CN106355405A

CN106355405A - Method and device for identifying risks and system for preventing and controlling same

Info

Publication number: CN106355405A
Application number: CN201510411704.2A
Authority: CN
Inventors: 吴东杏; 何慧梅; 王峰伟; 何帝君; 付敏
Original assignee: Alibaba Group Holding Ltd
Current assignee: Alibaba Group Holding Ltd
Priority date: 2015-07-14
Filing date: 2015-07-14
Publication date: 2017-01-25

Abstract

The invention discloses a method and a device for identifying risks in network environments and a system for preventing and controlling the risks. The method includes carrying out cluster analysis on equipment nodes of medium networks in the network environments; dividing the medium networks into a plurality of groups; preventing risk groups in a focused manner when the groups are identified as the risk groups. The device comprises a medium network construction module, a cluster group division module and a risk group judgment module. The method, the device and the system have the advantages that unauthenticated equipment can be identified by the aid of the method, and the normal groups and the risk groups can be differentiated from one another in the complicated networks; cluster analysis can be carried out on the equipment nodes of the medium networks to divide the medium networks to obtain the groups, and accordingly the risk groups can be identified; the risk groups in the medium networks can be effectively identified by the device of the system, accordingly, users and the equipment can be prevented and controlled for the risk groups in the focused manner, and the method, the device and the system are beneficial to constructing the safe network environments.

Description

Risk Identification Method, device and risk prevention system system

Technical field

The application is related to network security technology, more particularly, to a kind of Risk Identification Method of Network Environment, dress Put and risk prevention system system.

Background technology

Flourishing with mobile interchange and ecommerce, online payment and mobile payment have had become as realization The main channel of funds transaction.But the system vulnerability due to the weak safety consciousness of user and payment platform, the criminal of allowing Guilty molecule has opportunity.Therefore, how in the Capital Flow of more than one hundred million, more efficiently prevention and control supervision has wind The transaction of danger, to stop transaction before normal users suffer the loss such as fund, prestige, has become as finance at present The matter of utmost importance of mechanism.

At present, network trading platform generally identifies transaction risk by monitoring emphasis user or emphasis equipment.Example As an equipment is associated with a lot of trading accounts and may be considered risk equipment, if certain account attempts to set with this Account on standby or this equipment is traded, and system can be determined that transaction risk, and interception thus can be taken to hand over Easily or the mode such as freezing data is to carry out prevention and control, user is thus avoided to sustain a loss.

However, whether monitoring emphasis user or emphasis equipment, it is both for unique user or equipment to identify Risk, network crime person identification to potential gathering contact is helpless, thus leads to network trading wind The effectiveness of dangerous prevention and control is had a greatly reduced quality.Additionally, individually identification risk subscribers or equipment certainly will increase network trading The computational load of platform, for more than one hundred million easily users in network trading environment and equipment, often because exceeding Computing capacity limit and cannot effectively carry out risk identification.Under network environment under other application scene There is also similar problem.In view of prior art exist many not enough it is necessary to propose one kind more effectively Network risks identification and prevention and control scheme.

Content of the invention

The defect existing for prior art, the purpose of the application is to provide a kind of risk of Network Environment to know Other method, device and risk prevention system system, to efficiently identify the risk group in magnanimity transaction data and to carry out Prevention and control, thus build safer network environment.

For solving above technical problem, the application provides a kind of Risk Identification Method, comprising:

Extract network, the user of this media network and the node that equipment is figure of description media network topological structure, User-equipment incidence relation is the side of figure；

By carrying out cluster analyses to the device node of media network, media network is divided into describe tool with subgraph There are some groups of corresponding cluster feature user-equipment incidence relation；

According to default risk assessment rule, judge whether each group is risk group.

More preferably, described regular according to default risk assessment, judge whether each group is in risk group step, Association user number according to equipment in group and/or occurred the equipment ratio of case to judge this group whether as wind Dangerous group.

More preferably, described network, the user of this media network and the equipment extracting description media network topological structure For the node of figure, after user-equipment incidence relation is the side step of figure, described by the equipment to media network Node carries out cluster analyses, media network is divided into describe with subgraph and has corresponding cluster feature user-equipment Before some groups step of incidence relation, comprising:

Non-authentication equipment in identifying medium network；

According to historical trading situation, confirm the non-authentication equipment needing to reject；

The non-authentication equipment needing to reject is filtered from media network.

More preferably, in the non-authentication device step in described identifying medium network, comprising:

Acquisition equipment association user number and equipment cluster coefficients；

According to equipment association user number and equipment cluster coefficients, carry out the non-authentication equipment in identifying medium network.

More preferably, in described acquisition equipment association user number and equipment cluster coefficients step, based on Distributed Calculation system The bsp framework message passing mechanism computing device association user number of system and equipment cluster coefficients.

More preferably, the described bsp framework message passing mechanism computing device association user based on distributed computing system In number and equipment cluster coefficients step, comprising:

User node in media network is wherein labeled as start node, to trigger by initialization media network Bsp message passing mechanism；

Each user node sends message, including the user node information sending message and the association of this user node Miscellaneous equipment information；

When device node receives message, calculate equipment association user number and the equipment cluster coefficients of this device node, Otherwise terminate the process of this device node；

Outut device node correlation calculation result information, including equipment association user number and equipment cluster coefficients.

More preferably, according to equipment association user number and equipment cluster coefficients, the non-authentication come in identifying medium network sets For afterwards, comprising:

The acquisition equipment association corresponding active regions of ip associate mobile phone count with equipment；

The bonding apparatus association corresponding active regions of ip associate mobile phone count with equipment, carry out further identifying medium network In non-authentication equipment.

More preferably, described according to historical trading situation, confirm to need in the non-authentication device step rejected, comprising:

Judge whether case occurs in the transaction of this non-authentication device history；

If so, this non-authentication equipment is confirmed as the non-authentication equipment needing to reject；

If it is not, this non-authentication equipment is confirmed as the non-authentication equipment that need not reject.

More preferably, described acquisition to describe the media network step of user in network trading-equipment incidence relation to scheme In, user is identified with user account, equipment is identified with EIC equipment identification code.

Meanwhile, the application also provides a kind of risk identification device, comprising:

Media network builds module, extracts the network of description media network topological structure, the user of this media network The node being figure with equipment, user-equipment incidence relation is the side of figure；

Cluster group division module, by carrying out cluster analyses to the device node of media network, media network is drawn It is divided into describing some groups with corresponding cluster feature user-equipment incidence relation with subgraph；

Risk group determination module, according to default risk assessment rule, judges whether each group is risk group.

More preferably, described risk group determination module, the association user number according to equipment in group and/or occurred The equipment ratio of case is judging this group whether as risk group.

