CA3152858C - Link-based risk user identification method and device - Google Patents

Link-based risk user identification method and device Download PDF

Info

Publication number
CA3152858C
CA3152858C CA3152858A CA3152858A CA3152858C CA 3152858 C CA3152858 C CA 3152858C CA 3152858 A CA3152858 A CA 3152858A CA 3152858 A CA3152858 A CA 3152858A CA 3152858 C CA3152858 C CA 3152858C
Authority
CA
Canada
Prior art keywords
risk
user
link
behavior
page
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CA3152858A
Other languages
French (fr)
Other versions
CA3152858A1 (en
Inventor
Chuandui WANG
Guohua YE
Jiajin Liu
Lifei YAO
Liang Wu
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
10353744 Canada Ltd
Original Assignee
10353744 Canada Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 10353744 Canada Ltd filed Critical 10353744 Canada Ltd
Publication of CA3152858A1 publication Critical patent/CA3152858A1/en
Application granted granted Critical
Publication of CA3152858C publication Critical patent/CA3152858C/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • G06Q10/0635Risk analysis of enterprise or organisation activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/018Certifying business or products

Landscapes

  • Business, Economics & Management (AREA)
  • Human Resources & Organizations (AREA)
  • Engineering & Computer Science (AREA)
  • Economics (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • Development Economics (AREA)
  • Theoretical Computer Science (AREA)
  • Marketing (AREA)
  • General Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • Educational Administration (AREA)
  • Tourism & Hospitality (AREA)
  • Quality & Reliability (AREA)
  • Operations Research (AREA)
  • Game Theory and Decision Science (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Pertaining to the field of computer technology, the present invention makes public risk user identifying method and device based on a link. The method comprises: obtaining at least one behavior data produced by a user on a current page of a client end; analyzing the at least one behavior data, and obtaining risk information of the current page; judging whether a current link node to which the current page corresponds is a head node of the link, wherein link nodes to which at least one page corresponds are employed to chronologically form a link; if yes, recording the risk information of the current page as risk information of the current link node; if not, calculating the risk information of the current link node according to the risk information of the current page and risk information of a link node previous to the current link node on the link.

Description

LINK-BASED RISK USER IDENTIFICATION METHOD AND DEVICE
BACKGROUND OF THE INVENTION
Technical Field [0001] The present invention relates to the field of computer technology, and more particularly to a risk user identifying method and a risk user identifying device based on a link.
Description of Related Art 100021 With the rapid development of the internet e-commerce, such as e-commerce platforms, more and more users are accustomed to purchasing through the e-commerce platforms, but there are also risk users (namely computers or machines) that are disguised as normal users to make various malicious attacking behaviors on the e-commerce platforms, such as cheating on special-offers, malicious grabbing of coupons, malicious panic purchasing, putting invalid orders, and putting fake orders, etc., the harms done by risk users are beyond enumeration, as they not only impair network shopping benefits of purchasing users, but also, and more importantly, damage the interests of selling users and the fairness of e-commerce platforms, and it therefore becomes ultimately important for e-commerce platforms to identify whether users are normal users or risk users.
[0003] As the current inventor has found in the process of implementing the present invention, it is usual in the state of the art to merely rely upon operational behavior data of a user on a single page to identify whether the user is a risk user, while there is no continued tracking of operational behaviors of the user on a plurality of pages; moreover, due to the strong antagonistic consciousness of risk users, it is impossible to identify the risk users precisely and reliably.
SUMMARY OF THE INVENTION
[0004] In order to overcome the technical problems mentioned in the above Description of Related Art, the present invention provides a risk user identifying method and a risk user identifying device based on a link, so as to realize precise and reliable identification of risk users.

Date recue/Date received 2024-02-14 [0005] The specific technical solutions provided by the embodiments of the present invention are as follows.
[0006] According to the first aspect, there is provided a risk user identifying method based on a link, and the method comprises:
[0007] obtaining at least one behavior data produced by a user on a current page of a client end;
[0008] analyzing the at least one behavior data, and obtaining risk information of the current page;
[0009] judging whether a current link node to which the current page corresponds is a head node of the link, wherein link nodes to which at least one page corresponds are employed to chronologically form a link;
[0010] if yes, recording the risk information of the current page as risk information of the current link node;
[0011] if not, calculating the risk information of the current link node according to the risk information of the current page and risk information of a link node previous to the current link node on the link; and [0012] identifying whether the user is a risk user according to the risk information of all link nodes including the current link node on the link.
[0013] Preferably, the at least one behavior data includes at least one of the following:
[0014] coordinate position of a clicked page, time duration of a clicked page, sliding distance, sliding acceleration, sliding angle, equipment gyroscope data, equipment acceleration data, and screen temperature.
[0015] Further, the step of analyzing the at least one behavior data, and obtaining risk information of the current page includes:
[0016] respectively obtaining at least one behavior feature from the at least one behavior data;
[0017] inputting various behavior features as obtained into a rule engine to be performed with rule evaluation, and obtaining risk levels of the various behavior features;
and [0018] determining the risk information of the current page according to the risk levels of the
2 Date recue/Date received 2024-02-14 various behavior features.
[0019] Further, the step of determining the risk information of the current page according to the risk levels of the various behavior features includes:
[0020] determining the highest risk level from the risk levels of the various behavior features;
and [0021] determining the risk information of the current page according to the highest risk level.
[0022] Further, the risk information includes respective probabilities of plural risk levels, and the step of calculating the risk information of the current link node according to the risk information of the current page and risk information of a link node previous to the current link node on the link includes:
[0023] with respect to each of the risk levels, calculating in accordance with a preset calculation formula to obtain the probability of the risk level of the current link node according to the probability of the risk level of the current page and the probability of the risk level of the previous link node;
[0024] preferably, the preset calculation formula is as follows:
Mi' = Ni * a + Mi * (1 ¨ a);
[0025] where Ili is the probability of risk level i of the current page, Mi is the probability of risk level i of the previous link node, Mi' is the probability of risk level i of the current link node, a is a coefficient, and 0< a < 0.5.
[0026] Further, the step of identifying whether the user is a risk user according to the risk information of all link nodes including the current link node on the link includes:
[0027] with respect to each link node in all the link nodes, determining the risk level with the highest probability from probabilities of the various risk levels of the link node;
[0028] determining the risk level with the highest probability as the ultimate risk level of the link node;
[0029] counting the number of occurrences of the ultimate risk levels of all the link nodes, and determining the ultimate risk level whose number of occurrences satisfies a preset condition as the
3 Date recue/Date received 2024-02-14 risk level of the user; and [0030] judging whether the risk level of the user is in a preset level range, and determining whether the user is a normal user or a risk user according to a judging result.
[0031] Moreover, the method further comprises:
[0032] after having identified that the user is a risk user, making identity authentication on the user, or performing a corresponding restriction operation on the user.
[0033] According to the second aspect, there is provided a risk user identifying device based on a link, and the device comprises:
[0034] an obtaining module, for obtaining at least one behavior data produced by a user on a current page of a client end;
[0035] an analyzing module, for analyzing the at least one behavior data, and obtaining risk information of the current page;
[0036] a judging module, for judging whether a current link node to which the current page corresponds is a head node of the link, wherein link nodes to which at least one page corresponds are employed to chronologically form a link;
[0037] a recording module, for recording, when the judging module judges positive, the risk information of the current page as risk information of the current link node;
[0038] a calculating module, for calculating, when the judging module judges negative, the risk information of the current link node according to the risk information of the current page and risk information of a link node previous to the current link node on the link; and [0039] an identifying module, for identifying whether the user is a risk user according to the risk information of all link nodes including the current link node on the link.
[0040] Further, the analyzing module is specifically employed for:
[0041] respectively obtaining at least one behavior feature from the at least one behavior data;
[0042] inputting various behavior features as obtained into a rule engine to be performed with rule evaluation, and obtaining risk levels of the various behavior features;
and [0043] determining the risk information of the current page according to the risk levels of the
4 Date recue/Date received 2024-02-14 various behavior features.
[0044] Further, the analyzing module is specifically employed for:
[0045] determining the highest risk level from the risk levels of the various behavior features;
and [0046] determining the risk information of the current page according to the highest risk level.
[0047] Preferably, the at least one behavior data includes at least one of the following:
[0048] coordinate position of a clicked page, time duration of a clicked page, sliding distance, sliding acceleration, sliding angle, equipment gyroscope data, equipment acceleration data, and screen temperature.
[0049] Further, the risk information includes respective probabilities of plural risk levels, and the calculating module is specifically employed for:
[0050] with respect to each of the risk levels, calculating in accordance with a preset calculation formula to obtain the probability of the risk level of the current link node according to the probability of the risk level of the current page and the probability of the risk level of the previous link node;
[0051] preferably, the preset calculation formula is as follows:
Mi' = Ni * a + Mi * (1 ¨ a);
[0052] where Ni is the probability of risk level i of the current page, Mi is the probability of risk level i of the previous link node, Mi' is the probability of risk level i of the current link node, a is a coefficient, and 0< a < 0.5.
[0053] Further, the identifying module is specifically employed for:
[0054] with respect to each link node in all the link nodes, determining the risk level with the highest probability from probabilities of the various risk levels of the link node;
[0055] determining the risk level with the highest probability as the ultimate risk level of the link node;
[0056] counting the number of occurrences of the ultimate risk levels of all the link nodes, and determining the ultimate risk level whose number of occurrences satisfies a preset condition as the Date recue/Date received 2024-02-14 risk level of the user; and [0057] judging whether the risk level of the user is in a preset level range, and determining whether the user is a normal user or a risk user according to a judging result.
[0058] Further, the device further comprises:
[0059] a risk processing module, for making identity authentication on the user, or performing a corresponding restriction operation on the user, after having identified that the user is a risk user.
[0060] According to the third aspect, there is provided a computer equipment that comprises:
[0061] one or more processor(s); and [0062] a storage device, for storing one or more program(s);
[0063] when the one or more program(s) is/are executed by the one or more processor(s), the processor(s) is/are enabled to realize the method as recited in anyone of the first aspect [0064] According to the fourth aspect, there is provided a computer-readable storage medium storing thereon a computer program that realizes the method as recited in anyone of the first aspect upon execution by a processor.
[0065] In the risk user identifying method and device based on a link provided by the embodiments of the present invention, risk information of the current page is obtained by analyzing obtained behavior data on the current page, and when it is judged that the current link node to which the page corresponds is not the head node of the link, the risk information of the current link node is calculated according to the risk information of the current page and the risk information of a link node previous to the current link node, and cyclic iteration is so performed that the risk information of each link node is associated with the risk information of the previous link node, whereby is achieved continued tracking of operational behaviors of the user on a plurality of pages; moreover, the identification as to whether the user is a risk user according to the risk information containing all link nodes including the current link node on the link is more comprehensive and precise as compared with the analysis of user behavior data by a single node or a single page, whereby is achieved more precise and reliable identification of risk users.

Date recue/Date received 2024-02-14 BRIEF DESCRIPTION OF THE DRAWINGS
[0066] To describe the technical solutions more clearly in the embodiments of the present invention, drawings required to illustrate the embodiments are briefly introduced below.
Apparently, the drawings introduced below are merely directed to some embodiments of the present invention, while persons ordinarily skilled in the art may further acquire other drawings on the basis of these drawings without spending creative effort in the process.
[0067] Fig. 1 is a flowchart illustrating a risk user identifying method based on a link provided by an embodiment of the present invention; and [0068] Fig. 2 is a block diagram illustrating the structure of a risk user identifying device based on a link provided by an embodiment of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
100691 To make more lucid and clew- the objectives, technical solutions and advantages of the present invention, the technical solutions in the embodiments of the present invention will be clearly and comprehensively described below with reference to the accompanying drawings in the embodiments of the present invention. Apparently, the embodiments as described are merely partial, rather than the entire, embodiments of the present invention. Any other embodiments makeable by persons ordinarily skilled in the art on the basis of the embodiments in the present invention without creative effort shall all fall within the protection scope of the present invention.
[0070] Embodiment 1 [0071] An embodiment of the present invention provides a risk user identifying method based on a link, and the method is applicable to a server side; as shown in Fig. 1, the method can comprise the following steps.
100721 Step Si - obtaining at least one behavior data produced by a user on a current page of a client end.
[0073] The current page indicates a page currently operated by the user on the client end.
[0074] The client end can be installed in any electronic equipment having a processor and a memory. The client end can be any of such various client ends as a shopping client end, a loan-Date recue/Date received 2024-02-14 borrowing client end, etc., and the electronic equipment can be any of various personal computers, notebook computers, smart mobile phones, panel computers, and portable wearable devices.
[0075] A data collecting tool is preconfigured on the client end, and the data collecting tool is used to collect behavior data produced by the user on the current page of the client end, and to upload the behavior data to a server.
[0076] With respect to an APP client end, an SDK collecting tool can be preconfigured at the APP client end, and behavior data produced when the user operates on a page of the APP client end is collected via an SDK collecting interface. With respect to an HTML end or an applet end, a JavaScript collecting tool can be preconfigured, and user behavior data is collected from a webpage or the applet end through a JavaScriptrm collecting interface.
[0077] The user makes various operations on the client end, such as making a registration operation on a registration page, making a login operation on a login page, and so on, corresponding behavior data will be generated with respect to these operations, and the behavior data includes, but is not limited to, clicking behavior data (including position coordinates and time durations of clicks, etc.), and sliding behavior data (including sliding distance, acceleration, and angle, etc.).
[0078] In addition, in order to realize more precise identification, besides obtaining the clicking behavior data and the sliding behavior data, the behavior data can further include terminal equipment information, including, but not limited to, equipment gyroscope data, equipment acceleration data, and screen temperature, etc.
[0079] Specifically, the server receives the behavior data produced by the user on the current page of the APP client end as collected by SDK, and/or receives the behavior data produced by the user on the current page of the HTML end or the applet end as collected by JavaScripem.
[0080] In the embodiments of the present invention, both the SDK collecting interface and the JavaScriptrm collecting interface support continuous collection, and can realize collection of user behavior data without interfering with the business system in the entire course, thereby guaranteeing data continuity of the link nodes.

