of user behavior.

Description

User behavior risk prediction method and device, electronic equipment and storage medium
Technical Field
The present invention relates to data processing technologies in neural network models, and in particular, to a method and an apparatus for predicting user behavior risk, an electronic device, and a storage medium.
Background
Anti-cheating processing in the related technology mainly comprises the steps of extracting and analyzing features of original data through complex feature engineering, then training the extracted and analyzed features by adopting a traditional Autoregressive Integrated Moving Average Model (ARIMA) or an isolated forest algorithm, and detecting abnormal behaviors based on the trained Model. However, in the process, different experts are needed for different industries and different scenes, a single expert is difficult to precisely communicate with anti-cheating strategies in different scenes such as the industries of navigation, e-commerce, finance and the like, marketing activities, ticket booking, seat occupation, transaction and the like, meanwhile, the cheating mode can be continuously updated in an iterative mode, and the early-set threshold value cannot intercept the latest cheating method and cannot adapt to variable use environments.
When the interception of cheating behaviors is realized based on deep learning through a neural network model, some important features may be omitted under the condition of high feature dimensionality, so that the prediction effect of the model is deteriorated, meanwhile, when the deep learning model is used for processing, the model training process is complex and time-consuming, if the network layers are too many, parameters can be increased, the model is increased finally, the prediction time-consuming time can be increased, the requirements of on-line time delay and TPS cannot be met, and the use requirements of different users cannot be met due to poor interpretability.
Disclosure of Invention
In view of this, embodiments of the present invention provide a user behavior risk prediction method, an apparatus, an electronic device, and a storage medium, which can implement real-time monitoring of a behavior of a target user through a user behavior risk prediction model, and execute a matched event execution policy according to a risk prediction result, so that the generalization capability and data processing capability of the user behavior risk prediction model are stronger, the user behavior risk prediction model is adapted to different use environments, and the robustness of the user behavior risk prediction model is reduced.
The technical scheme of the embodiment of the invention is realized as follows:
the embodiment of the invention provides a user behavior risk prediction method, which comprises the following steps:
acquiring behavior information of a target user, and reading user behavior characteristics matched with the target user through an application program interface;
processing different behavior characteristics of the target user based on the behavior information of the target user, and determining user portrait information matched with the target user;
performing risk prediction processing on the user behavior characteristics through the user behavior risk prediction model to obtain a behavior risk prediction result of the target user;
and determining an event execution strategy matched with the target user according to the behavior risk prediction result of the target user and the user portrait information.
The embodiment of the invention also provides a user behavior risk prediction device, which comprises:
the information transmission module is used for acquiring the behavior information of the target user and reading the user behavior characteristics matched with the target user through an application program interface;
the information processing module is used for processing different behavior characteristics of the target user based on the behavior information of the target user and determining user portrait information matched with the target user;
the information processing module is used for carrying out risk prediction processing on the user behavior characteristics through the user behavior risk prediction model to obtain a behavior risk prediction result of the target user;
and the information processing module is used for determining an event execution strategy matched with the target user according to the behavior risk prediction result of the target user and the user portrait information.
In the above-mentioned scheme, the first step of the method,
the information processing module is used for triggering a corresponding application program interface based on the terminal running environment of the target user and acquiring the behavior information of the target user through the application program interface;
the information processing module is used for acquiring account parameter information, user IP address information and user operation timestamp information transmitted by an application program interface through the application program interface;
the information processing module is used for obtaining dynamic noise matched with the terminal operation environment of the target user based on the terminal operation environment of the target user;
and the information processing module is used for carrying out denoising processing on the acquired account parameter information, the user IP address information and the user operation timestamp information transmitted by the application program interface based on the dynamic noise to form user behavior characteristics matched with a target user.
In the above-mentioned scheme, the first step of the method,
and the information processing module is used for acquiring the communication process information, the operation history information and the payment information transmitted by the application program interface based on the terminal running environment of the target user.
In the above-mentioned scheme, the first step of the method,
the information processing module is used for determining account portrait information of the target user based on the account parameter information transmitted by the application program interface;
the information processing module is used for determining the IP address portrait of the target user based on the user IP address information transmitted by the application program interface;
and the information processing module is used for determining the equipment portrait information of the target user based on the user operation time stamp information transmitted by the application program interface.
In the above-mentioned scheme, the first step of the method,
the information processing module is used for carrying out risk prediction processing on the user behavior characteristics through a time sequence abnormity sub-model in the user behavior risk prediction model and determining the difference value between the restored predicted value in the target user behavior information and the original behavior characteristics;
the information processing module is used for carrying out risk prediction processing on the user behavior characteristics through an activity level sub-model in the user behavior risk prediction model and determining the activity level of a target user account in the target user behavior information;
the information processing module is used for determining the risk level and the risk label of the target user based on the difference value between the restored predicted value in the target user behavior information and the original behavior characteristic and the activity of the target user account in the target user behavior information.
In the above-mentioned scheme, the first step of the method,
the information processing module is used for triggering an off-line analysis process based on the risk level of the target user and the risk label of the target user;
and the information processing module is used for responding to the offline analysis process and determining cheating information corresponding to the behavior characteristics of the target user through a group mining submodel in the user behavior risk prediction model.
In the above-mentioned scheme, the first step of the method,
the information processing module is used for determining the incidence relation among account parameter information, user IP address information and user operation timestamp information in different target user behavior information based on the analysis result of the group mining submodel in the user behavior risk prediction model;
and the information processing module is used for adjusting the user portrait information matched with the target user based on the incidence relation among the account parameter information, the user IP address information and the user operation timestamp information in the different target user behavior information.
In the above-mentioned scheme, the first step of the method,
the information processing module is used for determining execution events corresponding to different risk levels based on the risk level of the target user;
the information processing module is used for determining account risk, behavior risk and environmental risk corresponding to the target user through the risk label of the target user;
and the information processing module is used for determining an event execution strategy matched with the target user according to the user portrait information and through the account risk, the behavior risk and the environment risk corresponding to the target user.
In the above scheme, the apparatus further comprises:
the training module is used for acquiring the characteristics of the target user set and the historical parameters of the terminal operation environment;
the training module is used for obtaining a sample feature set matched with the user behavior risk prediction model according to the features of the target user set and the historical parameters of the terminal operation environment, wherein the sample feature set comprises sample features based on time sequence;
the training module is used for processing the sample feature set based on corresponding time sequence information and determining a training sample set matched with the user behavior risk prediction model, wherein the training sample set comprises at least one group of training samples;
the training module is used for training the user behavior risk prediction model according to a training sample set matched with the user behavior risk prediction model, and determining model parameters matched with the user behavior risk prediction model so as to predict the behavior risk of the target user through the user behavior risk prediction model.
In the above scheme, the apparatus further comprises:
the training module is used for training the user behavior risk prediction model according to the training sample set and determining model parameters of a time sequence abnormal submodel in the user behavior risk prediction model;
the training module is used for training the user behavior risk prediction model according to the training sample set and determining model parameters of an activity level sub-model in the user behavior risk prediction model;
and the training module is used for training the user behavior risk prediction model according to the training sample set and determining the model parameters of the group mining submodel in the user behavior risk prediction model.