More preferably, including non-authentication equipment processing module, described non-authentication equipment processing module has:

Non-authentication equipment identifying unit, for the non-authentication equipment in identifying medium network, and according to historical trading feelings Condition, confirms the non-authentication equipment needing to reject；

Non-authentication equipment filter element, for being filtered the non-authentication equipment needing to reject from media network；

Cluster group division unit, for carrying out cluster point to the device node filtering non-authentication equipment media network Analysis, has been filtered non-authentication equipment media network and has been divided into be described with subgraph and had corresponding cluster feature user-set Some groups of standby incidence relation.

More preferably, described non-authentication equipment identifying unit obtains equipment association user number and equipment cluster coefficients, to know Non-authentication equipment in other media network.

More preferably, described non-authentication equipment identifying unit distributed computing system, it passes through bsp framework message transmission Mechanism computing device association user number and equipment cluster coefficients.

More preferably, described distributed computing system has:

User node in media network, for initializing media network, is wherein labeled as initially by main control server Node, so that triggering bsp message passing mechanism；

Some workspace servers, send message for each user node, including the user node letter sending message Breath and the miscellaneous equipment information of this user node association；And, when device node receives message, calculate this and set The equipment association user number of slave node and equipment cluster coefficients, otherwise terminate the process of this device node；And, it is defeated Go out device node correlation calculation result information to described main control server, correlation calculation result information includes equipment and closes Combination amount and equipment cluster coefficients.

More preferably, described non-authentication equipment identifying unit obtains the equipment association corresponding active regions of ip and associates with equipment Mobile phone count, carrys out the non-authentication equipment in further identifying medium network.

More preferably, described non-authentication equipment identifying unit judges in the transaction of this non-authentication device history whether generation case Part；If so, this non-authentication equipment is confirmed as the non-authentication equipment needing to reject；If it is not, by this non-authentication equipment Confirm as the non-authentication equipment that need not reject.

On this basis, the application correspondingly provides a kind of risk prevention system system of network trading, has the above Risk identification device, risk processing meanss and vulnerability database, wherein:

Described risk identification device, for the risk group in identifying medium network, the mutually application in this risk group The information of family and equipment can be pushed to described risk processing meanss；

Described risk processing meanss, for the user in monitor in real time risk group and equipment, attempt in normal users When being traded with the user in this risk group and equipment, intercept and freeze respective transaction data；

Vulnerability database, for depositing the respective transaction data that described risk processing meanss intercept and freeze, with toilet State risk processing meanss to be verified and provide historical transactional information to described risk identification device.

More preferably, including risk learning device, according to the risk setup parameter receiving and historical transactional information, formed Risk assessment rule new accordingly.

Compared with prior art, the application represents the pass of user and equipment in network environment by constructing media network Connection relation, and using the cluster feature of localized network, user and equipment group are divided, therefrom identify latent In user and the equipment of risk, and excessive risk user and device populations are taken precautions against and is monitored.Due to the network crime Person gets used to shared device, the Risk Identification Method of the therefore this cluster analysis based on equipment, can be easier Identify the group of case risk occurred frequently, with equipment, key monitoring is carried out to the user in this group.Obviously, weight Point identification risk group simultaneously carries out prevention and control, for the risk of single monitoring user or equipment, greatly improves Risk identification rate, therefore ensures that the effectiveness of risk prevention system, ultimately helps to build safer network environment.

Especially, the adverse effect brought for non-authentication equipment, the application adopts bsp framework message passing mechanism Calculate the cluster feature based on equipment, utilize the features such as ip, the cell-phone number of equipment association to reject non-authentication equipment simultaneously The invalid connection bringing.Non-authentication equipment is thus avoided super large group to occur and cannot be distinguished by out normal group when adding With the problem of risk group, thus ensureing user and equipment can be carried out effectively in various complicated media networks Group division, finally reliably identify account and the equipment of potential risk, with reach build safer network The purpose of environment.

Brief description

By reading the detailed description of hereafter preferred implementation, various other advantages and benefit are general for this area Logical technical staff will be clear from understanding.Accompanying drawing is only used for illustrating the purpose of preferred implementation, and is not considered as Restriction to the application.And in whole accompanying drawing, represent identical part with identical reference markss.Attached In figure:

The flow chart that Fig. 1 illustrates one embodiment Risk Identification Method of the application；

Fig. 2 illustrates to form the example of media network；

Fig. 3 illustrates to carry out the example of media network group division；

The flow chart that Fig. 4 illustrates the Risk Identification Method of another embodiment of the application；

Fig. 5 illustrates the flow chart using bsp message passing mechanism computing device cluster coefficients；

Fig. 6 illustrates the example of message transmission in equipment cluster coefficients calculating process；

Fig. 7 illustrates to distinguish the example of normal device and non-authentication equipment according to equipment cluster coefficients；

Fig. 8 illustrates non-authentication equipment and normal device provinces and cities distributed areas comparison example；

Fig. 9 illustrates the block diagram of the risk identification device of the embodiment of the present application；

Figure 10 illustrates the block diagram of non-authentication equipment processing module；

Figure 11 illustrates the distributed computing system Organization Chart of computing device cluster coefficients；

Figure 12 illustrates the block diagram of the risk prevention system system of the embodiment of the present application.

Specific embodiment

Elaborate a lot of details in order to fully understand the application in the following description.But the application can Much to implement different from alternate manner described here, those skilled in the art can be without prejudice in the application Similar popularization is done, therefore the application is not limited by following public specific embodiment in the case of culvert.

For the ease of understanding the technical scheme referring in the embodiment of the present application, first some to be related in the application below Term carries out brief description.

Medium: user using multiple functional multimedia equipment, including desktop computer, notebook, puts down in the Internet Plate computer, mobile phone etc..

Mac address (medium access control, physical address): for representing each equipment on the Internet Identifier, current standard is to be represented using hexadecimal number, totally six bytes.

Imei (international mobile equipment identity, international mobile equipment identification number): mobile phone sets Standby unique identification number, is made up of 15 bit digital, can be used for recognizing different mobile phones.

Device code: or claim equipment mark code, it is the general designation of mac address and imei etc., the device code of a standard A corresponding equipment, the identification code of each normal device can be through the certification of official or third party authoritative institution.

Non-authentication equipment: the equipment of device identification code authentication cannot be passed through, mountain vallage equipment is exactly that the non-of a quasi-representative is recognized Card equipment.Mountain vallage equipment is often referred to that suspicion is pirate, function that is forging or imitate famous brand name equipment and pattern produce Equipment.The imei code of mountain vallage equipment and mac address are typically to forge, and device code may correspond to thousands of Platform equipment, thus also cannot pass through certification.