Date recue/Date received 2024-02-14 [0081] Step S2 - analyzing the at least one behavior data, and obtaining risk information of the current page.
[0082] Specifically, at least one behavior feature is obtained from the at least one behavior data, the various behavior features as obtained are input in a rule engine to be performed with rule evaluation, risk levels of the various behavior features are obtained, and the risk information of the current page is determined according to the risk levels of the various behavior features.
[0083] The step of respectively obtaining at least one behavior feature from the at least one behavior data includes the following:
[0084] the server performs statistical analysis on such plural pieces of behavior data as coordinate position of a clicked page, time duration of a clicked page, sliding distance, sliding acceleration, sliding angle, equipment gyroscope data, equipment acceleration data, and screen temperature, and calculates to obtain such plural behavior features as page clicking frequency, fluctuation in page clicking time durations, fluctuation in sliding distances, interval of sliding accelerations, interval of sliding angles, equipment motion information, screen temperature change information etc.
[0085] The step of inputting various behavior features as obtained into a rule engine to be performed with rule evaluation, and obtaining risk levels of the various behavior features includes the following:
100861 the server inputs the various behavior features in the rule engine, performs analytical comparison on the various behavior features with a corresponding preset normal range through the rule engine to obtain deviation degrees (which characterize the degrees by which the behavior features exceed the corresponding preset normal range) of the various behavior features, determines deviation degree interval ranges in which the deviation degrees of the various behavior features locate, and determines the risk levels of the various behavior features according to correspondence relations between the preset deviation degree interval ranges and the risk levels.
The risk levels can be classified as no risk, low risk, medium risk and high risk, the higher the deviation degree is, the higher will be the risk level.

Date recue/Date received 2024-02-14 [0087] The step of determining the risk information of the current page according to the risk levels of the various behavior features includes:
[0088] determining the highest risk level from the risk levels of the various behavior features, and determining the risk information of the current page according to the highest risk level.
[0089] In practical application, the risk information of the current page includes risk levels, and the highest risk level can be directly determined as the risk level of the current page.
[0090] In addition, it is also possible to count the number of occurrences of the risk levels of all the behavior features, determine the risk level with the maximum number of occurrences, and determine the risk level with the maximum number of occurrences as the risk information of the current page.
[0091] Step S3 -judging whether a current link node to which the current page corresponds is a head node of the link, wherein link nodes to which at least one page corresponds are employed to chronologically form a link; if yes, executing step S4, if not, executing step SS.
[0092] In this embodiment, the user will produce different behaviors on different pages of the client end, such as a registering behavior produced on a registration page, a logging-in behavior produced on a login page, a coupon-grabbing behavior produced on a coupon-grabbing page, a purchasing behavior produced on a shopping page, and so on; if each behavior of the user is taken as a node, and a series of nodes is chronologically linked together according to the order of times at which the user behavior occurred, then a link can be formed in the form of an event flow, that is to say, the link can record the behavior track of the current operation of the user.
[0093] Exemplarily, if the first page on which a certain user currently operates at the client end is a registration page, the link node to which the registration page corresponds is the head node of the link, after the user has successfully registered on the registration page, a login page is jumped to, then the link node to which the login page corresponds is the second node, so on and so forth, and it is thus possible to form different link nodes into a complete link according to the order of times.
[0094] As should be noted, plural links can be formed for one user, one link corresponds to the Date recue/Date received 2024-02-14 behavior track of one operation of the user, there may be different behavior tracks at each operation of the user, and the orders of all link nodes possessed by each link may also be different.
[0095] Specifically, after having obtained the behavior data produced by the user on the current page, the server judges whether the current page is the first page the user currently operates on the client end, if yes, determines that the current link node to which the current page corresponds is the head node of the link, and executes step S4, if not, determines that the current link node to which the current page corresponds is not the head node of the link, and executes step S5.
[0096] Step S4 - recording the risk information of the current page as risk information of the current link node.
[0097] Specifically, the risk level of the current page is recorded as the risk level of the current link node.
[0098] In this embodiment, plural different risk levels are classified in advance, including no risk, low risk, medium risk and high risk, when the risk level of the current link node is determined, it can then be determined that there is a 100% probability for the current link node to have this risk level, and that the probability for the current link node to have any other risk level is 0.
[0099] Exemplarily, if the risk level of the current link node is medium risk, there is a 100%
probability for the current link node to be medium risky, and the probabilities for being not risky, lowly risky and highly risky are all 0.
[0100] Step S5 - calculating the risk information of the current link node according to the risk information of the current page and risk information of a link node previous to the current link node on the link.
[0101] The risk information includes respective probabilities of plural risk levels.
[0102] Specifically, with respect to each risk level, the probability of the risk level of the current link node is calculated and obtained in accordance with a preset calculation formula according to the probability of the risk level of the current page and the probability of the risk level of the previous link node.
[0103] The preset calculation formula is as follows:

Date recue/Date received 2024-02-14 Mi' = Ni * a + Mi * (1 ¨ a);
[0104] where Ni is the probability of risk level i of the current page, Mi is the probability of risk level i of the previous link node, Mi' is the probability of risk level i of the current link node, a is a coefficient, and 0< a < 0.5.
[0105] Wherein a is preferably 0.2.
[0106] As can be understood, when the previous link node is the head node of the link, the risk information of the current link node is calculated according to the risk information of the current page and the risk information of the head node on the link.
[0107] As should be noted, after the probabilities of the various risk levels of each link node have been calculated and obtained, the probabilities of the various risk levels of the link node are recorded.
[0108] Exemplarily, suppose that the current page is a shopping page whose risk level is no risk, that is to say, the probabilities for the shopping page to be highly risky, medium risky, lowly risky and not risky are respectively 0%, 0%, 0% and 100%, and since the current link node to which the current page corresponds is not the head node of the link, the already recorded probabilities of the various risk levels possessed by the link node previous to the current link node are obtained, and the probabilities of being highly risky, medium risky, lowly risky and not risky possessed by the previous link node are respectively 64%, 36%, 0% and 0%, then the probabilities of being highly risky, medium risky, lowly risky and not risky possessed by the current link node are calculated and obtained respectively as 51%, 29%, 0% and 20% through the calculation formula Mi' = Ni *
a + Mi * (1 ¨ a), where a is 0.2.
[0109] Step S6 - identifying whether the user is a risk user according to the risk information of all link nodes including the current link node on the link.
[0110] Specifically, with respect to each link node in all of the link nodes, the risk level with the highest probability is determined from probabilities of the various risk levels of the link node, and the risk level with the highest probability is determined as the ultimate risk level of the link node;
the number of occurrences of the ultimate risk levels of all the link nodes is counted, and the Date recue/Date received 2024-02-14 ultimate risk level whose number of occurrences satisfies a preset condition is determined as the risk level of the user; it is judged whether the risk level of the user is in a preset level range, and it is determined according to the judging result whether the user is a normal user or a risk user.
[0111] Exemplarily, if probabilities for a certain link node to be highly risky, medium risky, lowly risky and not risky are respectively 51%, 29%, 0% and 20%, then the ultimate risk level of this link node is high risk.
[0112] The number of occurrences of the ultimate risk levels of all the link nodes on the link is counted, the number of occurrences of their respective high risk, medium risk, low risk and no risk on the link are obtained, and the ultimate risk level with the maximum number of occurrences is determined as the risk level of the user.
[0113] When the risk level of the user is in the preset level range, it is determined that the user is a risk user, and the user is marked with a corresponding risk level label;
otherwise it is determined that the user is a normal user. The preset level range can be set as practically required, and in actual application the preset level range can be set as medium risk and high risk.
[0114] Further, after step S6, the method can further comprise:
[0115] after having identified that the user is a risk user, making identity authentication on the user, or performing a corresponding restriction operation on the user.
[0116] The restriction operation includes disabling key functions on the page, and the key functions include, but are not limited to, checking, inputting and submitting.
[0117] In this embodiment, after the user has been judged as a risk user, it can be effectively controlled by making identity authentication on the user or performing a corresponding restriction operation on the user to prevent the risk user from making such malicious behaviors as malicious grabbing of coupons, malicious panic purchasing, putting invalid orders, and putting fake orders, etc., so as to help ensure legitimate rights and interests of e-commerce platforms and normal consumers.
[0118] As should be noted, the entire process of identifying risk users are imperceptible to normal users, and the normal users can do shopping and receive coupons imperceptibly, so it is Date recue/Date received 2024-02-14 made possible to avoid disturbing normal users and enhance user experience, whereas the risks of risk users (such as robots) on one page scenario or plural page scenarios on a link will be restricted.
[0119] In the risk user identifying method based on a link provided by the embodiment of the present invention, risk information of the current page is obtained by analyzing obtained behavior data on the current page, and when it is judged that the current link node to which the page corresponds is not the head node of the link, the risk information of the current link node is calculated according to the risk information of the current page and the risk information of a link node previous to the current link node, and cyclic iteration is so performed that the risk information of each link node is associated with the risk information of the previous link node, whereby is achieved continued tracking of operational behaviors of the user on a plurality of pages; moreover, the identification as to whether the user is a risk user according to the risk information containing all link nodes including the current link node on the link is more comprehensive and precise as compared with the analysis of user behavior data by a single node or a single page, whereby is achieved more precise and reliable identification of risk users based on a link.
[0120] A shopping client end is taken for example below to exemplarily describe the risk user identifying method based on a link provided by an embodiment of the present invention in conjunction with a link risk matrix table.

Date recue/Date received 2024-02-14 Table 1: Link Risk Matrix Table Link Page Pag Click Slide Gyroscope Accele Screen Page Link Node Link Node e ID ration Temperat Risk Risk Node ure Ultimate Risk node 1 regist 783 no no high no no high high-100% high ration 732 node 2 login 965 no mediu no no no mediu high-80%
high 345 m m medium-20%
node 3 rec,eiv 953 medi no no mediu no mediu high-64% high ing 700 um m m medium-coupo 36%
ns node 4 shopp 234 no no no no no no high-51%
high ing 534 medium-29%
no-20%
node 5 shopp 345 no 110 no mediu low mediu high-41%
medium ing 452 m m medium-3 43%
no-16%
node 6 order 765 no no no no low low high-33% medium 756 medium-3 34%
low-20%
no-13%
node 7 exit 765 no no no no no no high-27% no 759 medium-0 27%
low-16%
no-30%
Risk levels respectively mean: no ¨ no risk, low ¨ low risk, medium ¨ medium risk, high ¨ high risk.
[0121] Suppose that user a collects plural pieces of behavior data including clicking, sliding, gyroscope, acceleration, and screen temperature data on each page operated on the client end.
[0122] With reference to Table 1, if the registration page is the current page currently operated by user a on the client end, the server obtains the clicking, sliding, gyroscope, acceleration, and Date regue/Date received 2024-02-14 screen temperature data produced by user a operating the registration page, obtains corresponding behavior features, analyzes risk levels of the various behavior features, sequentially as no risk, no risk, high risk, no risk, and no risk, since the highest risk level occurring in the risk levels of the various behavior features is high risk, then the risk level to which the registration page corresponds is high risk, also since link node 1 to which the registration page corresponds is the head node of the link (that is, the registration page is the first page currently operated by the user on the client end), then the risk of link node 1 at this time is high risk, and the ultimate risk of link node 1 is also high risk.
[0123] With further reference to Table 1, after the login page has been jumped to from the registration page, then when the login page is the current page currently operated by user a on the client end, the server obtains the clicking, sliding, gyroscope, acceleration, and screen temperature data produced by user a operating the login page, obtains corresponding behavior features, analyzes risk levels of the various behavior features, sequentially as no risk, medium risk, no risk, no risk, and no risk, since the medium risk occurs in the risk levels of the various behavior features, then the risk level of the login page is medium risk, that is, the probabilities for the login page to be highly risky, medium risky and lowly risky are respectively 0%, 100% and 0%, also since current link node 2 to which the current page corresponds is not the head node of the link, the probabilities of the various risk levels possessed by link node 2 are calculated through the preset calculation formula Mi' = N1 * a + M1 * (1 ¨ a), where a is valuated as 0.2, with the specific calculation process as follows:
the probability of high risk: O*0.2+100%*(1-0.2) = 80%;
the probability of medium risk: 100%*0.2+0%*(1-0.2)= 20%;
the probability of low risk: 0*0.2+0%*(1-0.2)= 0%.
[0124] As can be determined, the probability for link node 2 to be highly risky is highest, then the ultimate risk level of link node 2 is high risk.
[0125] When user a continues to operate the client end to have jumped from the login page to the coupon-receiving page, at this time the coupon-receiving page serves as the current page Date recue/Date received 2024-02-14 currently operated by user a on the client end, the server calculates that the probabilities for the coupon-receiving page to be highly risky, medium risky and lowly risky are respectively 0%, 100%
and 0%, subsequently the probabilities of the various risk levels possessed by link node 3 are calculated through the preset calculation formula Mi' = Ni * a + Mi * (1 ¨ a), with the specific calculation process as follows:
the probability of high risk: 0*0.2+80%*(1-0.2) = 64%;
the probability of medium risk: 100%*0.2+20%*(1-0.2)= 36%;
the probability of low risk: 0*0.2+0%*(1-0.2)= 0%.
101261 The server determines that the probability for link node 3 to be highly risky is highest, then it is determined that the ultimate risk level of link node 3 is high risk.
[0127] So on and so forth, the risk levels of each page operated by user a on the client end are calculated, and the preset calculation formula is thereafter based on to calculate the risk information and the ultimate risk level of the corresponding link node.
[0128] As it is not difficult to be seen from Table 1, although the page to which link node 4 corresponds is not risky, since link node 3 is highly risky, it can be determined through risk calculation that the ultimate risk of link node 4 is also high risk; although link node 6 is not medium risky, since link node 5 is medium risky, it can be determined through risk calculation that the ultimate risk of link node 6 is medium risk. Link node 1 through link node 7 sequentially constitute a complete link, in all the link nodes of the entire link, node 4 is highly risky, node 2 is medium risky, node 1 is not risky, and it can be determined according to the risk level with the maximum number of occurrences that the account risk level of user a is a high risk account.
101291 Embodiment 2 [0130] An embodiment of the present invention provides a risk user identifying device based on a link, as shown in Fig. 2, the device comprises:
[0131] an obtaining module 21, for obtaining at least one behavior data produced by a user on a current page of a client end;
[0132] an analyzing module 22, for analyzing the at least one behavior data, and obtaining risk Date recue/Date received 2024-02-14 information of the current page;
[0133] a judging module 23, for judging whether a current link node to which the current page corresponds is a head node of the link, wherein link nodes to which at least one page corresponds are employed to chronologically form a link;
[0134] a recording module 24, for recording, when the judging module 23 judges positive, the risk information of the current page as risk information of the current link node;
[0135] a calculating module 25, for calculating, when the judging module 23 judges negative, the risk information of the current link node according to the risk information of the current page and risk information of a link node previous to the current link node on the link; and [0136] an identifying module 26, for identifying whether the user is a risk user according to the risk information of all link nodes including the current link node on the link.
[0137] Further, the analyzing module 22 is specifically employed for:
[0138] respectively obtaining at least one behavior feature from the at least one behavior data;
[0139] inputting various behavior features as obtained into a rule engine to be performed with rule evaluation, and obtaining risk levels of the various behavior features;
and [0140] determining the risk information of the current page according to the risk levels of the various behavior features.
[0141] Further, the analyzing module 22 is specifically employed for:
[0142] determining the highest risk level from the risk levels of the various behavior features;
and [0143] determining the risk information of the current page according to the highest risk level.
[0144] Preferably, the at least one behavior data includes at least one of the following:
[0145] coordinate position of a clicked page, time duration of a clicked page, sliding distance, sliding acceleration, sliding angle, equipment gyroscope data, equipment acceleration data, and screen temperature.
[0146] Further, the risk information includes respective probabilities of plural risk levels, and the calculating module 25 is specifically employed for:

Date recue/Date received 2024-02-14 [0147] with respect to each of the risk levels, calculating in accordance with a preset calculation formula to obtain the probability of the risk level of the current link node according to the probability of the risk level of the current page and the probability of the risk level of the previous link node;
[0148] preferably, the preset calculation formula is as follows:
Mi' = Ni * a + Mi * (1 ¨ a);
[0149] where Ni is the probability of risk level i of the current page, Mi is the probability of risk level i of the previous link node, M1' is the probability of risk level i of the current link node, a is a coefficient, and 0< a < 0.5.
[0150] Further, the identifying module 26 is specifically employed for:
[0151] with respect to each link node in all the link nodes, determining the risk level with the highest probability from probabilities of the various risk levels of the link node;
[0152] determining the risk level with the highest probability as the ultimate risk level of the link node;
[0153] counting the number of occurrences of the ultimate risk levels of all the link nodes, and determining the ultimate risk level whose number of occurrences satisfies a preset condition as the risk level of the user; and [0154] judging whether the risk level of the user is in a preset level range, and determining whether the user is a normal user or a risk user according to a judging result.
[0155] Further, the device further comprises:
[0156] a risk processing module 27, for making identity authentication on the user, or performing a corresponding restriction operation on the user, after the identifying module 26 has identified that the user is a risk user.
[0157] The risk user identifying device based on a link provided by the embodiment of the present invention pertains to the same inventive conception as the risk user identifying method based on a link provided by an embodiment of the present invention, can execute the risk user identifying method based on a link provided by an embodiment of the present invention, possesses Date recue/Date received 2024-02-14 corresponding functional modules to execute the risk user identifying method based on a link, and achieves advantageous effects. Technical details not comprehensively described in this embodiment can be inferred from the risk user identifying method based on a link provided by an embodiment of the present invention, and are not redundantly described in this context.
[0158] In addition, an embodiment of the present invention further provides a computer equipment that comprises:
[0159] one or more processor(s);
[0160] a memory; and [0161] a program, stored in the memory; when executed by the one or more processor(s), the program enables the processor(s) to execute the steps of the risk user identifying method based on a link as recited in the foregoing embodiment.
[0162] Another embodiment of the present invention further provides a computer-readable storage medium storing thereon a program that enables a processor to execute the steps of the risk user identifying method based on a link as recited in the foregoing embodiment when the program is executed by the processor.
[0163] As should be clear to persons skilled in the art, the embodiment of the present invention can be embodied as a method, a system or a computer program product.
Accordingly, in the embodiments of the present invention can be employed the form of complete hardware embodiment, complete software embodiment, or embodiment combining software with hardware.
Moreover, in the embodiments of the present invention can be employed the form of one or more computer program product(s) implemented on a computer available storage medium (including, but not limited to, a magnetic disk memory, a CD-ROM, an optical memory, etc.) containing computer available program codes.
[0164] The embodiments of the present invention are described with reference to flowcharts and/or block diagrams of the embodied method, device (system), and computer program product in the embodiments of the present invention. As should be understood, it is possible for computer program instructions to realize each flow and/or block in the flowcharts and/or block diagrams, Date recue/Date received 2024-02-14 and the combination of flows and/or blocks in the flowcharts and/or block diagrams. These computer program instructions can be supplied to a general computer, a dedicated computer, an embedded processor or the processor of any other programmable data processing device to generate a machine enabling the instructions executed by the computer or the processor of any other programmable data processing device to generate a device for realizing the functions specified in one or more flow(s) of the flowcharts and/or one or more block(s) of the block diagrams.
[0165] These computer program instructions can also be stored in a computer-readable memory capable of guiding a computer or any other programmable data processing device to operate in specific modes enabling the instructions stored in the computer-readable memory to generate a product containing instructing means that realizes the functions specified in one or more flow(s) of the flowcharts and/or one or more block(s) of the block diagrams.
[0166] These computer program instructions can also be loaded to a computer or any other programmable data processing device, enabling to execute a series of operational steps on the computer or the any other programmable device to generate computer-realized processing, so that the instructions executed on the computer or the any other programmable device supply steps for realizing the functions specified in one or more flow(s) of the flowcharts and/or one or more block(s) of the block diagrams.
[0167] Although preferred embodiments in the embodiments of the present invention have been described, it is still possible for persons skilled in the art to make additional modifications and amendments to these embodiments upon learning the basic inventive concept.
Accordingly, the attached Claims are meant to subsume the preferred embodiments and all modifications and amendments that fall within the scope of the embodiments of the present invention.
[0168] Apparently, it is possible for persons skilled in the art to make various modifications and variations to the present invention without departing from the spirit and scope of the present invention. Thusly, should such modifications and variations to the present invention fall within the range of the Claims and equivalent technology of the present invention, the present invention is Date recue/Date received 2024-02-14 also meant to cover such modifications and variations.

Date recue/Date received 2024-02-14

Claims (339)

Claims:
1. A device comprising:
an obtaining module, configured to obtain at least one behavior data produced by a user on a current page of a client end;
an analyzing module, configured to:
analyze the at least one behavior data;
obtain risk information of the current page;
a judging module, configured to judge whether a current link node to which the current page corresponds is a head node of a link, wherein link nodes to which at least one page corresponds chronologically form a link;
a recording module, configured to record, when the judging module judges positive, the risk information of the current page as the risk information of the current link node;
a calculating module, configured to calculate, when the judging module judges negative, the risk information of the current link node according to the risk information of the current page and the risk information of a link node previous to the current link node on the link; and an identifying module, configured to identify whether the user is a risk user according to the risk information of all link nodes including the current link node on the link.
2. The device of claim 1, wherein the analyzing module is further configured to:
obtain at least one behavior feature from the at least one behavior data;
input various behavior features as obtained into a rule engine is performed with rule evaluation;

Date re we/Date received 2024-02-14 obtain risk levels of the various behavior features; and determine the risk information of the current page according to the risk levels of the various behavior features.
3. The device of claim 2, wherein the analyzing module is further configured to:
determine highest risk level from the risk levels of the various behavior features; and determine the risk information of the current page according to the highest risk level.
4. The device of any one of claims 1 to 3, wherein the risk information includes respective probabilities of plural risk levels.
5. The device of claim 4, wherein the calculating module is further configured to:
with respect to each of the risk levels, calculate in accordance with a preset calculation formula to obtain probability of the risk level of the current link node according to the probability of the risk level of the current page and the probability of the risk level of previous link node;
wherein the preset calculation formula is:
Mi' = Ni * a + Mi * (1 ¨ a);
where N is probability of risk level i of the current page, Mi is probability of risk level i of the previous link node, Mi' is probability of risk level i of the current link node, a is a coefficient, and 0< a < 0.5.
6. The device of claim 5, wherein the identifying module is further configured to:
with respect to each link node in all the link nodes, determine the risk level with highest probability from probabilities of the risk levels of the link node;
determine the risk level with the highest probability as ultimate risk level of the link node;

Date recue/Date received 2024-02-14 count number of occurrences of the ultimate risk levels of all the link nodes;
determine the ultimate risk level whose number of occurrences satisfies a preset condition as the risk level of the user;
judge whether the risk level of the user is in a preset level range; and determine whether the user is a normal user or the risk user according to a judging result
7. The device of claim 1, further comprises a risk processing module configured to make identity authentication on the user or perform a corresponding restriction operation on the user.
8. The device of any one of claims 1 to 7, wherein the client end is installed in any electronic equipment having a processor and a memory.
9. The device of any one of claims 1 to 8, wherein the client end includes a shopping client end, a loan-borrowing client end.
10. The device of any one of claims 1 to 9, wherein the electronic equipment includes personal computers, notebook computers, smart mobile phones, panel computers, and portable wearable devices.
11. The device of any one of claims 1 to 10, wherein a data collecting tool is preconfigured on the client end, wherein the data collecting tool collects behavior data produced by the user on the current page of the client end, to upload the behavior data to a server.
12. The device of any one of claims 1 to 11, wherein an application (APP) client end, a software development kit (SDK) collecting tool is preconfigured at the APP
client end, and the behavior data produced when the user operates on a page of the APP
client end is collected via an SDK collecting interface.
Date recue/Date received 2024-02-14
13. The device of any one of claims 1 to 12, wherein a hypertext markup language (HTML) end or an applet end, a JavaScript collecting tool id preconfigured, and user behavior data is collected from a webpage or the applet end through a JavaScript.' collecting interface.
14. The device of any one of claims 1 to 13, wherein the user makes operations on the client end, including making a registration operation on a regisuation page, making a login operation on a login page, wherein corresponding behavior data is generated with respect to these operations, and wherein the behavior data includes clicking behavior data, including position coordinates and time durations of clicks, and sliding the behavior data, including sliding distance, acceleration, and angle.
15. The device of any one of claims 1 to 14, wherein the behavior data includes terminal equipment information, including equipment gyroscope data, equipment acceleration data, and screen temperature.
16. The device of any one of claims 1 to 15, wherein the server receives the behavior data produced by the user on the current page of the APP client end as collected by SDK, and/or receives the behavior data produced by the user on the current page of the HTML
end or the applet end as collected by JavaScriptTM.
17. The device of any one of claims 1 to 16, wherein the SDK collecting interface and the JavaScript' collecting interface support continuous collection, and realizes the collection of the user behavior data without interfering with business system.
18. The device of any one of claims 1 to 17, wherein the at least one behavior feature is obtained from the at least one behavior data.
19. The device of any one of claims 1 to 18, wherein the server performs statistical analysis includes plural pieces of the behavior data as coordinate position of a clicked page, the time duration of the clicked page, the sliding distance, the sliding acceleration, sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature, and Date recue/Date received 2024-02-14
20. The device of any one of claims 1 to 19, wherein the server calculates to obtain plural behavior features including page clicking frequency, fluctuation in page clicking time durations, fluctuation in the sliding distances, interval of sliding accelerations, interval of the sliding angles, equipment motion information, screen temperature change information.
21. The device of any one of claims 1 to 20, wherein performing analytical comparison on the various behavior features with a corresponding preset normal range through the rule engine to obtain deviation degrees wherein the deviation degrees are degrees where the behavior features exceed the corresponding preset normal range, of the various behavior features, determines deviation degree interval ranges in which the deviation degrees of the various behavior features locate, and determines the risk levels of the various behavior features according to correspondence relations between preset deviation degree interval ranges and the risk levels.
22. The device of any one of claims 1 to 21, wherein the risk levels are classified as no risk, low risk, medium risk and high risk, wherein higher the deviation degree is, the higher is the risk level.
23. The device of any one of claims 1 to 22, wherein the risk information of the current page includes the risk levels, and the highest risk level is directly determined as the risk level of the current page.
24. The device of any one of claims 1 to 23, wherein each behavior of the user is taken as a node, and a series of nodes is chronologically linked together according to order of times user behavior occurred, wherein the link is formed in form of an event flow, wherein the link records a behavior track of current operation of the user.
25. The device of any one of claims 1 to 24, wherein plural links are formed for one user, wherein one link corresponds to the behavior track of one operation of the user, and different behavior tacks at each operation of the user, and orders of all link nodes possessed by each link is different.

Date recue/Date received 2024-02-14
26. The device of any one of claims 1 to 25, wherein plural different risk levels are classified in advance, including no risk, low risk, medium risk and high risk.
27. The device of any one of claims 1 to 26, wherein the risk level of the current link node is determined, there is a 100% probability for the current link node to have this risk level, and the probability for the current link node to have any other risk level is O.
28. The device of any one of claims 1 to 27, wherein a is 0.2.
29. The device of any one of claims 1 to 28, wherein the risk level of the user is in the preset level range, it is determined the user is the risk user, and the user is marked with a corresponding risk level label;
30. The device of any one of claims 1 to 29, wherein the risk level of the user is not in the preset level range, the user is the normal user.
31. The device of any one of claims 1 to 30, wherein the preset level range is set as practically required.
32. The device of any one of claims 1 to 31, wherein the preset level range is set as medium risk and high risk.
33. The device of any one of claims 1 to 32, wherein the restriction operation includes disabling key functions on the page, wherein the key functions include checking, inputting and submitting.
34. The device of any one of claims 1 to 33, wherein the at least one behavior data includes coordinate position of the clicked page, the time duration of the clicked page, sliding distance, the sliding acceleration, the sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature.
35. A system comprising:
an obtaining module, configured to obtain at least one behavior data produced by a user on a current page of a client end;

Date recue/Date received 2024-02-14 an analyzing module, configured to:
analyze the at least one behavior data;
obtain risk information of the current page;
a judging module, configured to judge whether a current link node to which the current page corresponds is a head node of a link, wherein link nodes to which at least one page corresponds chronologically form a link;
a recording module, configured to record, when the judging module judges positive, the risk information of the current page as the risk information of the current link node;
a calculating module, configured to calculate, when the judging module judges negative, the risk information of the current link node according to the risk information of the current page and the risk information of a link node previous to the current link node on the link; and an identifying module, configured to identify whether the user is a risk user according to the risk infaimation of all link nodes including the current link node on the link.
36. The system of claim 35, wherein the analyzing module is further configured to:
obtain at least one behavior feature from the at least one behavior data;
input various behavior features as obtained into a rule engine is performed with rule evaluation;
obtain risk levels of the various behavior features; and determine the risk information of the current page according to the risk levels of the various behavior features.
37. The system of claim 36, wherein the analyzing module is further configured to:

Date recue/Date received 2024-02-14 determine highest risk level from the risk levels of the various behavior features; and determine the risk information of the current page according to the highest risk level.
38. The system of any one of claims 35 to 37, wherein the risk information includes respective probabilities of plural risk levels.
39. The system of claim 38, wherein the calculating module is further configured to:
with respect to each of the risk levels, calculate in accordance with a preset calculation formula to obtain probability of the risk level of the current link node according to the probability of the risk level of the current page and the probability of the risk level of previous link node;
wherein the preset calculation formula is:
Mi' = N1* a + Mi * (1 ¨ a);
where N1 is probability of risk level i of the current page, M1 is probability of risk level i of the previous link node, Mi' is probability of risk level i of the current link node, a is a coefficient, and 0< a < O.S.
40. The system of claim 39, wherein the identifying module is further configured to:
with respect to each link node in all the link nodes, determine the risk level with highest probability from probabilities of the risk levels of the link node;
detelinine the risk level with the highest probability as ultimate risk level of the link node;
count number of occurrences of the ultimate risk levels of all the link nodes;
determine the ultimate risk level whose number of occurrences satisfies a preset condition as the risk level of the user;
judge whether the risk level of the user is in a preset level range; and Date re we/Date received 2024-02-14 determine whether the user is a normal user or the risk user according to a judging result.
41. The system of claim 35, further comprises a risk processing module configured to make identity authentication on the user or perform a corresponding restriction operation on the user.
42. The system of any one of claims 35 to 41, wherein the client end is installed in any electronic equipment having a processor and a memory.
43. The system of any one of claims 35 to 42, wherein the client end includes a shopping client end, a loan-borrowing client end.
44. The system of any one of claims 35 to 43, wherein the electronic equipment includes personal computers, notebook computers, smart mobile phones, panel computers, and portable wearable devices.
45. The system of any one of claims 35 to 44, wherein a data collecting tool is preconfigured on the client end, wherein the data collecting tool collects behavior data produced by the user on the current page of the client end, to upload the behavior data to a server.
46. The system of any one of claims 35 to 45, wherein an application (APP) client end, a software development kit (SDK) collecting tool is preconfigured at the APP
client end, and the behavior data produced when the user operates on a page of the APP
client end is collected via an SDK collecting interface.
47. The system of any one of claims 35 to 46, wherein a hypertext markup language (HTML) end or an applet end, a JavaScripem collecting tool id preconfigured, and user behavior data is collected from a webpage or the applet end through a JavaScriptim collecting interface.

Date recue/Date received 2024-02-14
48. The system of any one of claims 35 to 47, wherein the user makes operations on the client end, including making a registration operation on a registration page, making a login operation on a login page, wherein corresponding behavior data is generated with respect to these operations, and wherein the behavior data includes clicking behavior data, including position coordinates and time durations of clicks, and sliding the behavior data, including sliding distance, acceleration, and angle.
49. The system of any one of claims 35 to 48, wherein the behavior data includes terminal equipment information, including equipment gyroscope data, equipment acceleration data, and screen temperature.
50. The system of any one of claims 35 to 49, wherein the server receives the behavior data produced by the user on the current page of the APP client end as collected by SDK, and/or receives the behavior data produced by the user on the current page of the HTML
end or the applet end as collected by JavaScriptTM.
51. The system of any one of claims 35 to 50, wherein the SDK collecting interface and the JavaScriptrm collecting interface support continuous collection, and realizes the collection of the user behavior data without interfering with business system.
52. The system of any one of claims 35 to 51, wherein the at least one behavior feature is obtained from the at least one behavior data.
53. The system of any one of claims 35 to 52, wherein the server performs statistical analysis includes plural pieces of the behavior data as coordinate position of a clicked page, the time duration of the clicked page, the sliding distance, the sliding acceleration, sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature, and
54. The system of any one of claims 35 to 53, wherein the server calculates to obtain plural behavior features including page clicking frequency, fluctuation in page clicking time durations, fluctuation in the sliding distances, interval of sliding accelerations, interval of the sliding angles, equipment motion information, screen temperature change information.

Date recue/Date received 2024-02-14
55. The system of any one of claims 35 to 54, wherein performing analytical comparison on the various behavior features with a corresponding preset normal range through the rule engine to obtain deviation degrees wherein the deviation degrees are degrees where the behavior features exceed the corresponding preset normal range, of the various behavior features, determines deviation degree interval ranges in which the deviation degrees of the various behavior features locate, and determines the risk levels of the various behavior features according to correspondence relations between preset deviation degree interval ranges and the risk levels.
56. The system of any one of claims 35 to 55, wherein the risk levels are classified as no risk, low risk, medium risk and high risk, wherein higher the deviation degree is, the higher is the risk level.
57. The system of any one of claims 35 to 56, wherein the risk information of the current page includes the risk levels, and the highest risk level is directly determined as the risk level of the current page.
58. The system of any one of claims 35 to 57, wherein each behavior of the user is taken as a node, and a series of nodes is chronologically linked together according to order of times user behavior occurred, wherein the link is formed in form of an event flow, wherein the link records a behavior track of current operation of the user.
59. The system of any one of claims 35 to 58, wherein plural links are formed for one user, wherein one link corresponds to the behavior track of one operation of the user, and different behavior tracks at each operation of the user, and orders of all link nodes possessed by each link is different.
60. The system of any one of claims 35 to 59, wherein plural different risk levels are classified in advance, including no risk, low risk, medium risk and high risk.
61. The system of any one of claims 35 to 60, wherein the risk level of the current link node is determined, there is a 100% probability for the current link node to have this risk level, and the probability for the current link node to have any other risk level is O.

Date recue/Date received 2024-02-14
62. The system of any one of claims 35 to 61, wherein a is 0.2.
63. The system of any one of claims 35 to 62, wherein the risk level of the user is in the preset level range, it is determined the user is the risk user, and the user is marked with a corresponding risk level label;
64. The system of any one of claims 35 to 63, wherein the risk level of the user is not in the preset level range, the user is the normal user.
65. The system of any one of claims 35 to 64, wherein the preset level range is set as practically required.
66. The system of any one of claims 35 to 65, wherein the preset level range is set as medium risk and high risk.
67. The system of any one of claims 35 to 66, wherein the restriction operation includes disabling key functions on the page, wherein the key functions include checking, inputting and submitting.
68. The system of any one of claims 35 to 67, wherein the at least one behavior data includes coordinate position of the clicked page, the time duration of the clicked page, sliding distance, the sliding acceleration, the sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature.
69. A method comprising:
obtaining at least one behavior data produced by a user on a current page of a client end;
analyzing the at least one behavior data;
obtaining risk information of the current page;
judging whether a current link node with the current page corresponds is a head node of a link, wherein link nodes to which at least one page corresponds to chronologically form a link;

Date recue/Date received 2024-02-14 wherein yes, recording the risk information of the current page as the risk information of the current link node;
wherein not, calculating the risk information of the current link node according to the risk information of the current page and the risk information of a link node before the current link node on the link; and identifying whether the user is a risk user according to the risk information of all link nodes including the current link node on the link.
70. The method of claim 69, wherein analyzing the at least one behavior data, and obtaining the risk information of the current page comprises:
obtaining at least one behavior feature from the at least one behavior data;
inputting various behavior features as obtained into a rule engine performed with rule evaluation;
obtaining risk levels of the various behavior features; and determining the risk information of the current page according to the risk levels of the various behavior features.
71. The method of claim 70, wherein determining the risk information of the current page according to the risk levels of the various behavior features comprises:
determining highest risk level from the risk levels of the various behavior features;
and determining the risk infolination of the current page according to the highest risk level.
72. The method of any one of claims 69 to 71, wherein the risk information includes respective probabilities of plural risk levels.

Date recue/Date received 2024-02-14
73. The method of claim 72, wherein calculating the risk information of the current link node according to the risk information of the current page and the risk information of the link node before the current link node on the link comprises:
with respect to each of the risk levels, calculating in accordance with a preset calculation formula to obtain probability of the risk level of the current link node according to the probability of the risk level of the current page and the probability of the risk level of previous link node;
wherein the preset calculation formula is:
Mi' = Ni * a + Mi * (1 ¨ a);
where Ni is probability of risk level i of the current page, Mi is probability of risk level i of the previous link node, Mi' is probability of risk level i of the current link node, a is a coefficient, and 0< a < 0.5.
74. The method of claim 73, wherein identifying whether the user is the risk user according to the risk information of all link nodes including the current link node on the link comprises:
with respect to each link node in all the link nodes, determining the risk level with highest probability from probabilities of the risk levels of the link node;
determining the risk level with the highest probability as ultimate risk level of the link node;
counting number of occurrences of the ultimate risk levels of all the link nodes;
determining the ultimate risk level whose number of occurrences satisfies a preset condition as the risk level of the user;
judging whether the risk level of the user is in a preset level range; and determining whether the user is a normal user or the risk user according to a judging result.

Date re we/Date received 2024-02-14
75. The method of claim 69, further comprising:
making identity authentication on the user or performing a corresponding restriction operation on the user.
76. The method of any one of claims 69 to 75, wherein the client end is installed in any electronic equipment having a processor and a memory.
77. The method of any one of claims 69 to 76, wherein the client end includes a shopping client end, a loan-borrowing client end.
78. The method of any one of claims 69 to 77, wherein the electronic equipment includes personal computers, notebook computers, smart mobile phones, panel computers, and portable wearable devices.
79. The method of any one of claims 69 to 78, wherein a data collecting tool is preconfigured on the client end, wherein the data collecting tool collects behavior data produced by the user on the current page of the client end, to upload the behavior data to a server.
80. The method of any one of claims 69 to 79, wherein an application (APP) client end, a software development kit (SDK) collecting tool is preconfigured at the APP
client end, and the behavior data produced when the user operates on a page of the APP
client end is collected via an SDK collecting interface.
81. The method of any one of claims 69 to 80, wherein a hypertext markup language (HTML) end or an applet end, a JavaScriptrm collecting tool id preconfigured, and user behavior data is collected from a webpage or the applet end through a JavaScriptim collecting interface.
82. The method of any one of claims 69 to 81, wherein the user makes operations on the client end, including making a registration operation on a registration page, making a login operation on a login page, wherein corresponding behavior data is generated with respect to these operations, and wherein the behavior data includes clicking behavior data, including position coordinates and time durations of clicks, and sliding the behavior data, including sliding distance, acceleration, and angle.

Date recue/Date received 2024-02-14
83. The method of any one of claims 69 to 82, wherein the behavior data includes terminal equipment information, including equipment gyroscope data, equipment acceleration data, and screen temperature.
84. The method of any one of claims 69 to 83, wherein the server receives the behavior data produced by the user on the current page of the APP client end as collected by SDK, and/or receives the behavior data produced by the user on the current page of the HTML
end or the applet end as collected by JavaScriptim.
85. The method of any one of claims 69 to 84, wherein the SDK collecting interface and the JavaScripe" collecting interface support continuous collection, and realizes the collection of the user behavior data without interfering with business system.
86. The method of any one of claims 69 to 85, wherein the at least one behavior feature is obtained from the at least one behavior data.
87. The method of any one of claims 69 to 86, wherein the server performs statistical analysis includes plural pieces of the behavior data as coordinate position of a clicked page, the time duration of the clicked page, the sliding distance, the sliding acceleration, sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature, and
88. The method of any one of claims 69 to 87, wherein the server calculates to obtain plural behavior features including page clicking frequency, fluctuation in page clicking time durations, fluctuation in the sliding distances, interval of sliding accelerations, interval of the sliding angles, equipment motion information, screen temperature change information.

Date recue/Date received 2024-02-14
89. The method of any one of claims 69 to 88, wherein performing analytical comparison on the various behavior features with a corresponding preset normal range through the rule engine to obtain deviation degrees wherein the deviation degrees are degrees where the behavior features exceed the corresponding preset normal range, of the various behavior features, determines deviation degree interval ranges in which the deviation degrees of the various behavior features locate, and determines the risk levels of the various behavior features according to correspondence relations between preset deviation degree interval ranges and the risk levels.
90. The method of any one of claims 69 to 89, wherein the risk levels are classified as no risk, low risk, medium risk and high risk, wherein higher the deviation degree is, the higher is the risk level.
91. The method of any one of claims 69 to 90, wherein the risk information of the current page includes the risk levels, and the highest risk level is directly determined as the risk level of the current page.
92. The method of any one of claims 69 to 91, wherein each behavior of the user is taken as a node, and a series of nodes is chronologically linked together according to order of times user behavior occurred, wherein the link is formed in form of an event flow, wherein the link records a behavior track of current operation of the user.
93. The method of any one of claims 69 to 92, wherein plural links are formed for one user, wherein one link corresponds to the behavior track of one operation of the user, and different behavior tracks at each operation of the user, and orders of all link nodes possessed by each link is different.
94. The method of any one of claims 69 to 93, wherein plural different risk levels are classified in advance, including no risk, low risk, medium risk and high risk.
95. The method of any one of claims 69 to 94, wherein the risk level of the current link node is determined, there is a 100% probability for the current link node to have this risk level, and the probability for the current link node to have any other risk level is 0.