In the above scheme, the apparatus further comprises:
the training module is used for processing the training sample set through a time sequence abnormal submodel in the user behavior risk prediction model so as to determine initial parameters of the time sequence abnormal submodel;
the training module is used for responding to the initial parameters of the time sequence abnormal submodel, processing the training sample set through the time sequence abnormal submodel and determining the updating parameters of the time sequence abnormal submodel;
and the training module is used for carrying out iterative updating on the parameters of the time sequence abnormal submodel through the training sample set according to the updated parameters of the time sequence abnormal submodel so as to extract the characteristic embedded vector of each sample in the training sample set.
In the above scheme, the apparatus further comprises:
the training module is used for determining a loss function corresponding to the time sequence abnormal submodel;
the training module is used for carrying out iterative updating on the parameters of the time sequence abnormal submodel according to the updated parameters of the time sequence abnormal submodel; until the loss function of the time sequence abnormal submodel reaches corresponding convergence conditions, and based on the parameters in the time sequence abnormal submodel, the feature embedded vector of each sample in the training sample set can be extracted.
In the above scheme, the apparatus further comprises:
the training module is used for processing the training sample set through an activity level submodel in the user behavior risk prediction model so as to determine initial parameters of the activity level submodel;
the training module is used for responding to the initial parameter of the activity level submodel, processing the training sample set through the activity level submodel and determining the updating parameter of the activity level submodel;
and the training module is used for carrying out iterative updating on the parameters of the activity level submodel through the training sample set according to the updated parameters of the activity level submodel so as to realize the determination of the risk prediction results of different samples based on corresponding sample labels and the characteristic embedded vector of each sample.
In the above scheme, the apparatus further comprises:
the training module is used for substituting different training samples in the training sample set into a loss function corresponding to the activity level submodel;
and the training module is used for determining that the activity submodel corresponds to the updating parameters when the loss function meets the corresponding convergence condition.
In the above scheme, the apparatus further comprises:
the training module is used for determining a loss function corresponding to the activity level submodel;
the training module is used for carrying out iterative updating on the parameters of the activity level submodel according to the updated parameters of the activity level submodel; until the loss function of the activity sub-model reaches the corresponding convergence condition, and based on the corresponding sample label and the feature embedding vector of each sample, determining the risk prediction results of different samples.
An embodiment of the present invention further provides an electronic device, where the electronic device includes:
a memory for storing executable instructions;
and the processor is used for realizing the preorder user behavior risk prediction method when the executable instructions stored in the memory are operated.
The embodiment of the invention also provides a computer-readable storage medium, which stores executable instructions, and the executable instructions are executed by a processor to realize the preorder user behavior risk prediction method.
The embodiment of the invention has the following beneficial effects:
the embodiment of the invention reads the user behavior characteristics matched with the target user through the application program interface by acquiring the behavior information of the target user; processing different behavior characteristics of the target user based on the behavior information of the target user, and determining user portrait information matched with the target user; performing risk prediction processing on the user behavior characteristics through the user behavior risk prediction model to obtain a behavior risk prediction result of the target user; and determining an event execution strategy matched with the target user according to the behavior risk prediction result of the target user and the user portrait information. Therefore, the behavior of the target user can be monitored in real time through the user behavior risk prediction model, and the matched event execution strategy is executed according to the risk prediction result, so that the generalization capability and the data processing capability of the user behavior risk prediction model are higher, the user behavior risk prediction model is suitable for different use environments, and the robustness of the user behavior risk prediction model is reduced.
Drawings
FIG. 1 is a schematic usage environment diagram of a user behavior risk prediction method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an electronic device according to an embodiment of the present invention;
fig. 3 is an optional flowchart of the user behavior risk prediction method provided in the present application;
FIG. 4 is a schematic diagram of a data structure of a user behavior risk prediction model according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a group mining submodel according to an embodiment of the present invention;
FIG. 6 is an alternative diagram of an event enforcement policy in an embodiment of the present invention;
fig. 7 is an alternative flowchart of a user behavior risk prediction method provided in the present application;
FIG. 8 is a schematic diagram of a user behavior risk prediction model training process according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of a front-end display of a user behavior risk prediction method provided in the present application;
fig. 10 is a schematic view of a usage process of the user behavior risk prediction method provided in the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail with reference to the accompanying drawings, the described embodiments should not be construed as limiting the present invention, and all other embodiments obtained by a person of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
Before further detailed description of the embodiments of the present invention, terms and expressions mentioned in the embodiments of the present invention are explained, and the terms and expressions mentioned in the embodiments of the present invention are applied to the following explanations.
1) In response to the condition or state on which the performed operation depends, one or more of the performed operations may be in real-time or may have a set delay when the dependent condition or state is satisfied; there is no restriction on the order of execution of the operations performed unless otherwise specified.
2) Based on the condition or state on which the operation to be performed depends, when the condition or state on which the operation depends is satisfied, the operation or operations to be performed may be in real time or may have a set delay; there is no restriction on the order of execution of the operations performed unless otherwise specified.
3) Convolutional Neural Networks (CNN Convolutional Neural Networks) are a class of Feed forward Neural Networks (Feed forward Neural Networks) that contain convolution computations and have a deep structure, and are one of the representative algorithms for deep learning (deep learning). The convolutional neural network has the capability of representation learning (rendering), and can carry out shift-i invariant classification (shift-i invariant classification) on input information according to the hierarchical structure of the convolutional neural network.
4) And (4) model training, namely performing multi-classification learning on the image data set. The model can be constructed by adopting deep learning frames such as Tensor Flow, torch and the like, and a multi-classification model is formed by combining multiple layers of neural network layers such as CNN and the like. The input of the model is a three-channel or original channel matrix formed by reading an image through openCV and other tools, the output of the model is multi-classification probability, and the webpage category is finally output through softmax and other algorithms. During training, the model approaches to a correct trend through an objective function such as cross entropy and the like.
5) Neural Networks (NN): an Artificial Neural Network (ANN), Neural network or Neural network for short, is a mathematical model or computational model simulating the structure and function of a biological Neural network (animal central nervous system, especially brain) in the field of machine learning and cognitive science, and is used for estimating or approximating functions.
6) API: the full Application Programming Interface can be translated into an Application program Interface, and is a predefined function or a convention for linking different components of a software system. The goal is to provide applications and developers the ability to access a set of routines based on certain software or hardware without having to access native code or understand the details of the internal workings.
7) The full stack type model system: in order to avoid false killing and missed killing of a single model, a full-stack model system is established by carrying out deep fusion on a plurality of supervised models and unsupervised models such as XGboost, G AN, a community discovery Fast-Unfolding algorithm and the like, so that the accuracy of flow anti-cheating is improved, and false killing is reduced.
Fig. 1 is a schematic view of a usage scenario of a user behavior risk prediction method according to an embodiment of the present invention, and referring to fig. 1, a client capable of displaying software of corresponding resource transaction data is disposed on a terminal (including a terminal 10-1 and a terminal 10-2), such as a client or a plug-in for a virtual resource or a physical resource to perform financial activities or pay (bitcoin or Q coin) through the virtual resource, a user can obtain and display resource transaction data through the corresponding client, triggering a corresponding fraud identification process (such as WeChat payment or financial game red envelope process by a program in WeChat) in the virtual resource change process, wherein the user behavior of the target user needs to be monitored through user behavior risk prediction deployed in a server in the process, so as to determine the risk level of the target user through a corresponding prediction result; the terminal is connected to the server 200 through a network 300, and the network 300 may be a wide area network or a local area network, or a combination of the two, and uses a wireless link to realize data transmission.