Media network: a kind of network topology structure based on figure is describing associating of user account and operation equipment System.In media network, identify a user with the user account in network, identify one with equipment mark code Individual equipment.In the application, user and equipment may be expressed as summit (abbreviation user node and the equipment section of figure Point), the incidence relation of user and equipment is the side of figure, and whole figure can be expressed as a matrix.Certainly also can use Alternate manner, to describe the network of media network, repeats no more.

Bsp (bulk synchronous parallel) model: the message transmission batch processing centered on scheming summit parallel Engine, is mainly based upon the software kit that the parallel figure realized is processed.Bsp is by Harvard University viliant and Oxford The parallel computational model that university bill mccoll proposes.One bsp model is by the processor that is mutually related in a large number (processor) formed, between them, defined a communication network.Each processor has quickly locally interior Deposit and different computational threads.One time bsp calculating process is made up of a series of overall situation superledges, and superledge is exactly in calculating An iteration.Wherein, each superledge mainly includes three assemblies: concurrent (concurrent computation), The processor that each participates in has the calculating task of itself, and they only read the value being stored in local memory, wherein this A little calculating are all asynchronous and independent；Communication (communication), the interchangeable data of processor faciation, its friendship The form changed is to initiate to push (put) by a side and obtain (get) operation；Fence is synchronous (barrier synchronisation), When a processor runs into roadblock, their calculation procedure, each of which can be completed when other all processors Subsynchronous be also a superledge complete and next superledge beginning.

Bsp message passing mechanism: the communication between summit is directly to pass through to send message, and every message all contains Message value and the title of representative points, wherein: the data type of message value is to be passed through the masterplate of vertex class by user Parameter is specifying；In a superledge, a summit can send arbitrarily many message；In this iterator not Ensure the order of message, but can ensure that message is bound to be transmitted and will not repeat；Message can be passed to and appoint Summit known to meaning identifier.

Present invention applicant is by carrying out data analysiss and data to the mass data in the transaction of certain electronic payment platform Excavate it was found that following objective fact, and propose effective solution accordingly:

1st, pass through to observe this electronic payment platform accounts all using the facility information in funds transaction business, send out The behavior of existing network network offender generally has a fixing pattern, especially the facility environment in network trading can have poly- Collection feature.The trading environment independently analyzing each transaction may be lost and potentially assembled between network crime person Contact, and excavating the contact between transaction using graph structure is a kind of very effective method.In fact, one The online funds transaction of pen would generally be related to the facility information that both parties and both sides use, such as mac, imei, Ip, cell-phone number etc..And user would generally be traded in multiple equipment, note interacted based on user and equipment Record just can set up media network.And be based on media network and just can carry out group division to user and equipment, by This is monitored to the account of case occurred frequently and equipment group to contain the behavior of offender.

It is analyzed finding, major part is just to this electronic payment platform account number of equipment association in media network The account of standing standby association is fewer, and that is, user generally will not be with other people's shared devices for privacy consideration Or using this electronic payment platform business on other people equipment.And network crime person then can steal other users Account so that network crime person use equipment can associate with substantial amounts of account.When an equipment associates Account number more when, this equipment is very possibly problematic greatly, probability and the risk system of case Number can be higher than miscellaneous equipment.The number of users therefore being connected according to equipment, can distinguish the exception of topical vehicle network Degree, monitoring system just only need to pay close attention to the trading activity in abnormal network.

As such, it is possible to excavate height by building the relational network between this electronic payment platform account and media device The risk group of danger, is thus monitored to risky account and the network equipment.When a normal account is attempted When being traded in risky facility environment or with excessive risk account, system can be prevented transaction at once and supervise Account to protect the fund security of user, to build safer network environment.It is understood that other should This mode may also be employed with the network environment under scene and identify risk group.2nd, because non-authentication equipment has Identical device code, leads to a non-authentication equipment especially mountain vallage device code often to correspond to thousands of equipment, In media network, this device code also will be associated with thousands of this electronic payment platform account, this and crime Aggregation on equipment for the molecule has identical feature, and that is, non-authentication equipment also can have aggregation characteristic.And Media network is carried out with the presence due to non-authentication equipment during group division more than 80% user and equipment can be drawn It is divided into same group, lead to not efficiently identify the group that positioning network crime person is located.

In media network, equipment is by equipment code labeling, and a usual device code can be propped up with this electronics multiple Pay platform account relating, i.e. multiple equipment of user's " sharing ".Normal device and non-authentication equipment main Difference is: the customer group of " sharing " normal device generally also can share miscellaneous equipment, and that is, customer group is raw in reality It is truly present common factor in work, therefore can be divided into same group；And the user of " sharing " non-authentication equipment is several Miscellaneous equipment will not be shared again, only because these users link together the reason non-authentication device code. The presence of these non-authentication equipment, has had a strong impact on the discovery of aggregation risk clique, because non-authentication equipment meeting The user having no to occur simultaneously and equipment in a large amount of reality are linked together, lead to occur more than one hundred million groups of users and cannot Distinguish normal group and risk group.

Equipment cluster coefficients are used to identify the users to share coefficient of an equipment, therefore can using this coefficient Lai Identification non-authentication equipment.More efficiently mode is, based on multiple spy such as equipment cluster coefficients, ip, cell-phone number Levy to identify non-authentication equipment, and rejected from media network, to reduce non-authentication equipment to group division Impact, more effectively to find to position really risky group.

3rd, with the rapid expanding developing rapidly with non-authentication equipment of mobile Internet, put down based on this E-Payment The media network complex structure of account number and user device constructs, nodal diversity, thereby increase analysis mining Difficulty, the simultaneously huge data volume also disposal ability beyond single computer.At present, due to medium net The huge data volume of network, the incidence relation of more than one hundred million user nodes and device node has had become as computing device cluster The bottleneck of coefficient.Therefore, adopt bsp (bulk synchronous parallel) message transmission in actual applications Model, to build media network to calculate the cluster coefficients of each device code, just has very real meaning.

4th, in an online transaction, trading environment information generally also includes ip information and the mobile phone of user's use Number, and pass through to parse the province, city and region geographical position that ip can position user place.One user enliven scope and The cell-phone number using is typically relatively more fixing, therefore for a normal device, its active regions and pass The cell-phone number of connection also can tend towards stability relatively.But because the device code of non-authentication equipment is the same, although lead to multiple What user used is not same equipment, but this corresponding device code of non-authentication equipment can be with media network Multiple cell-phone numbers associate, simultaneously according to the association active regions that parse of ip also than common normal device Wider.Actual research finds, spreads all over region non-authentication equipment the widest and cover 34 domestic provincial row Administrative division and 342 city-level administrative areas；The mobile phone count simultaneously having the association of part non-authentication equipment has exceeded 20,000, This is clearly distinguishable from the mobile phone count of normal device association.