Date recue/Date received 2024-02-14
96. The method of any one of claims 69 to 95, wherein a is 0.2.
97. The method of any one of claims 69 to 96, wherein the risk level of the user is in the preset level range, it is determined the user is the risk user, and the user is marked with a corresponding risk level label;
98. The method of any one of claims 69 to 97, wherein the risk level of the user is not in the preset level range, the user is the normal user.
99. The method of any one of claims 69 to 98, wherein the preset level range is set as practically required.
100. The method of any one of claims 69 to 99, wherein the preset level range is set as medium risk and high risk.
101. The method of any one of claims 69 to 100, wherein the restriction operation includes disabling key functions on the page, wherein the key functions include checking, inputting and submitting.
102. The method of any one of claims 69 to 101, wherein the at least one behavior data includes coordinate position of the clicked page, the time duration of the clicked page, sliding distance, the sliding acceleration, the sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature.
103. A computer equipment comprising:
one or more processor(s);
a memory; and a program, stored in the memory, executed by the one or more processor(s) configured to:
obtain at least one behavior data produced by a user on a current page of a client end;
Date recue/Date received 2024-02-14 analyze the at least one behavior data;
obtain risk information of the current page;
judge whether a current link node with the current page corresponds is a head node of a link, wherein link nodes to which at least one page corresponds to chronologically form a link;
wherein yes, record the risk information of the current page as the risk information of the current link node;
wherein not, calculate the risk information of the current link node according to the risk information of the current page and the risk information of a link node before the current link node on the link; and identify whether the user is a risk user according to the risk information of all link nodes including the current link node on the link.
104. The equipment of claim 103, wherein analyzing the at least one behavior data, and obtaining the risk information of the current page comprises:
obtaining at least one behavior feature from the at least one behavior data;
inputting various behavior features as obtained into a rule engine performed with rule evaluation;
obtaining risk levels of the various behavior features; and determining the risk information of the current page according to the risk levels of the various behavior features.
105. The equipment of claim 104, wherein determining the risk information of the current page according to the risk levels of the various behavior features comprises:
determining highest risk level from the risk levels of the various behavior features;
and Date recue/Date received 2024-02-14 determining the risk information of the current page according to the highest risk level.
106. The equipment of any one of claims 103 to 105, wherein the risk information includes respective probabilities of plural risk levels.
107. The equipment of claim 106, wherein calculating the risk information of the current link node according to the risk information of the current page and the risk information of the link node before the current link node on the link comprises:
with respect to each of the risk levels, calculating in accordance with a preset calculation formula to obtain probability of the risk level of the current link node according to the probability of the risk level of the current page and the probability of the risk level of previous link node;
wherein the preset calculation formula is:
Mi' = Ni * a + Mi * (1 ¨ a);
where Ni is probability of risk level i of the current page, Mi is probability of risk level i of the previous link node, Mi' is probability of risk level i of the current link node, a is a coefficient, and 0< a < 0.5.
108. The equipment of claim 107, wherein identifying whether the user is the risk user according to the risk information of all link nodes including the current link node on the link comprises:
with respect to each link node in all the link nodes, determining the risk level with highest probability from probabilities of the risk levels of the link node;
determining the risk level with the highest probability as ultimate risk level of the link node;
counting number of occurrences of the ultimate risk levels of all the link nodes;

Date re we/Date received 2024-02-14 determining the ultimate risk level whose number of occurrences satisfies a preset condition as the risk level of the user;
judging whether the risk level of the user is in a preset level range; and determining whether the user is a normal user or the risk user according to a judging result.
109. The equipment of claim 103, further comprising:
making identity authentication on the user or performing a corresponding restriction operation on the user.
110. The equipment of any one of claims 103 to 109, wherein the client end includes a shopping client end, a loan-borrowing client end.
111. The equipment of any one of claims 103 to 110, includes personal computers, notebook computers, smart mobile phones, panel computers, and portable wearable devices.
112. The equipment of any one of claims 103 to 111, wherein a data collecting tool is preconfigured on the client end, wherein the data collecting tool collects behavior data produced by the user on the current page of the client end, to upload the behavior data to a server.
113. The equipment of any one of claims 103 to 112, wherein an application (APP) client end, a software development kit (SDK) collecting tool is preconfigured at the APP
client end, and the behavior data produced when the user operates on a page of the APP
client end is collected via an SDK collecting interface.
114. The equipment of any one of claims 103 to 113, wherein a hypertext markup language (HTML) end or an applet end, a JavaScriptTm collecting tool id preconfigured, and user behavior data is collected from a webpage or the applet end through a JavaScript' collecting interface.

Date recue/Date received 2024-02-14
115. The equipment of any one of claims 103 to 114, wherein the user makes operations on the client end, including making a registration operation on a registration page, making a login operation on a login page, wherein corresponding behavior data is generated with respect to these operations, and wherein the behavior data includes clicking behavior data, including position coordinates and time durations of clicks, and sliding the behavior data, including sliding distance, acceleration, and angle.
116. The equipment of any one of claims 103 to 115, wherein the behavior data includes terminal equipment information, including equipment gyroscope data, equipment acceleration data, and screen temperature.
117. The equipment of any one of claims 103 to 116, wherein the server receives the behavior data produced by the user on the current page of the APP client end as collected by SDK, and/or receives the behavior data produced by the user on the current page of the HTML
end or the applet end as collected by JavaScriptTM.
118. The equipment of any one of claims 103 to 117, wherein the SDK collecting interface and the JavaScripem collecting interface support continuous collection, and realizes the collection of the user behavior data without interfering with business system.
119. The equipment of any one of claims 103 to 118, wherein the at least one behavior feature is obtained from the at least one behavior data.
120. The equipment of any one of claims 103 to 119, wherein the server performs statistical analysis includes plural pieces of the behavior data as coordinate position of a clicked page, the time duration of the clicked page, the sliding distance, the sliding acceleration, sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature, and
121. The equipment of any one of claims 103 to 120, wherein the server calculates to obtain plural behavior features including page clicking frequency, fluctuation in page clicking time durations, fluctuation in the sliding distances, interval of sliding accelerations, interval of the sliding angles, equipment motion information, screen temperature change information.

Date recue/Date received 2024-02-14
122. The equipment of any one of claims 103 to 121, wherein performing analytical comparison on the various behavior features with a corresponding preset normal range through the rule engine to obtain deviation degrees wherein the deviation degrees are degrees where the behavior features exceed the corresponding preset normal range, of the various behavior features, determines deviation degree interval ranges in which the deviation degrees of the various behavior features locate, and determines the risk levels of the various behavior features according to correspondence relations between preset deviation degree interval ranges and the risk levels.
123. The equipment of any one of claims 103 to 122, wherein the risk levels are classified as no risk, low risk, medium risk and high risk, wherein higher the deviation degree is, the higher is the risk level.
124. The equipment of any one of claims 103 to 123, wherein the risk information of the current page includes the risk levels, and the highest risk level is directly determined as the risk level of the current page.
125. The equipment of any one of claims 103 to 124, wherein each behavior of the user is taken as a node, and a series of nodes is chronologically linked together according to order of times user behavior occurred, wherein the link is formed in form of an event flow, wherein the link records a behavior track of current operation of the user.
126. The equipment of any one of claims 103 to 125, wherein plural links are formed for one user, wherein one link corresponds to the behavior track of one operation of the user, and different behavior tracks at each operation of the user, and orders of all link nodes possessed by each link is different.
127. The equipment of any one of claims 103 to 126, wherein plural different risk levels are classified in advance, including no risk, low risk, medium risk and high risk.
128. The equipment of any one of claims 103 to 127, wherein the risk level of the current link node is determined, there is a 100% probability for the current link node to have this risk level, and the probability for the current link node to have any other risk level is 0.
Date recue/Date received 2024-02-14
129. The equipment of any one of claims 103 to 128, wherein a is 0.2.
130. The equipment of any one of claims 103 to 129, wherein the risk level of the user is in the preset level range, it is determined the user is the risk user, and the user is marked with a corresponding risk level label;
131. The equipment of any one of claims 103 to 130, wherein the risk level of the user is not in the preset level range, the user is the normal user.
132. The equipment of any one of claims 103 to 131, wherein the preset level range is set as practically required.
133. The equipment of any one of claims 103 to 132, wherein the preset level range is set as medium risk and high risk.
134. The equipment of any one of claims 103 to 133, wherein the restriction operation includes disabling key functions on the page, wherein the key functions include checking, inputting and submitting.
135. The equipment of any one of claims 103 to 134, wherein the at least one behavior data includes coordinate position of the clicked page, the time duration of the clicked page, sliding distance, the sliding acceleration, the sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature.
136. A computer readable physical memory having stored thereon a computer program executed by a computer configured to:
obtain at least one behavior data produced by a user on a current page of a client end;
analyze the at least one behavior data;
obtain risk information of the current page;

Date recue/Date received 2024-02-14 judge whether a current link node with the current page corresponds is a head node of a link, wherein link nodes to which at least one page corresponds to chronologically form a link;
wherein yes, record the risk information of the current page as the risk information of the current link node;
wherein not, calculate the risk information of the current link node according to the risk information of the current page and the risk information of a link node before the current link node on the link; and identify whether the user is a risk user according to the risk information of all link nodes including the current link node on the link.
137. The memory of claim 136, wherein analyzing the at least one behavior data, and obtaining the risk information of the current page comprises:
obtaining at least one behavior feature from the at least one behavior data;
inputting various behavior features as obtained into a rule engine performed with rule evaluation;
obtaining risk levels of the various behavior features; and determining the risk information of the current page according to the risk levels of the various behavior features.
138. The memory of claim 137, wherein determining the risk information of the current page according to the risk levels of the various behavior features comprises:
determining highest risk level from the risk levels of the various behavior features;
and determining the risk information of the current page according to the highest risk level.

Date recue/Date received 2024-02-14
139. The memory of any one of claims 136 to 138, wherein the risk information includes respective probabilities of plural risk levels.
140. The memory of claim 139, wherein calculating the risk information of the current link node according to the risk information of the current page and the risk information of the link node before the current link node on the link comprises:
with respect to each of the risk levels, calculating in accordance with a preset calculation formula to obtain probability of the risk level of the current link node according to the probability of the risk level of the current page and the probability of the risk level of previous link node;
wherein the preset calculation formula is:
Mi' = Ni * a + Mi * (1 ¨ a);
where Ni is probability of risk level i of the current page, Mi is probability of risk level i of the previous link node, Mi' is probability of risk level i of the current link node, a is a coefficient, and 0< a < 0.5.
141. The memory of claim 140, wherein identifying whether the user is the risk user according to the risk information of all link nodes including the current link node on the link comprises:
with respect to each link node in all the link nodes, determining the risk level with highest probability from probabilities of the risk levels of the link node;
determining the risk level with the highest probability as ultimate risk level of the link node;
counting number of occurrences of the ultimate risk levels of all the link nodes;
determining the ultimate risk level whose number of occurrences satisfies a preset condition as the risk level of the user;
judging whether the risk level of the user is in a preset level range; and Date re we/Date received 2024-02-14 determining whether the user is a normal user or the risk user according to a judging result.
142. The memory of claim 136, further comprising:
making identity authentication on the user or performing a corresponding restriction operation on the user.
143. The memory of any one of claims 136 to 142, wherein the client end includes a shopping client end, a loan-borrowing client end.
144. The memory of any one of claims 136 to 143, wherein a data collecting tool is preconfigured on the client end, wherein the data collecting tool collects behavior data produced by the user on the current page of the client end, to upload the behavior data to a server.
145. The memory of any one of claims 136 to 144, wherein an application (APP) client end, a software development kit (SDK) collecting tool is preconfigured at the APP
client end, and the behavior data produced when the user operates on a page of the APP
client end is collected via an SDK collecting interface.
146. The memory of any one of claims 136 to 145, wherein a hypertext markup language (HTML) end or an applet end, a JavaScript. collecting tool id preconfigured, and user behavior data is collected from a webpage or the applet end through a JavaScriptim collecting interface.
147. The memory of any one of claims 136 to 146, wherein the user makes operations on the client end, including making a registration operation on a registration page, making a login operation on a login page, wherein corresponding behavior data is generated with respect to these operations, and wherein the behavior data includes clicking behavior data, including position coordinates and time durations of clicks, and sliding the behavior data, including sliding distance, acceleration, and angle.

Date recue/Date received 2024-02-14
148. The memory of any one of claims 136 to 147, wherein the behavior data includes terminal equipment information, including equipment gyroscope data, equipment acceleration data, and screen temperature.
149. The memory of any one of claims 136 to 148, wherein the server receives the behavior data produced by the user on the current page of the APP client end as collected by SDK, and/or receives the behavior data produced by the user on the current page of the HTML
end or the applet end as collected by JavaScriptTM.
150. The memory of any one of claims 136 to 149, wherein the SDK collecting interface and the JavaScriptrm collecting interface support continuous collection, and realizes the collection of the user behavior data without interfering with business system.
151. The memory of any one of claims 136 to 150, wherein the at least one behavior feature is obtained from the at least one behavior data.
152. The memory of any one of claims 136 to 151, wherein the server performs statistical analysis includes plural pieces of the behavior data as coordinate position of a clicked page, the time duration of the clicked page, the sliding distance, the sliding acceleration, sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature, and
153. The memory of any one of claims 136 to 152, wherein the server calculates to obtain plural behavior features including page clicking frequency, fluctuation in page clicking time durations, fluctuation in the sliding distances, interval of sliding accelerations, interval of the sliding angles, equipment motion information, screen temperature change information.
Date recue/Date received 2024-02-14
154. The memory of any one of claims 136 to 153, wherein performing analytical comparison on the various behavior features with a corresponding preset normal range through the rule engine to obtain deviation degrees wherein the deviation degrees are degrees where the behavior features exceed the corresponding preset normal range, of the various behavior features, determines deviation degree interval ranges in which the deviation degrees of the various behavior features locate, and determines the risk levels of the various behavior features according to correspondence relations between preset deviation degree interval ranges and the risk levels.
155. The memory of any one of claims 136 to 154, wherein the risk levels are classified as no risk, low risk, medium risk and high risk, wherein higher the deviation degree is, the higher is the risk level.
156. The memory of any one of claims 136 to 155, wherein the risk information of the current page includes the risk levels, and the highest risk level is directly determined as the risk level of the current page.
157. The memory of any one of claims 136 to 156, wherein each behavior of the user is taken as a node, and a series of nodes is chronologically linked together according to order of times user behavior occurred, wherein the link is formed in form of an event flow, wherein the link records a behavior track of current operation of the user.
158. The memory of any one of claims 136 to 157, wherein plural links are formed for one user, wherein one link corresponds to the behavior track of one operation of the user, and different behavior tracks at each operation of the user, and orders of all link nodes possessed by each link is different.
159. The memory of any one of claims 136 to 158, wherein plural different risk levels are classified in advance, including no risk, low risk, medium risk and high risk.
160. The memory of any one of claims 136 to 159, wherein the risk level of the current link node is determined, there is a 100% probability for the current link node to have this risk level, and the probability for the current link node to have any other risk level is 0.