As an example, the server 200 is configured to lay a trained user behavior risk prediction model to implement the user behavior risk prediction method provided by the present application, by obtaining behavior information of a target user and reading a user behavior feature matched with the target user through an application program interface; determining user portrait information matched with the target user based on the behavior information of the target user; performing risk prediction processing on the user behavior characteristics through the user behavior risk prediction model to obtain a behavior risk prediction result of the target user; and determining an event execution strategy matched with the target user according to the behavior risk prediction result of the target user and the user portrait information.
Of course, before deploying the user behavior risk prediction model, training the user behavior risk prediction model is also required, including: acquiring characteristics of a target user set and historical parameters of a terminal operation environment; obtaining a sample feature set matched with the user behavior risk prediction model according to the features of the target user set and the historical parameters of the terminal operation environment, wherein the sample feature set comprises sample features based on time sequence; processing the sample feature set based on corresponding time sequence information, and determining a training sample set matched with the user behavior risk prediction model, wherein the training sample set comprises at least one group of training samples; training the user behavior risk prediction model according to the training sample set matched with the user behavior risk prediction model, and determining model parameters matched with the user behavior risk prediction model so as to predict the behavior risk of the target user through the user behavior risk prediction model.
Of course, the User behavior risk prediction apparatus provided by the present invention may be applied to a usage environment in which a virtual resource or an entity resource performs a financial activity or performs information interaction through an entity financial resource payment environment (including but not limited to various types of entity financial resource change environments, an electronic payment shopping environment, and a usage environment in which e-commerce shopping can be cheated) or social software, financial information of different data sources is usually processed in performing a financial activity or performing virtual resource payment on various types of entity financial resources, and finally financial information corresponding to a target object selected by the target User is presented on a User Interface (UI). The financial information (such as user risk judgment) obtained by the user in the current display interface can be called by other application programs.
As will be described in detail below with respect to the structure of the user behavior risk prediction apparatus according to the embodiment of the present invention, the user behavior risk prediction apparatus may be implemented in various forms, such as a dedicated terminal with a processing function of the user behavior risk prediction apparatus, or a server with a processing function of the user behavior risk prediction apparatus, for example, the server 200 in the foregoing fig. 1. Fig. 2 is a schematic diagram of a composition structure of an electronic device according to an embodiment of the present invention, and it is understood that fig. 2 only shows an exemplary structure of a user behavior risk prediction apparatus, and not a whole structure, and a part of or the whole structure shown in fig. 2 may be implemented as needed.
The user behavior risk prediction device provided by the embodiment of the invention comprises: at least one processor 201, memory 202, user interface 203, and at least one network interface 204. The various components of the user behavioral risk prediction apparatus are coupled together by a bus system 205. It will be appreciated that the bus system 205 is used to enable communications among the components. The bus system 205 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 205 in fig. 2.
The user interface 203 may include, among other things, a display, a keyboard, a mouse, a trackball, a click wheel, a key, a button, a touch pad, or a touch screen.
It will be appreciated that the memory 202 can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The memory 202 in embodiments of the present invention is capable of storing data to support operation of the terminal (e.g., 10-1). Examples of such data include: any computer program, such as an operating system and application programs, for operating on a terminal (e.g., 10-1). The operating system includes various system programs, such as a framework layer, a core library layer, a driver layer, and the like, and is used for implementing various basic services and processing hardware-based tasks. The application program may include various application programs.
In some embodiments, the user behavior risk prediction apparatus provided in the embodiments of the present invention may be implemented by a combination of software and hardware, and as an example, the user behavior risk prediction apparatus provided in the embodiments of the present invention may be a processor in the form of a hardware decoding processor, which is programmed to execute the user behavior risk prediction method provided in the embodiments of the present invention. For example, a processor in the form of a hardware decoding processor may employ one or more Application Specific Integrated Circuits (ASICs), DS ps, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field-Programmable Gate arrays (FPGs), or other electronic components.
As an example that the user behavior risk prediction apparatus provided by the embodiment of the present invention is implemented by combining software and hardware, the user behavior risk prediction apparatus provided by the embodiment of the present invention may be directly embodied as a combination of software modules executed by the processor 201, where the software modules may be located in a storage medium, the storage medium is located in the memory 202, the processor 201 reads executable instructions included in the software modules in the memory 202, and the user behavior risk prediction method provided by the embodiment of the present invention is completed in combination with necessary hardware (for example, including the processor 201 and other components connected to the bus system 205).
By way of example, the Processor 201 may be an integrated circuit chip having Signal processing capabilities, such as a general purpose Processor, a Digital Signal Processor (DSP), or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like, wherein the general purpose Processor may be a microprocessor or any conventional Processor or the like.
As an example of the user behavior risk prediction apparatus provided in the embodiment of the present invention implemented by hardware, the apparatus provided in the embodiment of the present invention may be implemented by directly using the processor 201 in the form of a hardware decoding processor, for example, the apparatus may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), or other electronic components to implement the user behavior risk prediction method provided in the embodiment of the present invention.
The memory 202 in the embodiment of the present invention is used to store various types of data to support the operation of the user behavior risk prediction apparatus. Examples of such data include: any executable instructions for operating on the user behavior risk prediction device, such as executable instructions, may be included in the executable instructions, and the program implementing the user behavior risk prediction method according to the embodiment of the present invention may be included in the executable instructions.
In other embodiments, the user behavior risk prediction apparatus provided in the embodiment of the present invention may be implemented in software, and fig. 2 illustrates the user behavior risk prediction apparatus stored in the memory 202, which may be software in the form of programs, plug-ins, and the like, and includes a series of modules, as an example of the program stored in the memory 202, which may include the user behavior risk prediction apparatus, and the user behavior risk prediction apparatus includes the following software modules: an information transmission module 2081 and an information processing module 2082. When the software modules in the user behavior risk prediction apparatus are read into the RAM by the processor 201 and executed, the user behavior risk prediction method provided by the embodiment of the present invention is implemented, where the functions of each software module in the user behavior risk prediction apparatus include:
the information transmission module 2081 is used to obtain the behavior information of the target user and read the user behavior characteristics matched with the target user through the application program interface.
The information processing module 2082 is configured to process different behavior characteristics of the target user based on the behavior information of the target user, and determine user portrait information matched with the target user.
The information processing module 2082 is configured to perform risk prediction processing on the user behavior characteristics through the user behavior risk prediction model to obtain a behavior risk prediction result of the target user.
The information processing module 2082 is configured to determine an event execution policy matched with a target user according to a behavior risk prediction result of the target user and the user portrait information.
According to the image detection apparatus shown in fig. 2, in one aspect of the present application, the present application also provides a computer program product or a computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform various embodiments and combinations of embodiments provided in the various alternative implementations of the user behavior risk prediction method described above.