Therefore, the active regions (conventional city represents) corresponding to the ip according to equipment association and the mobile phone associating Count can distinguish non-authentication equipment and normal device, it is to avoid will be big due to non-authentication equipment in media network The user of amount and equipment are connected to become super large group.

5th, using spies such as the abnormality degree of equipment, cluster coefficients, active provinces and cities' region, the mobile phone count of association Levy and just can efficiently differentiate non-authentication equipment and normal device.In media network, user and non-authentication equipment pair It is invalid that the connection of the device code answered may be considered, and can temporarily reject whether this connection (is specifically judging equipment When being non-authenticating device, need to be judged in conjunction with indexs such as the crime situations of cluster coefficients and equipment, if sending out Gave birth to case, then will not reject this connection).

In media network after filtering non-authentication equipment, group is carried out to the user in media network and equipment and draws Divide it is found that occurring the equipment of case to have aggregation, that is, the equipment of the group that it is located nearly all occurred case Account in part, therefore this group and equipment all have higher risk factor.Therefore, in actual business, System just can with key monitoring these risky equipment and account group, when normal account attempt in these risk rings The carrying out of transaction can be intercepted when being traded in border at once.

In order to identify the risk operations and risk group being hidden in the operation of magnanimity funds transaction, the applicant inventor Based on the above objective fact finding it is proposed that calculating the different of media device using the message passing mechanism of bsp framework Normal manner (equipment association user number) and cluster coefficients to filter out risky media network, based on media network pair This electronic payment platform account and media device carry out group division, thus identify potential risk customer group and The technology design of the network equipment, it includes following two aspect contents:

The first level, basic fundamental design is to carry out cluster analyses to media network, accordingly divides group to identify wind Danger.Have technical point that to describe the media network of user in network environment-equipment incidence relation to scheme；To medium The device node of network carries out cluster analyses, obtains describing with subgraph and has corresponding cluster feature user-equipment and close Some groups of connection relation；Risk assessment is carried out to the group obtaining, judge its no for risk group.So, base Excavate aggregation on network media equipment for the network crime person and relatedness in media network, to risky account It is controlled with the network equipment and takes precautions against, safer network environment can be built.

Second aspect, improved technology design is to identify and reject non-authentication equipment before group division.Technical essential Be: cluster feature based on equipment is calculated using bsp framework message passing mechanism, utilize simultaneously equipment association ip, The features such as cell-phone number reject the invalid connection that non-authentication equipment brings.After identifying and rejecting non-authentication equipment, can disappear Unless the adverse effect of authenticating device, prevent from having a strong impact on aggregation risk clique because of the presence of non-authentication equipment Find.

Above-mentioned technology design carries out data from present inventor to the mass data of certain electronic payment platform and divides Analysis and the result of data mining, meanwhile, the application following examples also to be carried out taking this electronic payment platform as a example Illustrate.But it should be recognized that the technical scheme of the application is not limited only to this electronic payment platform.? That is, the application indication " transaction " is the concept of a broad sense, and it is not restricted to various E-Payments There is fund and the commercial act of goods transfer in platform etc., in various network applications between user and transaction platform, The data exchange carrying out between different user also belongs to the category of the application " transaction ", as stepping on of social network sites Land event just belongs to " transaction " of the application indication.

Based on above-mentioned technology design, the application constructs a kind of Risk Identification Method adapting under network environment, dress Put and risk prevention system system technical scheme, it can be to user account and media device in complicated media network Effectively carry out group division, thus identifying user account and the network equipment of potential risk.To these wind User in dangerous group and equipment carry out key monitoring, are favorably improved risk identification rate it is ensured that the having of risk prevention system Effect property, to build safer network environment.

For a further understanding of the technical scheme of the application, to carry out with specific embodiment below in conjunction with the accompanying drawings Describe in detail.

Referring to Fig. 1, the flow chart illustrating the Risk Identification Method of one embodiment of the application.This embodiment is based on and sets The aggregation of the existing clique of preparation, carries out group division to the node of account in media network and media device, thus comes Identification is hidden in risk operations and risk group in the operation of magnanimity fund, to build safer network environment, It is detailed further below.

As shown in figure 1, this Risk Identification Method includes the steps such as s110～s130, in detail below each step is carried out in detail Describe in detail bright.

S110, acquisition to describe the media network of user in network-equipment incidence relation to scheme.

In a network environment, can be related to user equipment and its incidence relation of magnanimity, generally these users can with Identifying, equipment can be identified family account with EIC equipment identification code.For convenience, hereinafter user, user's account Number, user node point to media network user class node object, equipment, equipment mark code, device node point to The equipment class node object of media network；These concepts are identical general in the media network expression for the application indication Read, thus sometimes do not do strict differentiation, noted when please read.

In order to rightly express the incidence relation of user in media network, equipment and user and equipment, the application will Media network is expressed with the structure of topological diagram form, specifically can describe with the form of matrix.Wherein user, Equipment is figure summit, and these summits are as the row and column of matrix；User-equipment incidence relation is the side of figure, its work For the element in matrix, if certain user-association, to certain equipment, is represented with " 1 " in a matrix, otherwise with " 0 " Represent, the matrix so obtaining can serve as " source figure " and processed.

Fig. 2 is the example forming media network.In user's funds transaction, fund outflow side is Party A, money Golden inflow side is Party B.The funds are flowed to Party B from Party A's associate device 1 (being represented with ip1 or cell-phone number 1) and close In the path of connection equipment 2 (representing with ip2 or cell-phone number 2), there is many device nodes and user node, these There is complex incidence relation between node, thus constitute a media network, wherein distinct device associates Number of users has differences.Based on this media network, group division can be carried out by analyzing its cluster feature, Further details are as described below.

S120, by cluster analyses are carried out to the device node of media network, media network is divided into come with subgraph Description has some groups of corresponding cluster feature user-equipment incidence relation.

This step s120, by carrying out cluster analyses to media network, to divide group to media network.In fact, The figure of media network can be divided into some subgraphs, and wherein each connected graph can monitor as a group.That is, By cluster analyses are carried out to device node, media network is divided into describe with subgraph there is corresponding cluster feature Some groups of user-equipment incidence relation.If these group's association user numbers marking off in this way more or There is case, risk group will be identified as and give key monitoring.

Significantly, since the presence of non-authentication equipment (as mountain vallage equipment), often lead in media network Node is a lot, ultimately results in and cannot be distinguished by normal group and risk group.This needs to pass through further to identify non-authentication Equipment simultaneously rejects corresponding annexation to solve, and it is substantially and for figure to be further divided into the less subgraph of node, By rejecting uncorrelated user node, device node and the incidence relation between them so that the use of group internal Family, equipment and their incidence relation are simplified, and thus avoid the occurrence of super large group.So, for each group More easy to identify risk, it is possible to reduce the problem of risk identification inefficacy occurs.

