CN107103548A

CN107103548A - The monitoring method and system and risk monitoring and control method and system of network behavior data

Info

Publication number: CN107103548A
Application number: CN201710157776.8A
Authority: CN
Inventors: 陈春明
Original assignee: Alibaba Group Holding Ltd
Current assignee: Advanced New Technologies Co Ltd; Advantageous New Technologies Co Ltd
Priority date: 2011-11-17
Filing date: 2011-11-17
Publication date: 2017-08-29
Also published as: CN103123712A

Abstract

This application provides a kind of monitoring method of network behavior data and system and risk monitoring and control method and system, method therein is specifically included：The network behavior data of user periodically or are regularly obtained from application on site program, and are used as web-based history behavioral data to carry out cluster-based storage the network behavior data；According to the web-based history behavioral data of the user, it is determined that corresponding risk model；According to the definition of the risk model, the web-based history behavioral data of cluster-based storage is called to carry out historical risk identification, and the parameter of corresponding historical risk recognition result as the risk model is preserved；The online network behavior data of user in real；Online risk identification is carried out to the online network behavior data according to the risk model, online risk identification result is obtained；According to the online risk identification result, the credit object of the user-association is handled.The application can improve the promptness and accuracy of credit risk monitoring.

Description

Network behavior data monitoring method and system and risk monitoring method and system

The patent application is a divisional application of the application number 201110366881.5 patent application, the application date is 2011, 11 and 17, and the invention name is a monitoring method and system for network behavior data.

Technical Field

The present application relates to the field of computer network technologies, and in particular, to a method and a system for monitoring network behavior data and a method and a system for risk monitoring.

Background

The credit business is a main business category of the bank, is one of post businesses for the bank to obtain profits, and is one of the focuses of market competition of various commercial banks. However, credit services are also risky services. Therefore, the credit risk is monitored timely and accurately to improve the asset quality and reduce the poor asset proportion, and the method is an important link for the commercial bank to improve the self viability and competitiveness.

At present, a typical monitoring method for enterprise credit risk in the prior art is to collect enterprise operation data and risk-related information data by means of visiting by a bank user manager, enter the information data into a database system after the collection is completed, finally, measure risk by analyzing abnormal financial and newspaper indexes such as sudden increase of receivable, slow withdrawal, sudden increase of credit and the like, and initiate corresponding remedial measures if the risk exists.

The above monitoring method for business credit risk has the following disadvantages:

1. the whole process needs manual intervention, which undoubtedly increases the labor cost;

2. the mode that a user manager visits at regular intervals according to months enables the collection, the entry and the analysis of information data to be static, so that the credit risk of an enterprise is always generated or exposed during analysis, and the defects of untimely and delayed are overcome;

3. since the collection, entry and analysis of information data are all done manually, especially the risk metric is a qualitative analysis of the information data, which is done mainly by the intuition and experience of the analyst, it has the disadvantage of being subjective and inaccurate.

Currently, a typical monitoring method for a credit risk of a personal credit card in the prior art is to use the credit card as a point of sale (POS) machine of a merchant, transmit the amount of a transaction, time, and a name of the merchant back to an issuer data center, compare and analyze transaction data (including consumption amount, frequency, etc.) and the like by the issuer data center, determine a risk, and take corresponding measures.

The monitoring method aiming at the credit risk of the personal credit card carries out comparative analysis on the transaction data which has already occurred, although the information related to the risk, such as the total amount of the consumed money of each month of the personal user, whether the repayment is in time and the like, can be obtained according to the analysis of the transaction data; however, the transaction data is not regularly traceable, and the consumption habit, consumption preference and other behavior characteristics of the individual user cannot be analyzed by the transaction data alone, so that if the individual user has the habit of luxury consumption, the wage of the user is far less than the total consumption amount of each month, and even if the individual user does not have a bad record of overdue repayment, the credit card credit of the individual user still has a great risk. The above monitoring method is also a more biased post-loan monitoring and thus cannot monitor the risk in such a situation, i.e., the above monitoring method for the credit risk of the personal credit card has the disadvantage of untimely and inaccurate monitoring.