Before introducing the user behavior risk prediction method provided by the application, an anti-cheating method in a wind control scene of the related technology is preferentially explained, wherein anti-cheating processing in the related technology mainly includes that original data are subjected to feature extraction and analysis through complex feature engineering, extracted and analyzed features are trained by using a traditional Autoregressive Integrated Moving Average Model (ARIMA) or an isolated forest algorithm, and abnormal behavior detection is performed based on the trained models. However, in the process, different experts are needed for different industries and different scenes, a single expert is difficult to precisely communicate with anti-cheating strategies in different scenes such as the industries of navigation, e-commerce, finance and the like, marketing activities, ticket booking, seat occupation, transaction and the like, meanwhile, the cheating mode can be continuously updated in an iterative mode, and the early-set threshold value cannot intercept the latest cheating method and cannot adapt to variable use environments.
When the interception of cheating behaviors is realized based on deep learning through a neural network model, some important features may be omitted under the condition of high feature dimensionality, so that the prediction effect of the model is deteriorated, meanwhile, when the deep learning model is used for processing, the model training process is complex and time-consuming, if the network layers are too many, parameters can be increased, the model is increased finally, the prediction time-consuming time can be increased, the requirements of on-line time delay and TPS cannot be met, and the use requirements of different users cannot be met due to poor interpretability.
To solve the above-mentioned drawbacks, referring to fig. 3, fig. 3 is an optional flowchart of the user behavior risk prediction method provided in the present application, and it can be understood that the steps shown in fig. 3 may be executed by various electronic devices operating the user behavior risk prediction apparatus to complete training and deployment of the corresponding user behavior risk prediction model, specifically, the electronic devices may be, for example, a dedicated terminal with a financial data processing function, a server with a user behavior risk prediction model training function, or a server cluster, and implement training and deployment of the user behavior risk prediction model adapted in different financial scenarios. The following is a description of the steps shown in fig. 3.
Step 301: the user behavior risk prediction device obtains the behavior information of the target user and reads the user behavior characteristics matched with the target user through the application program interface.
User behaviors include, but are not limited to: accessing a website, sending and receiving mails, uploading and downloading, instant messaging, chatting, forums, online games, streaming media videos, advertising, financial payments, coupon pickup, full subsidy pickup, red pack pickup.
In some embodiments of the present invention, obtaining behavior information of a target user, and reading a user behavior feature matched with the target user through an application program interface may be implemented in the following manner:
triggering a corresponding application program interface based on the terminal running environment of the target user, and acquiring behavior information of the target user through the application program interface; acquiring account parameter information, user IP address information and user operation timestamp information transmitted by an application program interface through the application program interface; obtaining dynamic noise matched with the terminal operation environment of the target user based on the terminal operation environment of the target user; and based on the dynamic noise, denoising the acquired account parameter information, user IP address information and user operation timestamp information transmitted by the application program interface to form user behavior characteristics matched with the target user. Referring to fig. 4, fig. 4 is a data structure diagram of a user behavior risk prediction model in an embodiment of the present invention, where in order to implement an API interface to determine whether a request traffic is malicious or not in real time, and implement a determination result returned within 100ms, so that a client can process a request according to a risk value. The selectable interface has three optional input parameters, account parameter information, user IP information, and user operation timestamp information, wherein the account parameters include but are not limited to: the more the parameters are, the more the accuracy of malicious flow judgment is improved, and flexible configuration can be performed according to different user behavior risk prediction implementation environments.
In some embodiments of the present invention, since the usage environment of the user behavior risk prediction model is different, the dynamic noise threshold value matched with the usage environment of the user behavior risk prediction model is also different, for example, in a financial usage environment where payment and transfer are performed through a WeChat process, the dynamic noise threshold value matched with the usage environment of the user behavior risk prediction model needs to be smaller than that in a financial usage environment where a user acquires a coupon through a WeChat process or is eligible for reduction. Furthermore, when the user behavior risk prediction model is solidified in a corresponding hardware mechanism, such as a financial terminal (POS machine or a teller machine), and the usage environment is a financial game red packet usage environment for predicting the risk of the target user, because the noise is relatively single, the acquired account parameter information, the user IP address information, and the user operation timestamp information transmitted by the application program interface are denoised by the fixed noise threshold corresponding to the fixed user behavior risk prediction model, so as to form a user behavior feature matched with the target user, thereby effectively improving the training speed of the user behavior risk prediction model and reducing the waiting time of the user.
In some embodiments of the present invention, at least one piece of user account information and/or at least one piece of device identification information may also be acquired from the traffic log record information. The user account information includes, but is not limited to, an instant messaging account, a shopping account, an investment and financial account, an information account, and the like, the instant messaging account may further include a QQ account, a micro account, and the like, the device identification information includes, but is not limited to, an Internet Protocol Address (IP), an IMEI, an advertisement identifier applied to the IOS system, a device unique identifier, a browser identifier, and other user behavior information, and user behavior characteristics that can be used by the user behavior risk prediction model are separated therefrom.
Further, because the terminal operating environments of the target user are different and the functions to be executed are also different, the communication process information, the operation history information and the payment information transmitted by the application program interface are acquired based on the terminal operating environment of the target user, and the acquired user characteristics are processed through the user behavior risk prediction model to obtain a user behavior risk prediction result matched with the functions to be executed, so that the application range of the user behavior risk prediction model is expanded.
Step 302: and the user behavior risk prediction device processes different behavior characteristics of the target user based on the behavior information of the target user and determines user portrait information matched with the target user.
In some embodiments of the present invention, based on the behavior information of the target user, processing different behavior characteristics of the target user to determine user portrait information matching the target user may be implemented as follows:
determining account portrait information of the target user based on the account parameter information transmitted by the application program interface; determining the IP address portrait of the target user based on the user IP address information transmitted by the application program interface; and determining the device portrait information of the target user based on the user operation time stamp information transmitted by the application program interface. In practical application, common network cheating modes at least include machine cheating and artificial cheating, wherein the machine cheating can include machine brushing amount, task distribution, flow hijacking and the like, and the artificial cheating can include Q group/water force, direct labor, induction and the like. Common network cheating means may include at least: the user portrait can at least comprise information such as a position portrait, an account portrait, an Internet Protocol Address (IP) portrait, an equipment portrait and the like, and the user portrait can effectively monitor the user behavior through the user portrait.
Step 303: and the user behavior risk prediction device carries out risk prediction processing on the user behavior characteristics through the user behavior risk prediction model to obtain a behavior risk prediction result of the target user.
Step 304: and the user behavior risk prediction device determines an event execution strategy matched with the target user according to the behavior risk prediction result of the target user and the user portrait information.
Therefore, the terminal 1 can obtain a corresponding user behavior risk prediction model 1 and a corresponding event execution strategy 1, and the terminal 2 can obtain a corresponding user behavior risk prediction model 2 and a corresponding event execution strategy 2, wherein model parameters of the risk prediction model 1 and the risk prediction model 2 can be different.