Group division mean that such as a and b has shared equipment m, b and c has shared equipment c, then a, b, C and equipment m, n can be divided into a group.There is group division it is possible to according to the equipment inside group Abnormality degree (connect number of users) and there is the indexs such as the equipment ratio of case to judge this group be height Incidence of criminal offenses part group.

Fig. 3 is the example carrying out media network group division.In Fig. 3, this media network original state is larger for one Figure；After rejecting non-authentication equipment and carrying out group division, obtain 5 subgraphs, the user's section in each subgraph There is certain incidence relation in point and device node, i.e. each subgraph namely group.Come for these groups Identification risk is simultaneously monitored, and ratio monitors in whole media network each user node and device node more effectively.

It should be noted that eliminating non-authentication equipment in this Fig. 3, thus obtain 5 groups.If not rejecting this Non-authentication equipment, then whole media network is exactly a larger group.Therefore, for preventing the appearance of super large group, Identifying and reject non-authentication equipment will be an important link.With regard to how to identify non-authentication equipment and reject Detailed description, refer to further part more detailed description content.

S130, according to default risk assessment rule, judge whether each group is risk group.

After above-mentioned cluster analyses, the group's needs obtaining are scored according to the risk assessment rule presetting, if It is scored above the threshold value that sets then it is assumed that excessive risk (potential risk) group in fact, otherwise it is assumed that being normal group. Emphasis is needed to carry out prevention and control for the user of excessive risk group, equipment and the transaction and these user and equipment between, Carry out if necessary intercepting transaction or freezing data, prevent user from producing property or other loss.

The risk assessment rule being understandable that in this step can preset according to the property of transaction, such as root According to the association user number of equipment in group and/or occurred the equipment ratio of case to judge this group whether as risk Group, if association user number or occurred case equipment ratio to exceed the default threshold value of setting, assert this group For excessive risk group, otherwise it is assumed that it is normal group.After regarding as risk group, can be with emphasis to this group It is monitored, be traded if any the user in the normal users outside this group and this risk group or equipment, then It is considered risk trade, now take the measures such as interception transaction to avoid the loss of normal users.

In addition, risk rule is not unalterable.In fact, the technical scheme of the application can pass through risk Rule learning (Intelligent Recognition), to update risk rule, is believed according to the risk setup parameter receiving and historical trading Breath, to form risk assessment rule new accordingly.Afterwards, the group dividing out is accordingly scored, with Identify whether group is risk group, repeat no more.

Cluster analyses are carried out according to step s110～step s130 to media network and divides group, and filter out excessive risk After group, these excessive risk group emphasis prevention and control, the control and monitoring for other normal groups can be subtracted significantly Little.For unique user in the whole media network of monitoring or equipment, identify the lifting of risk by group Degree greatly increases, and which reduces system processing pressure, is conducive to more effectively wind present in prevention and control network environment Danger.

As it was noted above, the impact being brought due to non-authentication equipment in above-described embodiment, may lead to almost all of User and equipment all can be gathered in a group, and this is unfavorable for identifying real excessive risk group.For this reason, have must Non-authentication equipment in media network is identified, and is determined whether according to the concrete condition of this non-authentication equipment Need for this non-authentication equipment to filter out this media network.

Non-authentication equipment can be identified further in the following preferred embodiment of the application, and according to account of the history Lai Confirm the non-authentication equipment needing to reject, filtered it in the non-authentication equipment rejecting need from media network Afterwards, then by preceding method to carry out cluster analyses to device node, the media network after non-authentication equipment will be rejected Divide some groups with corresponding cluster feature, be further described below.

Referring to Fig. 4, the flow chart illustrating the Risk Identification Method of another embodiment of the application.This embodiment includes walking Rapid s210～step s240, the difference with embodiment illustrated in fig. 1 is to add step s220 to identify in advance and to pick Unless authenticating device, and step s210, s230,240 identical with the corresponding step of previous embodiment, below carry out Explanation.

As shown in figure 4, step s220 is in order to process to the non-authentication equipment in media network, so that after avoiding In continuous group division step s230, super large group occurs.The Optimizing Flow of this step s220 is as follows:

Non-authentication equipment in s221, identifying medium network.

After obtaining the media network data that step s210 builds, non-authentication is identified by this step s221 and sets It is standby, it is to avoid in media network, substantial amounts of user and equipment to be connected to become by super large group due to non-authentication equipment, Specific recognition methodss are divided into two classes:

First, passing through acquisition equipment association user number (abnormality degree) and equipment cluster coefficients, carry out identifying medium network In non-authentication equipment.May determine that an equipment is a non-authentication equipment by equipment cluster coefficients, this It is because that a non-authentication equipment would generally be associated with a large number of users, but these users seldom associate other simultaneously and set Standby, therefore its cluster coefficients value meeting very little, non-authentication equipment can be confirmed accordingly according to the size of cluster coefficients.Close In the method calculating cluster coefficients, will illustrate further below, first not launch herein.

Second, the active regions corresponding to the ip being associated by equipment are distinguished non-authentication with the mobile phone count associating and are set Standby and normal device.This is because the device code of each non-authentication equipment is the same, although leading to multiple users to use It is not same equipment, but this corresponding device code of non-authentication equipment can be sent out with multiple cell-phone numbers in media network Raw association, simultaneously also wider than common normal device according to the active regions that association ip parses.

In actual implementation process, above-mentioned both sides factor is combined identification, is conducive to more accurately identifying Go out non-authentication equipment, recognition effect is also more accurate and more stable.

S222, the non-authentication equipment rejected according to account of the history, confirmation needs.

This step s222, according to account of the history, confirms the non-authentication equipment needing to reject.In some cases, non-recognize Card equipment also should not be rejected.For example, once there is case in certain non-authentication equipment, if being rejected, undoubtedly can Cause to fail to judge.For this situation, need to determine whether whether case occurs in this non-authentication device history；If It is that this non-authentication equipment is confirmed as the non-authentication equipment needing to reject；If it is not, this non-authentication equipment is confirmed as The non-authentication equipment that need not reject.So, help avoid by occurred case non-authentication equipment reject after lead to Omit the problem of risk group.

S223, the non-authentication equipment rejecting needs are filtered from media network.

It is possible to temporarily filter it from media network, so after the non-authentication equipment that confirmation needs are rejected Enter step s230 afterwards, by the device node filtering non-authentication equipment media network is carried out with cluster analyses, will Filter non-authentication equipment media network and be divided into describe with subgraph and there is corresponding cluster feature user-equipment association Some groups of relation.