In summary, one of the technical problems that needs to be urgently solved by those skilled in the art is: how the timeliness and accuracy of credit risk monitoring can be improved.

Disclosure of Invention

The technical problem to be solved by the application is to provide a method and a system for monitoring network behavior data, which can improve the timeliness and accuracy of credit risk monitoring.

In order to solve the above problem, the present application discloses a method for monitoring network behavior data, including:

acquiring network behavior data of a user from an online application program regularly or regularly, and performing cluster storage on the network behavior data as historical network behavior data;

determining a corresponding risk model according to the historical network behavior data of the user;

according to the definition of the risk model, calling historical network behavior data stored in a cluster to carry out historical risk identification, and taking a corresponding historical risk identification result as a parameter of the risk model to be stored;

acquiring online network behavior data of a user in real time;

performing online risk identification on the online network behavior data according to the risk model to obtain an online risk identification result;

and processing the credit object associated with the user according to the online risk identification result.

Preferably, the step of performing online risk identification on the online network behavior data according to a risk model includes:

acquiring a historical risk identification result of the risk model aiming at the historical network behavior data of the user;

and inputting the online network behavior data to the risk model by taking the historical risk identification result as a parameter of the risk model to obtain a corresponding online risk identification result, and storing the online risk identification result.

Preferably, the step of periodically or periodically acquiring the network behavior data of the user from the online application includes:

establishing connection to an online application program through a calling interface regularly or regularly, and pushing network behavior data of a corresponding user to the calling interface by the online application program based on an interface calling mode;

network behavior data from a user of an online application is monitored at the invocation interface.

Preferably, the interface call is an asynchronous call to the call interface.

Preferably, the step of acquiring online network behavior data of the user in real time includes:

and capturing online network behavior data of the user from the online application program in real time.

Preferably, the online network behavior data is attached to two or more users;

the step of performing online risk identification on the online network behavior data according to the risk model to obtain an online risk identification result includes:

aiming at each user to which the online network behavior data belongs, online risk identification is carried out on the online network behavior data according to corresponding risk models respectively, and corresponding sub online risk identification results are obtained;

and collecting the sub online risk identification results of all the users to obtain a total online risk identification result.

Preferably, the step of processing the credit object associated with the user according to the online risk identification result includes:

and judging whether the online risk identification result has risk, if so, determining the risk grade to which the online risk identification result belongs according to a preset risk grade standard, and performing risk processing corresponding to the determined risk grade on the credit object associated with the user.

On the other hand, the application also discloses a monitoring system of network behavior data, which comprises:

an offline risk identification device, comprising:

the off-line acquisition module is used for acquiring network behavior data of the user from the on-line application program regularly or regularly;

the cluster storage module is used for cluster storage by taking the network behavior data as historical network behavior data;

the determining module is used for determining a corresponding risk model according to the historical network behavior data of the user;

the historical risk identification module is used for calling historical network behavior data stored in the cluster to carry out historical risk identification according to the definition of the risk model so as to obtain a corresponding historical risk identification result; and

the first storage module is used for storing the historical risk identification result as a parameter of the risk model;

the real-time acquisition device is used for acquiring online network behavior data of a user in real time;

the online risk identification device is used for performing online risk identification on the online network behavior data according to the risk model to obtain an online risk identification result; and

and the processing device is used for processing the credit object associated with the user according to the online risk identification result.

Preferably, the online risk identification device includes:

a historical result obtaining module, configured to obtain a historical risk identification result of the risk model for the historical network behavior data of the user;

the online model identification module is used for inputting the online network behavior data to the risk model by taking the historical risk identification result as a parameter of the risk model to obtain a corresponding online risk identification result; and

and the second storage module is used for storing the online risk identification result.