In some embodiments of the present invention, the user behavior risk prediction model is used to perform risk prediction processing on the user behavior characteristics to obtain a behavior risk prediction result of the target user, and the method may be implemented as follows:
performing risk prediction processing on the user behavior characteristics through a time sequence abnormal submodel in the user behavior risk prediction model, and determining a difference value between a restored predicted value in the target user behavior information and the original behavior characteristics; performing risk prediction processing on the user behavior characteristics through an activity level submodel in the user behavior risk prediction model, and determining the activity level of a target user account in the target user behavior information; and determining the risk level and the risk label of the target user based on the difference value between the restored predicted value in the target user behavior information and the original behavior characteristic and the activity of the target user account in the target user behavior information. Wherein, the risk prediction model is the full stack formula model system includes: the method comprises a time sequence abnormal submodel, AN activity submodel and a group mining submodel, wherein a risk prediction model of a full-stack model system can avoid mistaken killing and missed killing of a single model, and a plurality of supervised models and unsupervised models such as XGboost, G AN, a community discovery Fast-Unfolding algorithm and the like are deeply fused to establish the full-stack model system, improve the accuracy of flow anti-cheating and reduce mistaken killing.
The time sequence abnormity submodel is based on a time sequence abnormity detection algorithm of a self-encoder, high-dimensional behavior sequence data of a white sample is extracted to be used as characteristic input, the characteristic input is converted into a low-dimensional hidden vector through the encoder, compression and dimension reduction are achieved, and training of the model is completed through reduction of a decoder. In the prediction stage, the behavior characteristic sequence transmitted in real time is used as the input of the model, the output value of the model represents the error value of the data restored by encoding and decoding and the original data, and when the error value is larger, the probability that the user behavior is malicious is higher.
In some embodiments of the present invention, the activity level submodel may perform statistics according to historical behavior data based on activity level analysis of an account in a historical behavior record, for example, after a certain account is self-registered in a detection environment, the certain account is not active all the time, and becomes a high-activity state only near the start date of an activity, so that the malicious level of the certain account is higher and may be utilized by a cheater. In actual use, the input characteristics of the model are the characteristics of the account such as the active times, the active geographic positions, the active IPs and the like in different time spans of one month, two weeks, one week and the like, the output is the quality score of the account, the higher the score is, the higher the probability that the account is white is, and the time corresponding to the specific active times can be flexibly configured according to different use environments.
In some embodiments of the invention, the time series abnormality submodel and the activity submodel may be computed using an extreme Gradient Boosting model (XGBoost).
The extreme gradient boost model XGBoost involved in the present invention is described below.
The extreme Gradient boost model XGBoost is a modified algorithm of an iterative Decision Tree algorithm (GBDT Gradient Boosting Decision Tree) in the field of machine learning. For a given sample size n, the data set D of variable dimension m, can be written as:
D={(Xi,yi)|Xi∈Rm,yi∈R,i,j=1,2,...n}
fitting the data with an additive ensemble tree model can be expressed in the form:
Figure BDA0002827239990000171
wherein f iskA function representing the functional space gamma represents a tree model, and contains information such as specific tree structures and leaf nodes.
Then, the minimization process is carried out on the target function, namely:
Figure BDA0002827239990000172
wherein, Ω (f)k) Is a regularization term expressed as
Figure BDA0002827239990000173
MkIs the number of leaf nodes, wkjIs a leaf node coefficient, gamma denotes the difficulty of node segmentation, lambda denotes the L2 regularization coefficient,
Figure BDA0002827239990000174
is a loss function, represents
Figure BDA0002827239990000181
And yiThe deviation therebetween.
Because a set of all tree models is to be obtained, but not obtained at once, one way can be taken to: fixing the model obtained in the last time (t-1), then training the model in the next time (t) on the basis of the fixed result to obtain the corresponding t-th tree,
and by parity of reasoning, training is carried out in sequence. Wherein the prediction result of the t time is expressed as:
Figure BDA0002827239990000182
the objective function is then:
Figure BDA0002827239990000183
for which a second-order taylor expansion is used,
Figure BDA0002827239990000184
wherein
Figure BDA0002827239990000185
Deleting the constant term to obtain:
Figure BDA0002827239990000186
definition Ij={i|q(Xj) J is the jth leaf node, and q (f) ist) Unfolding to obtain:
Figure BDA0002827239990000187
this gives:
Figure BDA0002827239990000188
the final objective function is:
Figure BDA0002827239990000189
the objective function Objt*A measure of how good a tree structure is can be taken, with smaller values representing better such a structure. And selecting the optimal cutting point through the objective function so as to construct a classification and regression tree (CARTC _ lasification and regression tree).
In some embodiments of the present invention, after determining the risk level of the target user and the risk label of the target user, an offline analysis process may be triggered based on the risk level of the target user and the risk label of the target user; and responding to the offline analysis process, and determining cheating information corresponding to the behavior characteristics of the target user through a group mining submodel in the user behavior risk prediction model. Moreover, the user portrait can be adjusted according to the processing result of the group mining submodel, specifically, the association relationship of account parameter information, user IP address information and user operation timestamp information in different target user behavior information can be determined based on the analysis result of the group mining submodel in the user behavior risk prediction model; and adjusting the user portrait information matched with the target user based on the incidence relation among the account parameter information, the user IP address information and the user operation timestamp information in the different target user behavior information.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a group mining submodel in an embodiment of the present invention, specifically, a post offline analysis process may implement association analysis including between accounts and group mining submodel, the group mining submodel of the present invention may be implemented by a community discovery algorithm Louvain (Fast-Unfoldin g) algorithm, an objective function of the group mining submodel is to maximize modularity of the entire relationship network, and an algorithm flow diagram of Fast-Unfolding is shown in fig. 5. Taking the parameters as the IP address parameter and the device number as an example, the device number may be taken as a vertex, and the IP address parameter or the IPC number shared by the device number is an edge, and if the two device numbers are connected, the weight of the edge is 3, which represents that the two devices simultaneously appear in 3 different IP address parameters in the history request flow. After the association diagram construction between the IP address parameters and the equipment numbers is completed, determining the corresponding modularity; then for each vertex, an attempt is made to assign the vertex to a neighboring community and calculate the change in modularity, leaving the assignment scheme with the greatest increase in modularity until the modularity of the entire graph is no longer changed. After the group mining submodel performs the feature processing, it may output a pair of pai r < nodeid, commid >, nodeid representing the vertex id (such as the device number), and commid representing the community number to which nodeid belongs. If the fact that the number of the devices under any one commid is larger than 50% is determined to have the black product cheating record, the commd representing the IP address is a cheating group, all the device resources under the commd are cheating resources shared by the black product group, and the cheating organization can be dug.
Furthermore, the results of offline post offline analysis can be output and dynamically updated into the account image, the recall rate of black product accounts in the image can be improved by the results of association analysis and group mining, and a new cheating mode can be identified in real time by different submodels included in the risk prediction model of the full stack type model system following the change of black products, so that the missed killing can be reduced on the premise of ensuring low false killing rate by the user behavior risk prediction method provided by the invention.