Date recue/Date received 2024-02-14
161. The memory of any one of claims 136 to 160, wherein a is 0.2.
162. The memory of any one of claims 136 to 161, wherein the risk level of the user is in the preset level range, it is determined the user is the risk user, and the user is marked with a corresponding risk level label;
163. The memory of any one of claims 136 to 162, wherein the risk level of the user is not in the preset level range, the user is the normal user.
164. The memory of any one of claims 136 to 163, wherein the preset level range is set as practically required.
165. The memory of any one of claims 136 to 164, wherein the preset level range is set as medium risk and high risk.
166. The memory of any one of claims 136 to 165, wherein the restriction operation includes disabling key functions on the page, wherein the key functions include checking, inputting and submitting.
167. The memory of any one of claims 136 to 166, wherein the at least one behavior data includes coordinate position of the clicked page, the time duration of the clicked page, sliding distance, the sliding acceleration, the sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature.
168. A device comprising:
a judging module, configured to judge whether a current link node to which a current page corresponds is a head node of a link, wherein link nodes to which at least one page corresponds chronologically form a link-, a recording module, configured to record, when the judging module judges positive, risk information of the current page as the risk information of the current link node;

Date recue/Date received 2024-02-14 a calculating module, configured to calculate, when the judging module judges negative, the risk information of the current link node according to the risk information of the current page and the risk information of a link node previous to the current link node on the link; and an identifying module, configured to identify whether a user is a risk user according to the risk information of all link nodes including the current link node on the link.
169. The device of claim 168, further comprising:
an obtaining module, configured to obtain at least one behavior data produced by the user on the current page of a client end;
an analyzing module, configured to:
analyze the at least one behavior data; and obtain the risk information of the current page.
170. The device of claim 169, wherein the analyzing module is further configured to:
obtain at least one behavior feature from the at least one behavior data;
input various behavior features as obtained into a rule engine is performed with rule evaluation;
obtain risk levels of the various behavior features; and determine the risk information of the current page according to the risk levels of the various behavior features.
171. The device of claim 170, wherein the analyzing module is further configured to:
determine highest risk level from the risk levels of the various behavior features; and determine the risk information of the current page according to the highest risk level.

Date recue/Date received 2024-02-14
172. The device of any one of claims 169 to 171, wherein the risk information includes respective probabilities of plural risk levels.
173. The device of claim 172, wherein the calculating module is further configured to:
with respect to each of the risk levels, calculate in accordance with a preset calculation formula to obtain probability of the risk level of the current link node according to the probability of the risk level of the current page and the probability of the risk level of previous link node;
wherein the preset calculation formula is:
Iv1;' = N; * a + M; * (1 ¨ a);
where Ni is probability of risk level i of the current page, Mi is probability of risk level i of the previous link node, M1' is probability of risk level i of the current link node, a is a coefficient, and 0< a < O.S.
174. The device of claim 173, wherein the identifying module is further configured to:
with respect to each link node in all the link nodes, determine the risk level with highest probability from probabilities of the risk levels of the link node;
determine the risk level with the highest probability as ultimate risk level of the link node;
count number of occurrences of the ultimate risk levels of all the link nodes;
determine the ultimate risk level whose number of occurrences satisfies a preset condition as the risk level of the user;
judge whether the risk level of the user is in a preset level range; and determine whether the user is a normal user or the risk user according to a judging result.

Date recue/Date received 2024-02-14
175. The device of claim 169, further comprises a risk processing module configured to make identity authentication on the user or perform a corresponding restriction operation on the user.
176. The device of any one of claims 168 to 175, wherein the client end is installed in any electronic equipment having a processor and a memory.
177. The device of any one of claims 168 to 176, wherein the client end includes a shopping client end, a loan-borrowing client end.
178. The device of any one of claims 168 to 177, wherein the electronic equipment includes personal computers, notebook computers, smart mobile phones, panel computers, and portable wearable devices.
179. The device of any one of claims 168 to 178, wherein a data collecting tool is preconfigured on the client end, wherein the data collecting tool collects behavior data produced by the user on the current page of the client end, to upload the behavior data to a server.
180. The device of any one of claims 168 to 179, wherein an application (APP) client end, a software development kit (SDK) collecting tool is preconfigured at the APP
client end, and the behavior data produced when the user operates on a page of the APP
client end is collected via an SDK collecting interface.
181. The device of any one of claims 168 to 180, wherein a hypertext markup language (HTML) end or an applet end, a JavaScriptrm collecting tool id preconfigured, and user behavior data is collected from a webpage or the applet end through a JavaScriptrm collecting interface.
Date recue/Date received 2024-02-14
182. The device of any one of claims 168 to 181, wherein the user makes operations on the client end, including making a registration operation on a registration page, making a login operation on a login page, wherein corresponding behavior data is generated with respect to these operations, and wherein the behavior data includes clicking behavior data, including position coordinates and time durations of clicks, and sliding the behavior data, including sliding distance, acceleration, and angle.
183. The device of any one of claims 168 to 182, wherein the behavior data includes terminal equipment information, including equipment gyroscope data, equipment acceleration data, and screen temperature.
184. The device of any one of claims 168 to 183, wherein the server receives the behavior data produced by the user on the current page of the APP client end as collected by SDK, and/or receives the behavior data produced by the user on the current page of the HTML
end or the applet end as collected by JavaScriptTM.
185. The device of any one of claims 168 to 184, wherein the SDK collecting interface and the JavaScriptrm collecting interface support continuous collection, and realizes the collection of the user behavior data without interfering with business system.
186. The device of any one of claims 168 to 185, wherein the at least one behavior feature is obtained from the at least one behavior data.
187. The device of any one of claims 168 to 186, wherein the server performs statistical analysis includes plural pieces of the behavior data as coordinate position of a clicked page, the time duration of the clicked page, the sliding distance, the sliding acceleration, sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature, and
188. The device of any one of claims 168 to 187, wherein the server calculates to obtain plural behavior features including page clicking frequency, fluctuation in page clicking time durations, fluctuation in the sliding distances, interval of sliding accelerations, interval of the sliding angles, equipment motion information, screen temperature change information.

Date recue/Date received 2024-02-14
189. The device of any one of claims 168 to 188, wherein performing analytical comparison on the various behavior features with a corresponding preset normal range through the rule engine to obtain deviation degrees wherein the deviation degrees are degrees where the behavior features exceed the corresponding preset normal range, of the various behavior features, determines deviation degree interval ranges in which the deviation degrees of the various behavior features locate, and determines the risk levels of the various behavior features according to correspondence relations between preset deviation degree interval ranges and the risk levels.
190. The device of any one of claims 168 to 189, wherein the risk levels are classified as no risk, low risk, medium risk and high risk, wherein higher the deviation degree is, the higher is the risk level.
191. The device of any one of claims 168 to 190, wherein the risk information of the current page includes the risk levels, and the highest risk level is directly determined as the risk level of the current page.
192. The device of any one of claims 168 to 191, wherein each behavior of the user is taken as a node, and a series of nodes is chronologically linked together according to order of times user behavior occurred, wherein the link is formed in form of an event flow, wherein the link records a behavior track of current operation of the user.
193. The device of any one of claims 168 to 192, wherein plural links are formed for one user, wherein one link corresponds to the behavior track of one operation of the user, and different behavior tracks at each operation of the user, and orders of all link nodes possessed by each link is different.
194. The device of any one of claims 168 to 193, wherein plural different risk levels are classified in advance, including no risk, low risk, medium risk and high risk.
195. The device of any one of claims 168 to 194, wherein the risk level of the current link node is determined, there is a 100% probability for the current link node to have this risk level, and the probability for the current link node to have any other risk level is 0.

Date recue/Date received 2024-02-14
196. The device of any one of claims 168 to 195, wherein a is 0.2.
197. The device of any one of claims 168 to 196, wherein the risk level of the user is in the preset level range, it is determined the user is the risk user, and the user is marked with a corresponding risk level label;
198. The device of any one of claims 168 to 197, wherein the risk level of the user is not in the preset level range, the user is the normal user.
199. The device of any one of claims 168 to 198, wherein the preset level range is set as practically required.
200. The device of any one of claims 168 to 199, wherein the preset level range is set as medium risk and high risk.
201. The device of any one of claims 168 to 200, wherein the restriction operation includes disabling key functions on the page, wherein the key functions include checking, inputting and submitting.
202. The device of any one of claims 168 to 201, wherein the at least one behavior data includes coordinate position of the clicked page, the time duration of the clicked page, sliding distance, the sliding acceleration, the sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature.
203. A system comprising:
a judging module, configured to judge whether a current link node to which a current page corresponds is a head node of a link, wherein link nodes to which at least one page corresponds chronologically form a link-, a recording module, configured to record, when the judging module judges positive, risk information of the current page as the risk information of the current link node;

Date recue/Date received 2024-02-14 a calculating module, configured to calculate, when the judging module judges negative, the risk information of the current link node according to the risk information of the current page and the risk information of a link node previous to the current link node on the link; and an identifying module, configured to identify whether a user is a risk user according to the risk information of all link nodes including the current link node on the link.
204. The system of claim 203, further comprising:
an obtaining module, configured to obtain at least one behavior data produced by the user on the current page of a client end;
an analyzing module, configured to:
analyze the at least one behavior data; and obtain the risk information of the current page.
205. The system of claim 204, wherein the analyzing module is further configured to:
obtain at least one behavior feature from the at least one behavior data;
input various behavior features as obtained into a rule engine is performed with rule evaluation;
obtain risk levels of the various behavior features; and determine the risk information of the current page according to the risk levels of the various behavior features.
206. The system of claim 205, wherein the analyzing module is further configured to:
determine highest risk level from the risk levels of the various behavior features; and determine the risk information of the current page according to the highest risk level.

Date recue/Date received 2024-02-14
207. The system of any one of claims 204 to 206, wherein the risk information includes respective probabilities of plural risk levels.
208. The system of claim 207, wherein the calculating module is further configured to:
with respect to each of the risk levels, calculate in accordance with a preset calculation formula to obtain probability of the risk level of the current link node according to the probability of the risk level of the current page and the probability of the risk level of previous link node;
wherein the preset calculation formula is:
= N; * a + M; * (1 ¨ a);
where Ni is probability of risk level i of the current page, Mi is probability of risk level i of the previous link node, M1' is probability of risk level i of the current link node, a is a coefficient, and 0< a < 0.5.
209. The system of claim 208, wherein the identifying module is further configured to:
with respect to each link node in all the link nodes, determine the risk level with highest probability from probabilities of the risk levels of the link node;
determine the risk level with the highest probability as ultimate risk level of the link node;
count number of occurrences of the ultimate risk levels of all the link nodes;
determine the ultimate risk level whose number of occurrences satisfies a preset condition as the risk level of the user;
judge whether the risk level of the user is in a preset level range; and determine whether the user is a normal user or the risk user according to a judging result.
Date recue/Date received 2024-02-14
210. The system of claim 204, further comprises a risk processing module configured to make identity authentication on the user or perform a corresponding restriction operation on the user.
211. The system of any one of claims 203 to 210, wherein the client end is installed in any electronic equipment having a processor and a memory.
212. The system of any one of claims 203 to 211, wherein the client end includes a shopping client end, a loan-borrowing client end.
213. The system of any one of claims 203 to 212, wherein the electronic equipment includes personal computers, notebook computers, smart mobile phones, panel computers, and portable wearable devices.
214. The system of any one of claims 203 to 213, wherein a data collecting tool is preconfigured on the client end, wherein the data collecting tool collects behavior data produced by the user on the current page of the client end, to upload the behavior data to a server.
215. The system of any one of claims 203 to 214, wherein an application (APP) client end, a software development kit (SDK) collecting tool is preconfigured at the APP
client end, and the behavior data produced when the user operates on a page of the APP
client end is collected via an SDK collecting interface.
216. The system of any one of claims 203 to 215, wherein a hypertext markup language (HTML) end or an applet end, a JavaScriptrm collecting tool id preconfigured, and user behavior data is collected from a webpage or the applet end through a JavaScriptrm collecting interface.

Date recue/Date received 2024-02-14
217. The system of any one of claims 203 to 216, wherein the user makes operations on the client end, including making a registration operation on a registration page, making a login operation on a login page, wherein corresponding behavior data is generated with respect to these operations, and wherein the behavior data includes clicking behavior data, including position coordinates and time durations of clicks, and sliding the behavior data, including sliding distance, acceleration, and angle.
218. The system of any one of claims 203 to 217, wherein the behavior data includes terminal equipment information, including equipment gyroscope data, equipment acceleration data, and screen temperature.
219. The system of any one of claims 203 to 218, wherein the server receives the behavior data produced by the user on the current page of the APP client end as collected by SDK, and/or receives the behavior data produced by the user on the current page of the HTML
end or the applet end as collected by JavaScriptTM.
220. The system of any one of claims 203 to 219, wherein the SDK collecting interface and the JavaScripem collecting interface support continuous collection, and realizes the collection of the user behavior data without interfering with business system.
221. The system of any one of claims 203 to 220, wherein the at least one behavior feature is obtained from the at least one behavior data.
222. The system of any one of claims 203 to 221, wherein the server performs statistical analysis includes plural pieces of the behavior data as coordinate position of a clicked page, the time duration of the clicked page, the sliding distance, the sliding acceleration, sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature, and
223. The system of any one of claims 203 to 222, wherein the server calculates to obtain plural behavior features including page clicking frequency, fluctuation in page clicking time durations, fluctuation in the sliding distances, interval of sliding accelerations, interval of the sliding angles, equipment motion information, screen temperature change information.

Date recue/Date received 2024-02-14
224. The system of any one of claims 203 to 223, wherein performing analytical comparison on the various behavior features with a corresponding preset normal range through the rule engine to obtain deviation degrees wherein the deviation degrees are degrees where the behavior features exceed the corresponding preset normal range, of the various behavior features, determines deviation degree interval ranges in which the deviation degrees of the various behavior features locate, and determines the risk levels of the various behavior features according to correspondence relations between preset deviation degree interval ranges and the risk levels.
225. The system of any one of claims 203 to 224, wherein the risk levels are classified as no risk, low risk, medium risk and high risk, wherein higher the deviation degree is, the higher is the risk level.
226. The system of any one of claims 203 to 225, wherein the risk information of the current page includes the risk levels, and the highest risk level is directly determined as the risk level of the current page.
227. The system of any one of claims 203 to 226, wherein each behavior of the user is taken as a node, and a series of nodes is chronologically linked together according to order of times user behavior occurred, wherein the link is formed in form of an event flow, wherein the link records a behavior track of current operation of the user.
228. The system of any one of claims 203 to 227, wherein plural links are formed for one user, wherein one link corresponds to the behavior track of one operation of the user, and different behavior tracks at each operation of the user, and orders of all link nodes possessed by each link is different.
229. The system of any one of claims 203 to 228, wherein plural different risk levels are classified in advance, including no risk, low risk, medium risk and high risk.
230. The system of any one of claims 203 to 229, wherein the risk level of the current link node is determined, there is a 100% probability for the current link node to have this risk level, and the probability for the current link node to have any other risk level is 0.