Afterwards, in step s230, cluster analyses are carried out to the network after filtering, after obtaining corresponding group, that is, enter Enter step s240, according to default risk assessment rule, judge whether each group is risk group, specifically refer to Embodiment illustrated in fig. 1, is not repeated explanation.

In Fig. 4 embodiment, by the non-authentication equipment in step 220 identifying medium network and rejected, can keep away Exempt from that super group occurs.It has been observed that needing computing device cluster coefficients when identifying non-authentication equipment.However, matchmaker The huge data volume of Jie's network, the incidence relation of more than one hundred million user nodes and device node will become computing device cluster The bottleneck of coefficient, needs for this using suitable solution.

The application adopts bsp Message-Passing Model to build media network to calculate the cluster coefficients of each device code, It is described below.Fig. 5 is the flow chart using bsp message passing mechanism computing device cluster coefficients.This Fig. 5 is based on and divides The bsp framework message passing mechanism computing device association user number of cloth computing system and equipment cluster coefficients, solve The Calculation bottleneck problem of single computer.

Fig. 5 using bsp initialization media network during, using following flow processs:

By executing step0, the figure of media network is initialized, wherein user node is labeled as start node, by Beginning node is triggering bsp message passing mechanism.Hereafter can perform corresponding superledge, using simultaneously wherein in each superledge Send out calculation to improve efficiency.

First carry out superledge superstep0, start node posts messages to downstream node.In this first round message iteration During, only user node can send message, can comprise the miscellaneous equipment of this user node association in message.

Execute superledge superstep1 again, judge whether device node receives message and have downstream node, if so, count Calculate the cluster coefficients of this device node, and the relevant information of outut device node；If it is not, then this device node terminates Process.In this second wheel message iterative process, device node can use according to the user that in message, it is associated Miscellaneous equipment information calculates the cluster coefficients of this node, till the process of each device node completes.

Fig. 6 is the example of message transmission in equipment cluster coefficients calculating process.Below in conjunction with this example, come to Fig. 5 Shown equipment cluster coefficients calculating process is further illustrated.In this Fig. 6, a, b, c, d are start nodes, 1st, 2,3 is device node, after initialization figure, will execute following superledge:

In the 0th superledge superstep0, the facility information of association can be passed to upstream device node by user node. The message of each node transmission is as follows:

Node a is " [] " to the message content that equipment 1 transmits, and that is, user a does not associate miscellaneous equipment；

Node b is " [b:3] " to the message content that device node 1 transmits, and represents that b is associated with another equipment 3；With Shi Jiedian b is " [b:1] " to the message content that device node 3 transmits, and represents that b is associated with another equipment 1；

Node c is associated with equipment 1, equipment 2, equipment 3 simultaneously, and therefore node c gives device node 1, equipment section respectively Point 2, the message content of device node 3 transmission are: " [c:2,3] ", " [c:1,3] ", " [c:1,2] "；

Node d is only associated with equipment 2, is " [] " therefore to the message content that device node 2 sends.

In the 1st superledge superstep1, device node 1,2,3 all can receive message, can be counted according to message content Calculate the cluster coefficients of this device node, computational methods are as follows:

γ = \frac{k}{c_{n}^{2}}

Wherein n represents the number of users associating with this equipment, and k represents that in these customer groups in addition to this equipment, how many is right User employs other identical devices.Therefore equipment 1, equipment 2, the cluster coefficients of equipment 3 are:

Equipment 1,

γ = \frac{k}{c_{n}^{2}} = \frac{1}{3 \underset{2}{*} 2} = \frac{1}{3}

(equipment 1 association user a, b, c, wherein a and b shared device 3)

Equipment 2,

γ = \frac{k}{c_{n}^{2}} = \frac{0}{\frac{2 + 1}{2}} = 0

(equipment 2 association user c, d, but c and no other shared device)

Equipment 3,

γ = \frac{k}{c_{n}^{2}} = \frac{1}{\frac{2 + 1}{2}} = 1

(equipment 3 association user b, c, wherein b and c shared device 1)

It is possible to select suitable threshold value to set distinguishing non-authentication after obtaining cluster coefficients k of the said equipment node and γ Standby and normal device.For the connection of user and non-authentication device code, that is, it is considered invalid connection, can temporarily pick Remove.

Fig. 7 is the example distinguishing normal device and non-authentication equipment according to equipment cluster coefficients.Wherein, non-authentication sets Standby it is associated with 4 accounts, its cluster coefficients k=0, γ=0；And normal device " 1 " be associated with 3 accounts, Its cluster coefficients k=1,The equipment " 2 " that case occurred is associated with 5 accounts, its cluster system Number is k=2,Therefore, the number of users in combination with equipment association and two features of cluster coefficients, Just can more accurately position risk group.

According to the computational methods of Fig. 5, each device node exports correlation calculation result information, generally includes equipment association Number of users and equipment cluster coefficients, these indexs can preferably distinguish non-authentication equipment.In addition to this it is possible to According to equipment association ip corresponding to urban area and the mobile phone count associating can also distinguish non-authentication equipment with Normal device.

Fig. 8 illustrates non-authentication equipment and normal device provinces and cities distributed areas comparison example.It can be seen that normal device Active regions and the cell-phone number associating also can relatively tend towards stability；Rather than authenticating device can be occurred with multiple cell-phone numbers Association, simultaneously also wider than common normal device according to the active regions that association ip parses.Therefore, according to With the cell-phone number associating, the active regions of equipment can determine whether whether equipment is non-authentication equipment.

In sum, using the abnormality degree (association user number) of equipment, cluster coefficients, active provinces and cities region, The features such as the mobile phone count of association can efficiently differentiate non-authentication equipment and normal device.In media network, use It is invalid that the connection of family device code corresponding with non-authentication equipment may be considered, and can temporarily reject this connection.This Sample, when carrying out group division to media network, eliminates the interference of non-authentication equipment, can avoid in medium net In network, substantial amounts of user and equipment are connected to become by super large group due to non-authentication equipment.

So, after identifying non-authentication equipment by the way and filtering, further group is carried out to media network Divide, afterwards according to the association user number of equipment, occurred the equipment ratio of case to judge this group whether as wind Dangerous group, to carry out key monitoring to the user in risk group and device node, when normal account is attempted at this The carrying out that can at once intercept when carrying out in a little risk environments, this contributes to building safer network environment.

Risk Identification Method to network (hereinafter referred to as method) has been described in detail above.On this basis, The application also correspondingly provides a kind of risk identification device (hereinafter referred to as device) of network, below carries out detailed Description.