In some embodiments of the present invention, the execution events corresponding to different risk levels may be determined based on the risk level of the target user; determining account risk, behavior risk and environmental risk corresponding to the target user through the risk label of the target user; and determining an event execution strategy matched with the target user according to the user portrait information and account risk, behavior risk and environment risk corresponding to the target user. Referring to fig. 6, fig. 6 is an optional schematic diagram of an event execution policy in an embodiment of the present invention, and different processing policies may be executed according to determined risk levels and risk labels, specifically, a risk level range is 0 to 4, where a higher level indicates a higher risk, and in this application, it is preferable to perform respective processing through three gears, where a level of 0 indicates that the pipeline is normal, and is in a no-risk state (usually, approximately 90% of a service request amount), a level of 1,2 indicates that the pipeline is slightly malicious, and is in a medium-risk state (usually, approximately 7% of the service request amount), and a level of 3,4 indicates that the pipeline is severely malicious, and is in a high-risk state (usually, approximately 3% of the service request amount). Taking the reward issuing scene of the financial payment system as an example, if the interface returns no risk, no processing is performed; if the risk is medium, the experience can be degraded, and the reward size is properly adjusted to be low or the limit is added, such as popping up a verification code or requiring real-name verification; if there is a high risk, the award may be denied.
In some embodiments of the present invention, the risk tag is typically used as an aid to analysis, and targeted blows may also be made based on the returned risk tag. The returned risk labels are preferably of three types, namely account risk, behavior risk and environmental risk, and each type has a detailed risk type, for example, the behavior risk has batch operation and automation, the account risk has invalid accounts, low credit accounts and the like, so that the behavior of the user can be timely and accurately monitored.
With continuing reference to fig. 7, fig. 7 is an optional flowchart of the user behavior risk prediction method provided in the present application, and it can be understood that the steps shown in fig. 7 may be executed by various electronic devices operating the user behavior risk prediction apparatus, for example, a server or a server cluster with a model training function, to implement user behavior risk prediction by using the user behavior risk prediction model adapted in different deployed service scenarios. The following is a description of the steps shown in fig. 7.
Step 701: and acquiring the characteristics of the target user set and the historical parameters of the terminal operating environment.
Step 702: and obtaining a sample feature set matched with the user behavior risk prediction model according to the features of the target user set and the historical parameters of the terminal operation environment.
And the sample feature set comprises sample features based on time sequence.
Step 703: and processing the sample feature set based on corresponding time sequence information, and determining a training sample set matched with the user behavior risk prediction model.
Wherein the set of training samples comprises at least one set of training samples.
Step 704: and training the user behavior risk prediction model according to the training sample set matched with the user behavior risk prediction model, and determining model parameters matched with the user behavior risk prediction model.
Therefore, the behavior risk of the target user can be predicted through the user behavior risk prediction model.
In some embodiments of the present invention, the user behavior risk prediction model is trained according to a training sample set matched with the user behavior risk prediction model, and the model parameters adapted to the user behavior risk prediction model are determined, which may be implemented in the following manner:
training the user behavior risk prediction model according to the training sample set, and determining model parameters of a time sequence abnormal submodel in the user behavior risk prediction model; training the user behavior risk prediction model according to the training sample set, and determining model parameters of an activity level sub-model in the user behavior risk prediction model; and training the user behavior risk prediction model according to the training sample set, and determining model parameters of a group mining sub-model in the user behavior risk prediction model. Specifically, the risk prediction model is a full-stack model system, including: the method comprises a time sequence abnormal submodel, an activity submodel and a group mining submodel, wherein in the training process, when the time sequence abnormal submodel is trained, the training sample set can be processed through the time sequence abnormal submodel in the user behavior risk prediction model to determine initial parameters of the time sequence abnormal submodel; responding to the initial parameters of the time sequence abnormal submodel, processing the training sample set through the time sequence abnormal submodel, and determining the updating parameters of the time sequence abnormal submodel; and according to the updated parameters of the time sequence abnormal submodel, iteratively updating the parameters of the time sequence abnormal submodel through the training sample set so as to extract the feature embedded vector of each sample in the training sample set. According to the updating parameters of the time sequence abnormal submodel, the parameters of the time sequence abnormal submodel are iteratively updated through the training sample set so as to extract the feature embedding vector of each sample in the training sample set, and the method can be realized through the following modes: determining a loss function corresponding to the time series abnormal submodel; according to the updating parameters of the time sequence abnormal submodel, the parameters of the time sequence abnormal submodel are updated in an iterative manner; until the loss function of the time sequence abnormal submodel reaches corresponding convergence conditions, and based on the parameters in the time sequence abnormal submodel, the feature embedded vector of each sample in the training sample set can be extracted.
Referring to fig. 8, fig. 8 is a schematic diagram of a training process of a user behavior risk prediction model in an embodiment of the present invention, where when training an activity level sub-model, the training sample set may be processed through an activity level sub-model in the user behavior risk prediction model to determine initial parameters of the activity level sub-model; responding to the initial parameter of the activity level submodel, processing the training sample set through the activity level submodel, and determining an updating parameter of the activity level submodel; and according to the updated parameters of the activity level submodel, iteratively updating the parameters of the activity level submodel through the training sample set so as to realize the determination of the risk prediction results of different samples based on corresponding sample labels and the feature embedded vector of each sample. Specifically, determining a loss function corresponding to the activity level submodel; according to the updating parameters of the activity submodel, the parameters of the activity submodel are updated in an iterative manner; until the loss function of the activity sub-model reaches the corresponding convergence condition, and based on the corresponding sample label and the feature embedding vector of each sample, determining the risk prediction results of different samples.
Taking prediction of a target user who needs to receive a red envelope in a usage scenario of a payment red envelope as an example, a user behavior risk prediction method provided by the present application is described below, where, referring to fig. 9, fig. 9 is a schematic front-end display diagram of the user behavior risk prediction method provided by the present application, where a terminal (for example, the terminal 10-1 and the terminal 10-2 in fig. 1) is provided with a client capable of displaying software for performing financial payment correspondingly, for example, a client or a plug-in for performing financial activities on virtual resources or entity resources or playing the red envelope through the virtual resources, and a user can obtain the payment red envelope from a financial institution or a platform through the corresponding client (for example, payment through a WeChat financial payment or small program in WeChat to receive red envelopes with different amounts); the terminal is connected to the server 200 through a network 300, and the network 300 may be a wide area network or a local area network, or a combination of the two, and uses a wireless link to realize data transmission. Servers (e.g., the server in fig. 1) of enterprises that provide financial transactions such as payment, game bonus, financing, etc., such as banks, securities, mutual funds, P2P, etc. When a user who needs to transact related financial business uses client equipment to access services provided by a client server of an enterprise, the client server can carry out risk prediction on the risk of user behavior to obtain the credit risk category of the user and identify a cheating black-producing user. By training the user behavior risk prediction model, the financial platform or the red envelope provider can be assisted to judge whether the payment red envelope is provided for the user, or different red envelope pickup users in the financial platform can be assisted to perform different management on users with different credit risk types.
Referring to fig. 10, fig. 10 is a schematic view of a usage process of the user behavior risk prediction method provided by the present application, where the user behavior risk prediction method provided by the present application includes the following steps:
step 1001: and the server acquires the account parameter information, the user IP information and the user operation timestamp information transmitted by the interface.
Step 1002: and triggering parameter information, user IP information and user operation timestamp information which are transmitted by the user behavior risk prediction model through an interface, and determining the risk level and the risk label of the target user.
Step 1003: and processing cheating information through a group mining submodel in the user behavior risk prediction model based on the risk level and the risk label of the target user.