Date recue/Date received 2024-02-14
231. The system of any one of claims 203 to 230, wherein a is 0.2.
232. The system of any one of claims 203 to 231, wherein the risk level of the user is in the preset level range, it is determined the user is the risk user, and the user is marked with a corresponding risk level label;
233. The system of any one of claims 203 to 232, wherein the risk level of the user is not in the preset level range, the user is the normal user.
234. The system of any one of claims 203 to 233, wherein the preset level range is set as practically required.
235. The system of any one of claims 203 to 234, wherein the preset level range is set as medium risk and high risk.
236. The system of any one of claims 203 to 235, wherein the restriction operation includes disabling key functions on the page, wherein the key functions include checking, inputting and submitting.
237. The system of any one of claims 203 to 236, wherein the at least one behavior data includes coordinate position of the clicked page, the time duration of the clicked page, sliding distance, the sliding acceleration, the sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature.
238. A method comprising:
judging whether a current link node with a current page corresponds is a head node of a link, wherein link nodes to which at least one page corresponds to chronologically form a link;
wherein yes, recording risk information of the current page as the risk information of the current link node;

Date recue/Date received 2024-02-14 wherein not, calculating the risk information of the current link node according to the risk information of the current page and the risk information of a link node before the current link node on the link; and identifying whether a user is a risk user according to the risk information of all link nodes including the current link node on the link.
239. The method of claim 238, further comprises:
obtaining at least one behavior data produced by the user on the current page of a client end;
analyzing the at least one behavior data; and obtaining the risk information of the current page.
240. The method of claim 239, wherein analyzing the at least one behavior data, and obtaining the risk information of the current page comprises:
obtaining at least one behavior feature from the at least one behavior data;
inputting various behavior features as obtained into a rule engine performed with rule evaluation;
obtaining risk levels of the various behavior features; and determining the risk information of the current page according to the risk levels of the various behavior features.
241. The method of claim 240, wherein determining the risk information of the current page according to the risk levels of the various behavior features comprises:
determining highest risk level from the risk levels of the various behavior features;
and determining the risk information of the current page according to the highest risk level.
Date recue/Date received 2024-02-14
242. The method of any one of claims 239 to 241, wherein the risk information includes respective probabilities of plural risk levels.
243. The method of claim 242, wherein calculating the risk information of the current link node according to the risk information of the current page and the risk information of the link node before the current link node on the link comprises:
with respect to each of the risk levels, calculating in accordance with a preset calculation formula to obtain probability of the risk level of the current link node according to the probability of the risk level of the current page and the probability of the risk level of previous link node;
wherein the preset calculation formula is:
Mi' = Ni * a + Mi * (1 ¨ a);
where Ni is probability of risk level i of the current page, Mi is probability of risk level i of the previous link node, Mi' is probability of risk level i of the current link node, a is a coefficient, and 0< a < 0.5.
244. The method of claim 243, wherein identifying whether the user is the risk user according to the risk information of all link nodes including the current link node on the link comprises:
with respect to each link node in all the link nodes, determining the risk level with highest probability from probabilities of the risk levels of the link node;
determining the risk level with the highest probability as ultimate risk level of the link node;
counting number of occurrences of the ultimate risk levels of all the link nodes;
determining the ultimate risk level whose number of occurrences satisfies a preset condition as the risk level of the user;
judging whether the risk level of the user is in a preset level range; and Date re we/Date received 2024-02-14 determining whether the user is a normal user or the risk user according to a judging result.
245. The method of claim 239, further comprising:
making identity authentication on the user or performing a corresponding restriction operation on the user.
246. The method of any one of claims 238 to 245, wherein the client end is installed in any electronic equipment having a processor and a memory.
247. The method of any one of claims 238 to 246, wherein the client end includes a shopping client end, a loan-borrowing client end.
248. The method of any one of claims 238 to 247, wherein the electronic equipment includes personal computers, notebook computers, smart mobile phones, panel computers, and portable wearable devices.
249. The method of any one of claims 238 to 248, wherein a data collecting tool is preconfigured on the client end, wherein the data collecting tool collects behavior data produced by the user on the current page of the client end, to upload the behavior data to a server.
250. The method of any one of claims 238 to 249, wherein an application (APP) client end, a software development kit (SDK) collecting tool is preconfigured at the APP
client end, and the behavior data produced when the user operates on a page of the APP
client end is collected via an SDK collecting interface.
251. The method of any one of claims 238 to 250, wherein a hypertext markup language (HTML) end or an applet end, a JavaScriptTm collecting tool id preconfigured, and user behavior data is collected from a webpage or the applet end through a JavaScriptrm collecting interface.

Date recue/Date received 2024-02-14
252. The method of any one of claims 238 to 251, wherein the user makes operations on the client end, including making a registration operation on a registration page, making a login operation on a login page, wherein corresponding behavior data is generated with respect to these operations, and wherein the behavior data includes clicking behavior data, including position coordinates and time durations of clicks, and sliding the behavior data, including sliding distance, acceleration, and angle.
253. The method of any one of claims 238 to 252, wherein the behavior data includes terminal equipment information, including equipment gyroscope data, equipment acceleration data, and screen temperature.
254. The method of any one of claims 238 to 253, wherein the server receives the behavior data produced by the user on the current page of the APP client end as collected by SDK, and/or receives the behavior data produced by the user on the current page of the HTML
end or the applet end as collected by JavaScriptTM.
255. The method of any one of claims 238 to 254, wherein the SDK collecting interface and the JavaScripem collecting interface support continuous collection, and realizes the collection of the user behavior data without interfering with business system.
256. The method of any one of claims 238 to 255, wherein the at least one behavior feature is obtained from the at least one behavior data.
257. The method of any one of claims 238 to 256, wherein the server performs statistical analysis includes plural pieces of the behavior data as coordinate position of a clicked page, the time duration of the clicked page, the sliding distance, the sliding acceleration, sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature, and
258. The method of any one of claims 238 to 257, wherein the server calculates to obtain plural behavior features including page clicking frequency, fluctuation in page clicking time durations, fluctuation in the sliding distances, interval of sliding accelerations, interval of the sliding angles, equipment motion information, screen temperature change information.

Date recue/Date received 2024-02-14
259. The method of any one of claims 238 to 258, wherein performing analytical comparison on the various behavior features with a corresponding preset normal range through the rule engine to obtain deviation degrees wherein the deviation degrees are degrees where the behavior features exceed the corresponding preset normal range, of the various behavior features, determines deviation degree interval ranges in which the deviation degrees of the various behavior features locate, and determines the risk levels of the various behavior features according to correspondence relations between preset deviation degree interval ranges and the risk levels.
260. The method of any one of claims 238 to 259, wherein the risk levels are classified as no risk, low risk, medium risk and high risk, wherein higher the deviation degree is, the higher is the risk level.
261. The method of any one of claims 238 to 260, wherein the risk information of the current page includes the risk levels, and the highest risk level is directly determined as the risk level of the current page.
262. The method of any one of claims 238 to 261, wherein each behavior of the user is taken as a node, and a series of nodes is chronologically linked together according to order of times user behavior occurred, wherein the link is formed in form of an event flow, wherein the link records a behavior track of current operation of the user.
263. The method of any one of claims 238 to 262, wherein plural links are formed for one user, wherein one link corresponds to the behavior track of one operation of the user, and different behavior tracks at each operation of the user, and orders of all link nodes possessed by each link is different.
264. The method of any one of claims 238 to 263, wherein plural different risk levels are classified in advance, including no risk, low risk, medium risk and high risk.
265. The method of any one of claims 238 to 264, wherein the risk level of the current link node is determined, there is a 100% probability for the current link node to have this risk level, and the probability for the current link node to have any other risk level is 0.

Date recue/Date received 2024-02-14
266. The method of any one of claims 238 to 265, wherein a is 0.2.
267. The method of any one of claims 238 to 266, wherein the risk level of the user is in the preset level range, it is determined the user is the risk user, and the user is marked with a corresponding risk level label;
268. The method of any one of claims 238 to 267, wherein the risk level of the user is not in the preset level range, the user is the normal user.
269. The method of any one of claims 238 to 268, wherein the preset level range is set as practically required.
270. The method of any one of claims 238 to 269, wherein the preset level range is set as medium risk and high risk.
271. The method of any one of claims 238 to 270, wherein the restriction operation includes disabling key functions on the page, wherein the key functions include checking, inputting and submitting.
272. The method of any one of claims 238 to 271, wherein the at least one behavior data includes coordinate position of the clicked page, the time duration of the clicked page, sliding distance, the sliding acceleration, the sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature.
273. A computer equipment comprising:
one or more processor(s);
a memory; and a program, stored in the memory, executed by the one or more processor(s) configured to:
judge whether a current link node with a current page corresponds is a head node of a link, wherein link nodes to which at least one page corresponds to chronologically form a link;
Date recue/Date received 2024-02-14 wherein yes, record risk information of the current page as the risk information of the current link node;
wherein not, calculate the risk information of the current link node according to the risk information of the current page and the risk information of a link node before the current link node on the link; and identify whether a user is a risk user according to the risk information of all link nodes including the current link node on the link.
274. The equipment of claim 273, further comprises:
obtaining at least one behavior data produced by the user on the current page of a client end;
analyzing the at least one behavior data; and obtaining the risk information of the current page.
275. The equipment of claim 274, wherein analyzing the at least one behavior data, and obtaining the risk information of the current page comprises:
obtaining at least one behavior feature from the at least one behavior data;
inputting various behavior features as obtained into a rule engine performed with rule evaluation;
obtaining risk levels of the various behavior features; and determining the risk information of the current page according to the risk levels of the various behavior features.
276. The equipment of claim 275, wherein determining the risk information of the current page according to the risk levels of the various behavior features comprises:
determining highest risk level from the risk levels of the various behavior features;
and Date recue/Date received 2024-02-14 determining the risk information of the current page according to the highest risk level.
277. The equipment of any one of claims 274 to 276, wherein the risk information includes respective probabilities of plural risk levels.
278. The equipment of claim 277, wherein calculating the risk information of the current link node according to the risk information of the current page and the risk information of the link node before the current link node on the link comprises:
with respect to each of the risk levels, calculating in accordance with a preset calculation formula to obtain probability of the risk level of the current link node according to the probability of the risk level of the current page and the probability of the risk level of previous link node;
wherein the preset calculation formula is:
Mi' = Ni * a + Mi * (1 ¨ a);
where Ni is probability of risk level i of the current page, Mi is probability of risk level i of the previous link node, Mi' is probability of risk level i of the current link node, a is a coefficient, and 0< a < 0.5.
279. The equipment of claim 278, wherein identifying whether the user is the risk user according to the risk information of all link nodes including the current link node on the link comprises:
with respect to each link node in all the link nodes, determining the risk level with highest probability from probabilities of the risk levels of the link node;
determining the risk level with the highest probability as ultimate risk level of the link node;
counting number of occurrences of the ultimate risk levels of all the link nodes;

Date re we/Date received 2024-02-14 determining the ultimate risk level whose number of occurrences satisfies a preset condition as the risk level of the user;
judging whether the risk level of the user is in a preset level range; and determining whether the user is a normal user or the risk user according to a judging result.
280. The equipment of claim 274, further comprising:
making identity authentication on the user or performing a corresponding restriction operation on the user.
281. The equipment of any one of claims 273 to 280, wherein the client end includes a shopping client end, a loan-borrowing client end.
282. The equipment of any one of claims 273 to 281, includes personal computers, notebook computers, smart mobile phones, panel computers, and portable wearable devices.
283. The equipment of any one of claims 273 to 282, wherein a data collecting tool is preconfigured on the client end, wherein the data collecting tool collects behavior data produced by the user on the current page of the client end, to upload the behavior data to a server.
284. The equipment of any one of claims 273 to 283, wherein an application (APP) client end, a software development kit (SDK) collecting tool is preconfigured at the APP
client end, and the behavior data produced when the user operates on a page of the APP
client end is collected via an SDK collecting interface.
285. The equipment of any one of claims 273 to 284, wherein a hypertext markup language (HTML) end or an applet end, a JavaScriptTm collecting tool id preconfigured, and user behavior data is collected from a webpage or the applet end through a JavaScript' collecting interface.

Date recue/Date received 2024-02-14
286. The equipment of any one of claims 273 to 285, wherein the user makes operations on the client end, including making a registration operation on a registration page, making a login operation on a login page, wherein corresponding behavior data is generated with respect to these operations, and wherein the behavior data includes clicking behavior data, including position coordinates and time durations of clicks, and sliding the behavior data, including sliding distance, acceleration, and angle.
287. The equipment of any one of claims 273 to 286, wherein the behavior data includes terminal equipment information, including equipment gyroscope data, equipment acceleration data, and screen temperature.
288. The equipment of any one of claims 273 to 287, wherein the server receives the behavior data produced by the user on the current page of the APP client end as collected by SDK, and/or receives the behavior data produced by the user on the current page of the HTML
end or the applet end as collected by JavaScriptTM.
289. The equipment of any one of claims 273 to 288, wherein the SDK collecting interface and the JavaScripem collecting interface support continuous collection, and realizes the collection of the user behavior data without interfering with business system.
290. The equipment of any one of claims 273 to 289, wherein the at least one behavior feature is obtained from the at least one behavior data.
291. The equipment of any one of claims 273 to 290, wherein the server performs statistical analysis includes plural pieces of the behavior data as coordinate position of a clicked page, the time duration of the clicked page, the sliding distance, the sliding acceleration, sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature, and
292. The equipment of any one of claims 273 to 291, wherein the server calculates to obtain plural behavior features including page clicking frequency, fluctuation in page clicking time durations, fluctuation in the sliding distances, interval of sliding accelerations, interval of the sliding angles, equipment motion information, screen temperature change information.