Preferably, the offline acquisition module includes:

the connection establishing module is used for establishing connection to the online application program through a calling interface periodically or regularly, and the online application program pushes the network behavior data of the corresponding user to the calling interface based on an interface calling mode;

and the monitoring module is used for monitoring the network behavior data of the user from the online application program at the calling interface.

Compared with the prior art, the method has the following advantages:

firstly, the dynamic and automatic monitoring of enterprise credit or personal credit card credit risk is realized by monitoring the network behavior data of the user, and the method can be applied to the whole credit process including risk monitoring before, during and after the credit, so that compared with the risk monitoring after the credit in the prior art, the method can be more timely and accurate, and manual intervention is reduced as much as possible; for example, when the user applies for the loan, the user can know whether the credit application should be allowed or not, so that the timeliness of credit risk monitoring can be improved;

secondly, the risk model adopted by the risk identification is a mathematical model established according to the historical network behavior data of the user, and the risk model reflects the result of quantitative analysis on the historical network behavior data of the user, so that the accuracy of credit risk monitoring can be improved compared with the qualitative analysis in the prior art; for example, the quantitative analysis can analyze and obtain the behavior characteristics of decision habits, consumption preferences and the like of a personal credit user, so that when the analysis shows that the personal credit user has a luxury consumption habit and the wage of the personal credit user is far smaller than the total consumption amount of each month, even if the historical network behavior data shows that the personal credit user does not have a bad record of overdue repayment, the personal credit user is considered to have a great risk, and certain risk prompt and early warning strategies can be given for a bank to refer to see whether the credit card limit is reduced or not, or the credit authorization is frozen;

moreover, the method and the device can continuously acquire, analyze and identify the network behavior data of the user, ensure that the user applies for loan every day, and ensure that the online risk identification result is updated in real time, thereby ensuring the controllability of risk monitoring;

further, the method and the device perform cluster storage on the network behavior data of the user, adopt cluster cloud computing, and perform timely processing on large-scale data throughput in a parallel mode.

Drawings

FIG. 1 is a flow chart of an embodiment of a method for monitoring network behavior data according to the present application;

FIG. 2 is a business flow diagram of business credit of the present application;

FIG. 3 is an example of a flow chart for obtaining online behavior data for real-time transactions according to the present application;

FIG. 4 is a schematic diagram of a risk monitoring system according to the present application;

FIG. 5 is a schematic diagram of the relationship of the risk monitoring system of FIG. 4 to a business process;

FIG. 6 is a flowchart of an application of the risk monitoring system of FIG. 4 in post-loan risk monitoring;

FIG. 7 is a flow chart of the application of the risk monitoring system shown in FIG. 4 in fraud and account theft risk capture;

FIG. 8 is a block diagram of one embodiment of a network behavior data monitoring system of the present application;

fig. 9 is a schematic workflow diagram of the monitoring system shown in fig. 8.

Detailed Description

In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.

The existing monitoring method aiming at the credit risk of an enterprise or a personal credit card cannot acquire timely and sufficient user information, for example, a financial report provided by the enterprise is only collected before loan application, and the monthly financial report of the enterprise is collected every month after the loan application; as another example, the identification provided by the individual user may be collected just prior to the credit card application, and the total monthly amount of money consumed by the individual user may be calculated after the credit application. For the reasons, the prior art can only realize post-credit and static monitoring, so that the prior art has the defects of untimely and inaccurate monitoring.

At present, with the development of information technology, the internet has become an indispensable part of people's lives, and people perform various behaviors on the internet, such as entertainment behaviors, consumption behaviors, marketing behaviors, and the like.

If behavior data (hereinafter referred to as network behavior data) of a personal or enterprise credit user on the network can be acquired on the network and applied to monitoring of credit risks of enterprises or personal credit cards, full-process monitoring before, during and after credit can be achieved, automatic monitoring can be achieved, and timeliness and accuracy of monitoring can be improved.