Step 1004: and executing the matched processing strategy based on the risk level and the risk label of the target user.
The method specifically comprises the following steps: the payment function is forbidden for the high-risk users, and the payment red packet is issued to the middle-risk and low-risk users, so that the payment red packet can be prevented from being received by the high-risk users.
The beneficial technical effects are as follows:
the embodiment of the invention reads the user behavior characteristics matched with the target user through the application program interface by acquiring the behavior information of the target user; determining user portrait information matched with the target user based on the behavior information of the target user; performing risk prediction processing on the user behavior characteristics through the user behavior risk prediction model to obtain a behavior risk prediction result of the target user; and determining an event execution strategy matched with the target user according to the behavior risk prediction result of the target user and the user portrait information. Therefore, the behavior of the target user can be monitored in real time through the user behavior risk prediction model, and the matched event execution strategy is executed according to the risk prediction result, so that the generalization capability and the data processing capability of the user behavior risk prediction model are higher, the user behavior risk prediction model is suitable for different use environments, and the robustness of the user behavior risk prediction model is reduced.
The above description is only exemplary of the present invention and should not be taken as limiting the scope of the present invention, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (15)

1. A method for predicting risk of user behavior, the method comprising:
acquiring behavior information of a target user, and reading user behavior characteristics matched with the target user through an application program interface;
processing different behavior characteristics of the target user based on the behavior information of the target user, and determining user portrait information matched with the target user;
performing risk prediction processing on the user behavior characteristics through the user behavior risk prediction model to obtain a behavior risk prediction result of the target user, wherein the user behavior risk prediction model is trained by a time sequence training sample;
and determining an event execution strategy matched with the target user according to the behavior risk prediction result of the target user and the user portrait information.
2. The method according to claim 1, wherein the performing risk prediction processing on the user behavior characteristics through the user behavior risk prediction model to obtain a behavior risk prediction result of the target user includes:
performing risk prediction processing on the user behavior characteristics through a time sequence abnormal submodel in the user behavior risk prediction model, and determining a difference value between a restored predicted value in the target user behavior information and the original behavior characteristics;
performing risk prediction processing on the user behavior characteristics by using an activity level submodel in the user behavior risk prediction model, and determining the activity level of a target user account in the target user behavior information;
and determining the risk level and the risk label of the target user based on the difference value between the restored predicted value in the target user behavior information and the original behavior characteristic and the activity of the target user account in the target user behavior information.
3. The method of claim 2, further comprising:
triggering an offline analysis process based on the risk level of the target user and the risk label of the target user;
and responding to the offline analysis process, and determining cheating information corresponding to the behavior characteristics of the target user through a group mining submodel in the user behavior risk prediction model.
4. The method of claim 3, further comprising:
determining the incidence relation among account parameter information, user IP address information and user operation timestamp information in different target user behavior information based on the analysis result of the group mining submodel in the user behavior risk prediction model;
and adjusting the user portrait information matched with the target user based on the incidence relation among the account parameter information, the user IP address information and the user operation timestamp information in the different target user behavior information.
5. The method of claim 1, wherein determining an event enforcement policy matching a target user based on the behavioral risk prediction result of the target user and the user profile information comprises:
determining execution events corresponding to different risk levels respectively based on the risk levels of the target user;
determining account risk, behavior risk and environmental risk corresponding to the target user through the risk label of the target user;
and determining an event execution strategy matched with the target user according to the user portrait information and account risk, behavior risk and environment risk corresponding to the target user.
6. The method of claim 1, further comprising:
acquiring characteristics of a target user set and historical parameters of a terminal operation environment;
obtaining a sample feature set matched with the user behavior risk prediction model according to the features of the target user set and the historical parameters of the terminal operation environment, wherein the sample feature set comprises sample features based on time sequence;
processing the sample feature set based on corresponding time sequence information, and determining a training sample set matched with the user behavior risk prediction model, wherein the training sample set comprises at least one group of training samples;
training the user behavior risk prediction model according to the training sample set matched with the user behavior risk prediction model, and determining model parameters matched with the user behavior risk prediction model so as to predict the behavior risk of the target user through the user behavior risk prediction model.
7. The method of claim 6, wherein the training the user behavior risk prediction model according to the set of training samples matched with the user behavior risk prediction model, and determining the model parameters matched with the user behavior risk prediction model comprises:
training the user behavior risk prediction model according to the training sample set, and determining model parameters of a time sequence abnormal submodel in the user behavior risk prediction model;
training the user behavior risk prediction model according to the training sample set, and determining model parameters of an activity level sub-model in the user behavior risk prediction model;
and training the user behavior risk prediction model according to the training sample set, and determining model parameters of a group mining sub-model in the user behavior risk prediction model.
8. The method of claim 7, wherein the training the user behavior risk prediction model according to the training sample set to determine model parameters of a time series anomaly sub-model in the user behavior risk prediction model comprises:
processing the training sample set through a time sequence abnormal submodel in the user behavior risk prediction model to determine initial parameters of the time sequence abnormal submodel;
responding to the initial parameters of the time sequence abnormal submodel, processing the training sample set through the time sequence abnormal submodel, and determining the updating parameters of the time sequence abnormal submodel;
and according to the updated parameters of the time sequence abnormal submodel, iteratively updating the parameters of the time sequence abnormal submodel through the training sample set so as to extract the feature embedded vector of each sample in the training sample set.
9. The method of claim 8, wherein iteratively updating the parameters of the time-series abnormal submodel through the training sample set according to the updated parameters of the time-series abnormal submodel to extract a feature embedding vector of each sample in the training sample set comprises:
determining a loss function corresponding to the time series abnormal submodel;
according to the updating parameters of the time sequence abnormal submodel, the parameters of the time sequence abnormal submodel are updated in an iterative manner; until the loss function of the time sequence abnormal submodel reaches corresponding convergence conditions, and based on the parameters in the time sequence abnormal submodel, the feature embedded vector of each sample in the training sample set can be extracted.
10. The method of claim 1, wherein the obtaining of the behavior information of the target user and the reading of the user behavior characteristics matching the target user through the application program interface comprises:
triggering a corresponding application program interface based on the terminal running environment of the target user, and acquiring behavior information of the target user through the application program interface;
acquiring account parameter information, user IP address information and user operation timestamp information transmitted by an application program interface through the application program interface;
obtaining dynamic noise matched with the terminal operation environment of the target user based on the terminal operation environment of the target user;
and based on the dynamic noise, denoising the acquired account parameter information, user IP address information and user operation timestamp information transmitted by the application program interface to form user behavior characteristics matched with the target user.
11. The method of claim 10, further comprising:
and acquiring communication process information, operation history information and payment information transmitted by the application program interface based on the terminal running environment of the target user.
12. The method of claim 1, wherein the processing different behavior characteristics of the target user based on the behavior information of the target user to determine user profile information matching the target user comprises:
determining account portrait information of the target user based on the account parameter information transmitted by the application program interface;
determining the IP address portrait of the target user based on the user IP address information transmitted by the application program interface;
and determining the device portrait information of the target user based on the user operation time stamp information transmitted by the application program interface.