Conveniently, such as it is described part not to the utmost in the present embodiment device, refer to retouching of method part above State content；Similarly, preceding method partly in such as relating to device structure it is also possible to introduction description below in Hold.

Referring to Fig. 9, the block diagram of the risk identification device of the embodiment of the present application is shown.This device 100 adopts bsp frame Structure message passing mechanism calculates the cluster feature based on equipment, utilizes the features such as ip, the cell-phone number of equipment association simultaneously Reject the invalid connection that non-authentication equipment brings, thus in complicated media network, user and equipment can be carried out Group division, thus identify user and the equipment of potential risk.

As shown in figure 9, this device 100 builds module 110, cluster group division module 130, risk by media network Group judgment module 140 grade part forms, and below each several part is illustrated.

Media network builds module 110, can obtain to describe the medium of user in network-equipment incidence relation to scheme Network.Generally, media network is to identify user with user account, to identify equipment with EIC equipment identification code.Should After media network structure module 110 initializes to the figure representing media network, you can for identifying non-authentication equipment, Carry out group division afterwards again.

Non-authentication equipment processing module 120, can be used for the non-authentication equipment in identifying medium network, and please its from Reject in media network, thus avoiding the occurrence of super large module.Non-authentication equipment processing module 120 as shown in Figure 10 Block diagram, non-authentication equipment processing module 120 is specifically by non-authentication equipment identifying unit 121, non-authentication equipment mistake Filter unit 122 grade part composition, wherein: non-authentication equipment identifying unit 121 is used for non-recognizing in identifying medium network Card equipment, and the non-authentication equipment needing to reject is confirmed according to account of the history；Non-authentication equipment filter element 122 For being filtered the non-authentication equipment needing to reject from media network, eliminate to lead to because of non-authentication equipment The problem of super large group occurs.

Cluster group division unit 130, can gather to the device node filtering non-authentication equipment media network Alanysis, has been filtered non-authentication equipment media network and has been divided into be described with subgraph and had corresponding cluster feature user Some groups of-equipment incidence relation.If these group's association user numbers identifying are more or case occurred, Risk group will be identified as and give key monitoring.If it is understood that not filtering non-authentication equipment, pin To be that whole media network to carry out group division, repeat no more.

According to default risk assessment rule, risk group determination module 140, can judge whether each group is wind Dangerous group.Specifically according to the association user number of equipment in group and/or occurred the equipment ratio of case Lai Judge this group whether as risk group, if the association user number of equipment is excessive or case occurs then it is assumed that this group Organize as excessive risk group, now need to carry out key monitoring to the user in this risk group and equipment.Just conventional When user in family view and this risk group or equipment are carried out, in time to intercepting.

Said apparatus 100 are provided with non-authentication equipment processing module 120, non-authentication equipment identifying unit 121 therein It is an important unit, it can pass through acquisition equipment association user number and equipment cluster coefficients, to identify Non-authentication equipment in media network.Herein, the purpose calculating cluster coefficients is to be not to distinguish device node It is a non-authentication equipment.A usual non-authentication equipment can be associated with a large number of users, but these users are seldom same Shi Guanlian miscellaneous equipment, therefore its cluster coefficients value can very littles.

In order to calculate each equipment cluster coefficients, this non-authentication equipment identifying unit 121 architecturally Distributed Calculation system System, it passes through bsp framework message passing mechanism computing device association user number and equipment cluster coefficients, so permissible Overcome the computing capability bottleneck problem of single computer.

In the distributed computing system Organization Chart of the computing device cluster coefficients shown in Figure 11, distributed computing system has Main control server and some workspace servers, wherein master server are used for traffic control server, and do not participate in super Step (iteration) calculates；Each workspace server then can be executed concurrently superledge and calculate, and independently carries out between superledge.

Described main control server, for initializing media network, wherein by the user node labelling in media network For start node, so that triggering bsp message passing mechanism.

Described workspace server, for independently executing superledge, to calculate the cluster coefficients of each equipment, specifically Work process is as follows:

Superledge superstep0: each user node sends message, including the user node information sending message and This user node association miscellaneous equipment information, specific message structure referring to above, also dependent on need adjust；

Superledge superstep1: when device node receives message, calculate this device node equipment association user number and Equipment cluster coefficients, otherwise terminate the process of this device node；

To main control server, correlation calculation result information includes equipment to outut device node correlation calculation result information Association user number and equipment cluster coefficients, this two indices is used for identifying non-authentication equipment, and identification stability is preferable.

Additionally, above-mentioned non-authentication equipment identifying unit 121 can also associate the corresponding active region of ip by acquisition equipment Domain associates mobile phone count with equipment, carrys out the non-authentication equipment in further identifying medium network.This is due to just standing Its active regions standby tend towards stability relatively with the cell-phone number associating, rather than authenticating device can be closed with multiple cell-phone numbers Connection, the wider array of reason of active regions simultaneously being parsed according to association ip.

Therefore, comprehensive in the present embodiment and using the abnormality degree (association user number) of equipment, cluster coefficients, active The features such as provinces and cities region, the mobile phone count of association, to distinguish non-authentication equipment and normal device, identify non-authentication equipment Effect also more stable more prominent.After identifying non-authentication equipment, this non-authentication equipment identifying unit 121 is also Can be according to whether occurring case to determine the strategy of filtration in non-authentication device history；If so, this non-authentication is set The standby non-authentication equipment confirming as needing to reject；If it is not, this non-authentication equipment is confirmed as the non-authentication that need not reject Equipment.After so rejecting the non-authentication equipment in media network, can avoid in media network due to non-authentication Equipment and substantial amounts of user and equipment are connected to become super large group, thereby guarantee that and distinguish in complicated media network Normal group and risk group.

Said apparatus 100 are based on network equipment medium and excavate the potential Assembling Behavior of risk clique, are not considering user On the premise of the impact to model adaptation and predictive ability of the dynamic change of equipment incidence relation, by constructing matchmaker Jie's network is representing the operative relationship of account and the network equipment, and and is set to user using the cluster feature of localized network Standby group is divided, and therefrom filters out user and the network equipment of potential risk, excessive risk colony can be carried out In real time, effectively take precautions against and monitor.

Above the risk identification device of the application network is described, it has preferable risk identification and distinguishes energy Power, and risk identification stability is preferable.On this basis, the application accordingly build network risk prevention system system (with Lower abbreviation system), below briefly it is described.

Referring to Figure 12, it is the risk prevention system system of the embodiment of the present application.This system have risk identification device 100, Risk processing meanss 200, vulnerability database 300 and risk learning device 400, each several part collaborative work, reach reality When monitoring network risks purpose, be further described below.

Risk identification device 100, its specific structure and function refer to above, and it can be used for identifying medium net Risk group in network, the relative users in this risk group and the information of equipment can be pushed to risk processing meanss 200.