One of the core concepts of the embodiment of the application is to acquire network behavior data of a user and realize dynamic, automatic and full-flow monitoring of enterprise credit or personal credit card credit risks by monitoring the network behavior data. The monitoring of the network behavior data may specifically include:

1. acquiring network behavior data of a user;

in practice, whether it is a personal credit user or an enterprise credit user, its network behavior data is user-authorized. For example, assuming that the credit object associated with a personal credit user is a credit card and the corresponding network behavior is a consumption behavior, its network behavior data typically includes, but is not limited to, the following data in addition to transaction data: registration information, authentication information, transaction types, conditions, evaluation information, community user activity information, and the like.

In order to realize dynamic, automatic and full-flow monitoring of credit risks of enterprises or personal credit cards, the method needs to continuously acquire the network behavior data of users, so that the network behavior data can be divided into two types: the historical network behavior data and the online network behavior data are limited by time, namely, the currently acquired online network behavior data is the online network behavior data, and the historical network behavior data is the previous online network behavior data.

2. Analyzing the network behavior data of the user;

in order to improve the objectivity and the accuracy of monitoring, qualitative analysis is not carried out like the prior art, but quantitative analysis of historical network behavior data is carried out, and specifically, a mathematical model is established according to the historical network behavior data of a user; the results of the quantitative analysis are reflected in the characteristics of the mathematical model, which may include, for example, the behavioral characteristics of the personal credit user, such as decision-making habits, consumption habits, and consumption preferences.

The prior art credit card bill shows the sum of money consumed in a certain store, but cannot know the specific attributes of the consumed goods, such as the purchase of beer, the selected brand, package, promotional price, etc. In addition, it is impossible to know which commodities the user compares before making a consumption decision, whether the commodities are price sensitive or the quality of the commodities is emphasized. According to the method and the device, the network behavior data of the user are obtained, so that timely and sufficient user information is provided for risk monitoring.

For example, if the analysis result of the network behavior data of an individual user indicates that a luxury purchase accounts for a large proportion of daily goods and an amount accounts for a large proportion of the total monthly consumption, it can be determined that the individual user has a habit of luxury consumption. In addition, the current payroll of the individual user may also be determined by analyzing registration information, authentication information, and the like. Further, the analysis results also indicate that the individual user will consume a large amount in the first half of a month.

3. Carrying out risk identification on online network behavior data of a user by using a risk model;

the online network behavior data of the user can be directly used as the input of the risk model, the output of the risk model is the risk identification result, and the risk identification result can be in the form of a risk assessment score, for example, the range of the risk assessment score can be 0-100, wherein the higher the risk assessment score is, the higher the risk is.

Corresponding to the above example, if the online network behavior data of the individual user is that, the individual user has consumed a huge amount at the beginning of a month; then, in a particular implementation, the calculations may be performed using various features of the risk model. Corresponding to the above example, it can be judged that the wage of the individual user is compared with the total amount of consumed money per month, if the wage is far smaller than the total amount of consumed money per month, the huge amount of consumed money is always compared with the amount of consumed money per month, and if the wage is larger than the total amount of consumed money per month, even if the characteristics of the risk model show that the individual user does not have the bad record of overdue repayment, the credit card credit of the individual user is considered to have a large risk, so that a high score of 80 points can be output.

4. And processing the credit object associated with the user according to the online risk identification result.

In practice, if the online risk identification result has no risk, the online risk identification result is only stored without being processed; however, if the risk exists, risk processing including early warning initiation, credit freezing, automatic deduction, entry into collection and the like should be adopted.

It should be noted that the online network behavior data of the user may be at any stage of the business process of the credit object associated with the user.

For example, if in the approval stage, the process may dynamically adjust approval decisions and credit limits according to the online risk identification result. The online risk identification method has the advantages that the online behavior data of the user are continuously acquired, analyzed and identified, the user can be guaranteed to apply for loan every day, and online risk identification results are updated in real time. For example, if the user was a regular user in the past, but yesterday made a large amount of false transactions, the user may be denied today when applying for a loan.

As another example, for the individual user of the above example, the credit card amount may be reduced, or the credit authorization may be frozen.