13. A user behavior risk prediction apparatus, the apparatus comprising:
the information transmission module is used for acquiring the behavior information of the target user and reading the user behavior characteristics matched with the target user through an application program interface;
the information processing module is used for processing different behavior characteristics of the target user based on the behavior information of the target user and determining user portrait information matched with the target user;
the information processing module is used for carrying out risk prediction processing on the user behavior characteristics through the user behavior risk prediction model to obtain a behavior risk prediction result of the target user;
and the information processing module is used for determining an event execution strategy matched with the target user according to the behavior risk prediction result of the target user and the user portrait information.
14. An electronic device, characterized in that the electronic device comprises:
a memory for storing executable instructions;
a processor configured to implement the user behavioral risk prediction method of any one of claims 1 to 12 when executing the executable instructions stored in the memory.
15. A computer-readable storage medium storing executable instructions, wherein the executable instructions when executed by a processor implement the user behavioral risk prediction method of any one of claims 1 to 12.
CN202011451677.9A 2020-12-09 2020-12-09 User behavior risk prediction method and device, electronic equipment and storage medium Pending CN112580952A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011451677.9A CN112580952A (en) 2020-12-09 2020-12-09 User behavior risk prediction method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011451677.9A CN112580952A (en) 2020-12-09 2020-12-09 User behavior risk prediction method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112580952A true CN112580952A (en) 2021-03-30

Family

ID=75131150

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011451677.9A Pending CN112580952A (en) 2020-12-09 2020-12-09 User behavior risk prediction method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112580952A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112733045A (en) * 2021-04-06 2021-04-30 北京轻松筹信息技术有限公司 User behavior analysis method and device and electronic equipment
CN112791414A (en) * 2021-04-15 2021-05-14 腾讯科技(深圳)有限公司 Plug-in recognition model training method and device, electronic equipment and storage medium
CN113420941A (en) * 2021-07-16 2021-09-21 湖南快乐阳光互动娱乐传媒有限公司 Risk prediction method and device for user behavior
CN113987466A (en) * 2021-12-27 2022-01-28 国网浙江省电力有限公司 Information sequencing auditing method and device based on middlebox and storage medium
CN113989043A (en) * 2021-10-28 2022-01-28 支付宝(杭州)信息技术有限公司 Event risk identification method, device and equipment
CN114119037A (en) * 2022-01-24 2022-03-01 深圳尚米网络技术有限公司 Marketing anti-cheating system based on big data
CN114662988A (en) * 2022-04-25 2022-06-24 中国银行股份有限公司 Discount roll wind control method and device, electronic equipment and computer storage medium
CN115051833A (en) * 2022-05-12 2022-09-13 中国电子科技集团公司电子科学研究院 Intercommunication network abnormity detection method based on terminal process
CN116205376A (en) * 2023-04-27 2023-06-02 北京阿帕科蓝科技有限公司 Behavior prediction method, training method and device of behavior prediction model
CN116720181A (en) * 2023-05-06 2023-09-08 武汉优尼思科技有限公司 Visual operation risk prediction method and software product for dealing with intelligent digital service

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112733045A (en) * 2021-04-06 2021-04-30 北京轻松筹信息技术有限公司 User behavior analysis method and device and electronic equipment
CN112733045B (en) * 2021-04-06 2021-06-22 北京轻松筹信息技术有限公司 User behavior analysis method and device and electronic equipment
CN112791414A (en) * 2021-04-15 2021-05-14 腾讯科技(深圳)有限公司 Plug-in recognition model training method and device, electronic equipment and storage medium
CN112791414B (en) * 2021-04-15 2021-08-17 腾讯科技(深圳)有限公司 Plug-in recognition model training method and device, electronic equipment and storage medium
CN113420941A (en) * 2021-07-16 2021-09-21 湖南快乐阳光互动娱乐传媒有限公司 Risk prediction method and device for user behavior
CN113989043A (en) * 2021-10-28 2022-01-28 支付宝(杭州)信息技术有限公司 Event risk identification method, device and equipment
CN113987466A (en) * 2021-12-27 2022-01-28 国网浙江省电力有限公司 Information sequencing auditing method and device based on middlebox and storage medium
CN113987466B (en) * 2021-12-27 2022-04-12 国网浙江省电力有限公司 Information sequencing auditing method and device based on middlebox and storage medium
CN114119037A (en) * 2022-01-24 2022-03-01 深圳尚米网络技术有限公司 Marketing anti-cheating system based on big data
CN114662988A (en) * 2022-04-25 2022-06-24 中国银行股份有限公司 Discount roll wind control method and device, electronic equipment and computer storage medium
CN115051833A (en) * 2022-05-12 2022-09-13 中国电子科技集团公司电子科学研究院 Intercommunication network abnormity detection method based on terminal process
CN115051833B (en) * 2022-05-12 2023-12-15 中国电子科技集团公司电子科学研究院 Intercommunication network anomaly detection method based on terminal process
CN116205376A (en) * 2023-04-27 2023-06-02 北京阿帕科蓝科技有限公司 Behavior prediction method, training method and device of behavior prediction model
CN116205376B (en) * 2023-04-27 2023-10-17 北京阿帕科蓝科技有限公司 Behavior prediction method, training method and device of behavior prediction model
CN116720181A (en) * 2023-05-06 2023-09-08 武汉优尼思科技有限公司 Visual operation risk prediction method and software product for dealing with intelligent digital service

Similar Documents

Publication Publication Date Title
CN112580952A (en) User behavior risk prediction method and device, electronic equipment and storage medium
US10691494B2 (en) Method and device for virtual resource allocation, modeling, and data prediction
CN106875078B (en) Transaction risk detection method, device and equipment
CN111681091B (en) Financial risk prediction method and device based on time domain information and storage medium
WO2021174966A1 (en) Risk identification model training method and apparatus
CN111401558A (en) Data processing model training method, data processing device and electronic equipment
CN111553488B (en) Risk recognition model training method and system for user behaviors
CN111737546B (en) Method and device for determining entity service attribute
CN113011884B (en) Account feature extraction method, device, equipment and readable storage medium
CN112785157A (en) Risk identification system updating method and device and risk identification method and device
CN114187112A (en) Training method of account risk model and determination method of risk user group
CN114782161A (en) Method, device, storage medium and electronic device for identifying risky users
CN114202336A (en) Risk behavior monitoring method and system in financial scene
Lukita et al. Predictive and Analytics using Data Mining and Machine Learning for Customer Churn Prediction
CN111951008A (en) Risk prediction method and device, electronic equipment and readable storage medium
CN112950347A (en) Resource data processing optimization method and device, storage medium and terminal
CN112330373A (en) User behavior analysis method and device and computer readable storage medium
CN117196630A (en) Transaction risk prediction method, device, terminal equipment and storage medium
CN116228391A (en) Risk identification method and device, storage medium and electronic equipment
CN116151954A (en) Real-time group-partner anti-fraud detection method and system
CN110570301B (en) Risk identification method, device, equipment and medium
JP2023506739A (en) METHOD AND SYSTEM FOR DETECTING MARGIN CALL FACTORS USING MACHINE LEARNING
CN113705682B (en) User behavior feature processing method and device
US20220309359A1 (en) Adverse features neutralization in machine learning
JP7366218B1 (en) Information processing device, method and program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40040458

Country of ref document: HK