Date recue/Date received 2024-02-14
293. The equipment of any one of claims 273 to 292, wherein performing analytical comparison on the various behavior features with a corresponding preset normal range through the rule engine to obtain deviation degrees wherein the deviation degrees are degrees where the behavior features exceed the corresponding preset normal range, of the various behavior features, determines deviation degree interval ranges in which the deviation degrees of the various behavior features locate, and determines the risk levels of the various behavior features according to correspondence relations between preset deviation degree interval ranges and the risk levels.
294. The equipment of any one of claims 273 to 293, wherein the risk levels are classified as no risk, low risk, medium risk and high risk, wherein higher the deviation degree is, the higher is the risk level.
295. The equipment of any one of claims 273 to 294, wherein the risk information of the current page includes the risk levels, and the highest risk level is directly determined as the risk level of the current page.
296. The equipment of any one of claims 273 to 295, wherein each behavior of the user is taken as a node, and a series of nodes is chronologically linked together according to order of times user behavior occurred, wherein the link is formed in form of an event flow, wherein the link records a behavior track of current operation of the user.
297. The equipment of any one of claims 273 to 296, wherein plural links are formed for one user, wherein one link corresponds to the behavior track of one operation of the user, and different behavior tracks at each operation of the user, and orders of all link nodes possessed by each link is different.
298. The equipment of any one of claims 273 to 297, wherein plural different risk levels are classified in advance, including no risk, low risk, medium risk and high risk.
299. The equipment of any one of claims 273 to 298, wherein the risk level of the current link node is determined, there is a 100% probability for the current link node to have this risk level, and the probability for the current link node to have any other risk level is O.
Date recue/Date received 2024-02-14
300. The equipment of any one of claims 273 to 299, wherein a is 0.2.
301. The equipment of any one of claims 273 to 300, wherein the risk level of the user is in the preset level range, it is determined the user is the risk user, and the user is marked with a corresponding risk level label;
302. The equipment of any one of claims 273 to 301, wherein the risk level of the user is not in the preset level range, the user is the normal user.
303. The equipment of any one of claims 273 to 302, wherein the preset level range is set as practically required.
304. The equipment of any one of claims 273 to 303, wherein the preset level range is set as medium risk and high risk.
305. The equipment of any one of claims 273 to 304, wherein the restriction operation includes disabling key functions on the page, wherein the key functions include checking, inputting and submitting.
306. The equipment of any one of claims 273 to 305, wherein the at least one behavior data includes coordinate position of the clicked page, the time duration of the clicked page, sliding distance, the sliding acceleration, the sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature.
307. A computer readable physical memory having stored thereon a computer program executed by a computer configured to:
judge whether a current link node with a current page corresponds is a head node of a link, wherein link nodes to which at least one page corresponds to chronologically form a link;
wherein yes, record risk information of the current page as the risk information of the current link node;

Date recue/Date received 2024-02-14 wherein not, calculate the risk information of the current link node according to the risk information of the current page and the risk information of a link node before the current link node on the link; and identify whether a user is a risk user according to the risk information of all link nodes including the current link node on the link.
308. The memory of claim 307, further comprises:
obtaining at least one behavior data produced by the user on the current page of a client end;
analyzing the at least one behavior data; and obtaining the risk information of the current page.
309. The memory of claim 308, wherein analyzing the at least one behavior data, and obtaining the risk information of the current page comprises:
obtaining at least one behavior feature from the at least one behavior data;
inputting various behavior features as obtained into a rule engine performed with rule evaluation;
obtaining risk levels of the various behavior features; and determining the risk information of the current page according to the risk levels of the various behavior features.
310. The memory of claim 309, wherein determining the risk information of the current page according to the risk levels of the various behavior features comprises:
determining highest risk level from the risk levels of the various behavior features;
and determining the risk information of the current page according to the highest risk level.

Date recue/Date received 2024-02-14
311. The memory of any one of claims 308 to 310, wherein the risk information includes respective probabilities of plural risk levels.
312. The memory of claim 311, wherein calculating the risk information of the current link node according to the risk information of the current page and the risk information of the link node before the current link node on the link comprises:
with respect to each of the risk levels, calculating in accordance with a preset calculation formula to obtain probability of the risk level of the current link node according to the probability of the risk level of the current page and the probability of the risk level of previous link node;
wherein the preset calculation formula is:
Mi' = Ni * a + Mi * (1 ¨ a);
where Ni is probability of risk level i of the current page, Mi is probability of risk level i of the previous link node, Mi' is probability of risk level i of the current link node, a is a coefficient, and 0< a < 0.5.
313. The memory of claim 312, wherein identifying whether the user is the risk user according to the risk information of all link nodes including the current link node on the link comprises:
with respect to each link node in all the link nodes, determining the risk level with highest probability from probabilities of the risk levels of the link node;
determining the risk level with the highest probability as ultimate risk level of the link node;
counting number of occurrences of the ultimate risk levels of all the link nodes;
determining the ultimate risk level whose number of occurrences satisfies a preset condition as the risk level of the user;
judging whether the risk level of the user is in a preset level range; and Date re we/Date received 2024-02-14 determining whether the user is a normal user or the risk user according to a judging result.
314. The memory of claim 308, further comprising:
making identity authentication on the user or performing a corresponding restriction operation on the user.
315. The memory of any one of claims 307 to 314, wherein the client end includes a shopping client end, a loan-borrowing client end.
316. The memory of any one of claims 307 to 315, wherein a data collecting tool is preconfigured on the client end, wherein the data collecting tool collects behavior data produced by the user on the current page of the client end, to upload the behavior data to a server.
317. The memory of any one of claims 307 to 316, wherein an application (APP) client end, a software development kit (SDK) collecting tool is preconfigured at the APP
client end, and the behavior data produced when the user operates on a page of the APP
client end is collected via an SDK collecting interface.
318. The memory of any one of claims 307 to 317, wherein a hypertext markup language (HTML) end or an applet end, a JavaScript. collecting tool id preconfigured, and user behavior data is collected from a webpage or the applet end through a JavaScriptim collecting interface.
319. The memory of any one of claims 307 to 318, wherein the user makes operations on the client end, including making a registration operation on a registration page, making a login operation on a login page, wherein corresponding behavior data is generated with respect to these operations, and wherein the behavior data includes clicking behavior data, including position coordinates and time durations of clicks, and sliding the behavior data, including sliding distance, acceleration, and angle.

Date recue/Date received 2024-02-14
320. The memory of any one of claims 307 to 319, wherein the behavior data includes terminal equipment information, including equipment gyroscope data, equipment acceleration data, and screen temperature.
321. The memory of any one of claims 307 to 320, wherein the server receives the behavior data produced by the user on the current page of the APP client end as collected by SDK, and/or receives the behavior data produced by the user on the current page of the HTML
end or the applet end as collected by JavaScriptTM.
322. The memory of any one of claims 307 to 321, wherein the SDK collecting interface and the JavaScriptrm collecting interface support continuous collection, and realizes the collection of the user behavior data without interfering with business system.
323. The memory of any one of claims 307 to 322, wherein the at least one behavior feature is obtained from the at least one behavior data.
324. The memory of any one of claims 307 to 323, wherein the server performs statistical analysis includes plural pieces of the behavior data as coordinate position of a clicked page, the time duration of the clicked page, the sliding distance, the sliding acceleration, sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature, and
325. The memory of any one of claims 307 to 324, wherein the server calculates to obtain plural behavior features including page clicking frequency, fluctuation in page clicking time durations, fluctuation in the sliding distances, interval of sliding accelerations, interval of the sliding angles, equipment motion information, screen temperature change information.
Date recue/Date received 2024-02-14
326. The memory of any one of claims 307 to 325, wherein performing analytical comparison on the various behavior features with a corresponding preset normal range through the rule engine to obtain deviation degrees wherein the deviation degrees are degrees where the behavior features exceed the corresponding preset normal range, of the various behavior features, determines deviation degree interval ranges in which the deviation degrees of the various behavior features locate, and determines the risk levels of the various behavior features according to correspondence relations between preset deviation degree interval ranges and the risk levels.
327. The memory of any one of claims 307 to 326, wherein the risk levels are classified as no risk, low risk, medium risk and high risk, wherein higher the deviation degree is, the higher is the risk level.
328. The memory of any one of claims 307 to 327, wherein the risk information of the current page includes the risk levels, and the highest risk level is directly determined as the risk level of the current page.
329. The memory of any one of claims 307 to 328, wherein each behavior of the user is taken as a node, and a series of nodes is chronologically linked together according to order of times user behavior occurred, wherein the link is formed in form of an event flow, wherein the link records a behavior track of current operation of the user.
330. The memory of any one of claims 307 to 329, wherein plural links are formed for one user, wherein one link corresponds to the behavior track of one operation of the user, and different behavior tracks at each operation of the user, and orders of all link nodes possessed by each link is different.
331. The memory of any one of claims 307 to 330, wherein plural different risk levels are classified in advance, including no risk, low risk, medium risk and high risk.
332. The memory of any one of claims 307 to 331, wherein the risk level of the current link node is determined, there is a 100% probability for the current link node to have this risk level, and the probability for the current link node to have any other risk level is 0.

Date recue/Date received 2024-02-14
333. The memory of any one of claims 307 to 332, wherein a is 0.2.
334. The memory of any one of claims 307 to 333, wherein the risk level of the user is in the preset level range, it is determined the user is the risk user, and the user is marked with a corresponding risk level label;
335. The memory of any one of claims 307 to 334, wherein the risk level of the user is not in the preset level range, the user is the normal user.
336. The memory of any one of claims 307 to 335, wherein the preset level range is set as practically required.
337. The memory of any one of claims 307 to 336, wherein the preset level range is set as medium risk and high risk.
338. The memory of any one of claims 307 to 337, wherein the restriction operation includes disabling key functions on the page, wherein the key functions include checking, inputting and submitting.
339. The memory of any one of claims 307 to 338, wherein the at least one behavior data includes coordinate position of the clicked page, the time duration of the clicked page, sliding distance, the sliding acceleration, the sliding angle, the equipment gyroscope data, the equipment acceleration data, and the screen temperature.

Date recue/Date received 2024-02-14
CA3152858A 2019-08-29 2020-06-24 Link-based risk user identification method and device Active CA3152858C (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201910808683.6 2019-08-29
CN201910808683.6A CN110659807B (en) 2019-08-29 2019-08-29 Risk user identification method and device based on link
PCT/CN2020/097855 WO2021036455A1 (en) 2019-08-29 2020-06-24 Link-based risk user identification method and device

Publications (2)

Publication Number Publication Date
CA3152858A1 CA3152858A1 (en) 2021-03-04
CA3152858C true CA3152858C (en) 2024-05-21

Family

ID=69036777

Family Applications (1)

Application Number Title Priority Date Filing Date
CA3152858A Active CA3152858C (en) 2019-08-29 2020-06-24 Link-based risk user identification method and device

Country Status (3)

Country Link
CN (1) CN110659807B (en)
CA (1) CA3152858C (en)
WO (1) WO2021036455A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110659807B (en) * 2019-08-29 2022-08-26 苏宁云计算有限公司 Risk user identification method and device based on link
CN113434381B (en) * 2021-07-09 2024-03-22 青岛海尔科技有限公司 Method, device and medium for detecting performance of Internet of things platform
CN115829192B (en) * 2023-02-23 2023-04-21 中建安装集团有限公司 Digital management system and method for realizing engineering information security supervision
CN117635276B (en) * 2023-12-21 2024-07-19 爱来(广州)信息网络有限公司 Order processing method, device and system and computer readable storage medium

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104009964B (en) * 2013-02-26 2019-03-26 腾讯科技(深圳)有限公司 Network linking detection method and system
CN103605738B (en) * 2013-11-19 2017-03-15 北京国双科技有限公司 Web page access data statistical method and device
CN107040395B (en) * 2016-02-03 2019-11-15 腾讯科技(深圳)有限公司 A kind of processing method of warning information, device and system
CN107403251A (en) * 2016-05-20 2017-11-28 阿里巴巴集团控股有限公司 Risk checking method and device
CN107622072B (en) * 2016-07-15 2021-08-17 阿里巴巴集团控股有限公司 Identification method for webpage operation behavior, server and terminal
CN107645533A (en) * 2016-07-22 2018-01-30 阿里巴巴集团控股有限公司 Data processing method, data transmission method for uplink, Risk Identification Method and equipment
CN107958341A (en) * 2017-12-12 2018-04-24 阿里巴巴集团控股有限公司 Risk Identification Method and device and electronic equipment
CN108510280B (en) * 2018-03-23 2020-07-31 上海氪信信息技术有限公司 Financial fraud behavior prediction method based on mobile equipment behavior data
CN108550052A (en) * 2018-04-03 2018-09-18 杭州呯嘭智能技术有限公司 Brush list detection method and system based on user behavior data feature
CN109165514B (en) * 2018-10-16 2019-08-09 北京芯盾时代科技有限公司 A kind of risk checking method
CN109471782A (en) * 2018-11-20 2019-03-15 北京芯盾时代科技有限公司 A kind of risk detecting system and risk checking method
CN109933503A (en) * 2019-02-13 2019-06-25 平安科技(深圳)有限公司 User's operation risk factor determines method, apparatus and storage medium, server
CN110659807B (en) * 2019-08-29 2022-08-26 苏宁云计算有限公司 Risk user identification method and device based on link

Also Published As

Publication number Publication date
WO2021036455A1 (en) 2021-03-04
CA3152858A1 (en) 2021-03-04
CN110659807B (en) 2022-08-26
CN110659807A (en) 2020-01-07

Similar Documents

Publication Publication Date Title
CA3152858C (en) Link-based risk user identification method and device
CA2997583C (en) Systems and methods for detecting and preventing spoofing
US20170085587A1 (en) Device, method, and system of generating fraud-alerts for cyber-attacks
US9552470B2 (en) Method, device, and system of generating fraud-alerts for cyber-attacks
US20170118241A1 (en) Multi-Layer Computer Security Countermeasures
Yang et al. A comparative measurement study of web tracking on mobile and desktop environments
JP5454363B2 (en) Analysis program, analysis apparatus, and analysis method
US20180144283A1 (en) Identifying workers in a crowdsourcing or microtasking platform who perform low-quality work and/or are really automated bots
US11356472B1 (en) Systems and methods for using machine learning for geographic analysis of access attempts
US8756189B2 (en) Rule generation for event processing system
CN112003834B (en) Abnormal behavior detection method and device
CN117501658A (en) Evaluation of likelihood of security event alarms
CN112347457A (en) Abnormal account detection method and device, computer equipment and storage medium
Das et al. Smartphone fingerprinting via motion sensors: Analyzing feasibility at large-scale and studying real usage patterns
CN113269378A (en) Network traffic processing method and device, electronic equipment and readable storage medium
US11755700B2 (en) Method for classifying user action sequence
CN112003833A (en) Abnormal behavior detection method and device
Mihailescu et al. Unveiling Threats: Leveraging User Behavior Analysis for Enhanced Cybersecurity
Aberathne et al. Smart mobile bot detection through behavioral analysis
KR20090093143A (en) Method and Apparatus of cyber criminal activity analysis using markov chain and Recording medium using it
Wright Software Vulnerabilities--lifespans, Metrics, and Case Study
CN110298006A (en) For detecting the method and apparatus for usurping the website of link
Matsuda et al. A trade-off between estimation accuracy of worker quality and task complexity
US20240232775A9 (en) Facilitating experience-based modifications to interface elements in online environments by evaluating online interactions
Shuang et al. Dumviri: Detecting Trackers and Mixed Trackers with a Breakage Detector

Legal Events

Date Code Title Description
EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916

EEER Examination request

Effective date: 20220916