Risk processing meanss 200, for the user in monitor in real time risk group and equipment, attempt in normal users When carrying out with the user in this risk group and equipment, intercept and freeze corresponding data.

Vulnerability database 300, for depositing the corresponding data that risk processing meanss 200 intercept and freeze, so that risk Processing meanss 200 are verified and are provided historical information to risk identifying device 100.

Risk learning device 400, can form new accordingly according to the risk setup parameter receiving and historical information Risk assessment rule.

This system 100 passes through the cluster feature using the calculating of bsp framework message passing mechanism based on equipment, simultaneously profit Reject the invalid connection that non-authentication equipment brings with features such as the ip of equipment association, cell-phone numbers, in complicated medium net In network to and equipment carry out group division, thus identification has the network user and the equipment of potential risk, can be effectively Prevention and control network risks, are conducive to building safer network environment.

The technique scheme of the application can use hive sql and figure calculating based on Distributed Computing Platform Graph framework, to realize, does not have special requirement to software and hardware, and adaptability is wider, has preferable market Prospect.

Although the application is open as above with preferred embodiment, it is not for limiting the application, any ability Field technique personnel, without departing from spirit and scope, can make possible variation and modification, because The protection domain of this application should be defined by the scope that the application claim is defined.

In a typical configuration, computing device includes one or more processing modules (cpu), input/defeated Outgoing interface, network interface and internal memory.

Internal memory potentially includes the non-permanent memory module in computer-readable medium, random access memory module (ram) and/or the form such as Nonvolatile memory, such as read-only memory module (rom) or flash memory (flash ram). Internal memory is the example of computer-readable medium.

1st, computer-readable medium include permanent and non-permanent, removable and non-removable media can by appoint What subsystem or technology is realizing information Store.Information can be computer-readable instruction, data structure, program Module or other data.The example of the storage medium of computer include, but are not limited to phase transition internal memory (pram), Static random access memory module (sram), dynamic random access memory module (dram), other types Random access memory module (ram), read-only memory module (rom), the read-only storage of electrically erasable Module (eeprom), fast flash memory bank or the read-only memory module of other memory techniques, read-only optical disc (cd-rom), digital versatile disc (dvd) or other optical storage, magnetic cassette tape, tape magnetic magnetic Disk storage or other magnetic storage apparatus or any other non-transmission medium, can be used for storage can be by computing device The information accessing.Define according to herein, computer-readable medium does not include non-temporary computer readable media (transitory media), the such as data signal of modulation and carrier wave.

2 it will be understood by those skilled in the art that embodiments herein can be provided as system, system or computer journey Sequence product.Therefore, the application using complete hardware embodiment, complete software embodiment or can combine software and hard The form of the embodiment of part aspect.And, the application can using one or more wherein include computer can Computer-usable storage medium (including but not limited to disk resident storage drive, cd-rom, light with program code Learn memory module etc.) form of the upper computer program implemented.

Claims

1. a kind of Risk Identification Method is it is characterised in that include:

By carrying out cluster analyses to the device node of media network, media network is divided into describe tool with subgraph There is at least one group of corresponding cluster feature user-equipment incidence relation；

2. the method for claim 1 it is characterised in that described according to default risk assessment rule, sentence Whether Duan Ge group is in risk group step, the association user number according to equipment in group and/or case occurred Equipment ratio judging this group whether as risk group.

3. the method for claim 1 is it is characterised in that described extraction describes media network topological structure After network step, described by cluster analyses are carried out to the device node of media network, media network is divided Before being some groups step to describe with subgraph and there is corresponding cluster feature user-equipment incidence relation, comprising:

Non-authentication equipment in identifying medium network；

4. method as claimed in claim 3 is it is characterised in that non-authentication equipment in described identifying medium network In step, comprising:

5. method as claimed in claim 4 is it is characterised in that described acquisition equipment association user number and equipment gather Bsp framework message passing mechanism computing device association user number in class coefficient step, based on distributed computing system With equipment cluster coefficients.

6. method as claimed in claim 5 is it is characterised in that the described bsp frame based on distributed computing system In structure message passing mechanism computing device association user number and equipment cluster coefficients step, comprising:

7. method as claimed in claim 4 is it is characterised in that described gather according to equipment association user number and equipment Class coefficient, after carrying out the non-authentication equipment in identifying medium network, comprising:

8. method as claimed in claim 3 it is characterised in that described according to historical trading situation, confirm to need In the non-authentication device step rejected, comprising:

9. the method stated as claim 1-8 office is it is characterised in that described acquisition describes media network topology knot In the network step of structure, user is identified with user account, equipment is identified with EIC equipment identification code.

10. a kind of risk identification device is it is characterised in that include:

11. devices as claimed in claim 10 it is characterised in that described risk group determination module, according to group The association user number of equipment and/or occurred the equipment ratio of case to judge this group whether as risk groups in group Group.

12. devices as claimed in claim 10 are it is characterised in that including non-authentication equipment processing module, described Non-authentication equipment processing module has:

Non-authentication equipment filter element, for being filtered the non-authentication equipment needing to reject from media network.

13. devices as claimed in claim 12 are it is characterised in that the acquisition of described non-authentication equipment identifying unit sets Standby association user number and equipment cluster coefficients, carry out the non-authentication equipment in identifying medium network.

14. devices as claimed in claim 13 are it is characterised in that described non-authentication equipment identifying unit is distributed Computing system, it passes through bsp framework message passing mechanism computing device association user number and equipment cluster coefficients.

15. devices as claimed in claim 14 are it is characterised in that described distributed computing system has:

16. devices as claimed in claim 13 are it is characterised in that the acquisition of described non-authentication equipment identifying unit sets The standby association corresponding active regions of ip associate mobile phone count with equipment, carry out the non-authentication in further identifying medium network Equipment.

17. devices as claimed in claim 12 are it is characterised in that described non-authentication equipment identifying unit judges to be somebody's turn to do Whether there is case in the transaction of non-authentication device history；If so, this non-authentication equipment is confirmed as needing the non-of rejecting Authenticating device；If it is not, this non-authentication equipment is confirmed as the non-authentication equipment that need not reject.

18. devices as described in any one of claim 10-17 are it is characterised in that described media network builds mould Block to identify user with user account, to identify equipment with EIC equipment identification code.

A kind of risk prevention system system of 19. network tradings is it is characterised in that include:

Risk identification device as described in any one of claim 10～18, for the risk groups in identifying medium network Group, the relative users in this risk group and the information of equipment can be pushed to described risk processing meanss；

20. systems as claimed in claim 19 it is characterised in that include risk learning device, according to receive Risk setup parameter and historical transactional information, form risk assessment rule new accordingly.