Firstly, the method realizes dynamic, automatic and full-flow monitoring of enterprise credit or personal credit card credit risk by monitoring the network behavior data of the user, can bring the post-loan risk monitoring of the prior art to the pre-loan risk, for example, when the user applies for loan, the user can know whether the credit application should be allowed or not, thereby improving the timeliness of credit risk monitoring;

secondly, the risk model adopted by the risk identification is a mathematical model established according to the historical network behavior data of the user, and the risk model reflects the result of quantitative analysis on the historical network behavior data of the user, so that the accuracy of credit risk monitoring can be improved compared with the qualitative analysis in the prior art;

and thirdly, the method and the device continuously acquire, analyze and identify the network behavior data of the user, can ensure that the user applies for the loan every day, and online risk identification results are updated in real time, thereby ensuring the controllability of risk monitoring.

Referring to fig. 1, a flowchart of an embodiment of a method for monitoring network behavior data according to the present application is shown, which may specifically include:

step 101, acquiring network behavior data of a user from an online application program regularly or regularly, and performing cluster storage by using the network behavior data as historical network behavior data;

step 102, determining a corresponding risk model according to the historical network behavior data of the user;

103, calling historical network behavior data stored in a cluster to identify historical risks according to the definition of the risk model, and storing corresponding historical risk identification results as parameters of the risk model;

104, acquiring online network behavior data of a user in real time;

in practice, the online network behavior data of the user may be captured in real time from the online application, and specifically, the present application may capture the online network behavior data of the user at any stage of the business process of the credit object associated with the user in real time from the online application.

In this embodiment, preferably, the online network behavior data of the user may include at least one or more of the following network behavior data:

the third party platform issues notice data aiming at user behaviors, physical address data of credit objects associated with the users in the business process, and transaction behavior data of the users on the network.

For example, where the user-associated credit object is business credit, the online network behavior data for the respective user may include one or more of the following data: financial data, registration information, identity verification information, upstream and downstream channel construction of users, distribution of large buyers and loyal users, industry price factors, advertising and promotion effect, user consumption preference and the like.

As another example, where the user-associated credit object is a personal credit card credit, the online network behavior data for the respective user may include one or more of the following: transaction data, registration information, authentication information, browsed goods before consumption of the user, price comparison behavior, and sharing behavior such as purchase consciousness and use experience of the user and other users.

Referring to fig. 2, a schematic diagram of a business process of enterprise credit according to the present application is shown, which may specifically include: the method comprises the steps of user loan application, service admission rules, admission and credit granting, loan approval, use and repayment and the like. For example, when a user applies for a loan from a bank, the bank may generate online network behavior data corresponding to the user's loan application.

When the method and the device are applied to risk monitoring after credit, announcement data issued by a third-party platform for user behaviors can be automatically captured by the third-party platform according to information acquisition standards set by a business department, for example, risk information is captured by the third-party platform such as real-time punishment information of a transaction platform, punishment information of a payment platform, industrial and commercial affairs, tax online platform announcement, court execution announcement and the like, and is used as online network behavior data of the user.

When the method and the device are applied to fraud and account theft risk capture, the physical address data of the credit object associated with the user in the business process can be acquired under the condition of user authorization. For example, historical network behavior data such as MAC (Message Authentication Code), IP (internet protocol) and access log in the whole loan process may be recorded and analyzed. Thus, when the user triggers an operation such as supporting, corresponding online network behavior data can be immediately acquired for later risk identification.

The method for acquiring the online network behavior data of the user in real time is described above by using several examples, and it can be understood that the application is not limited to the above examples, and a specific method for acquiring the online network behavior data of the user in real time is not limited.

105, performing online risk identification on the online network behavior data according to the risk model to obtain an online risk identification result;

because the risk model is a mathematical model established according to the historical network behavior data of the user, the objectivity and the accuracy of credit risk monitoring can be greatly improved compared with the qualitative analysis in the prior art.

In a specific implementation, the risk model may be a mathematical model established based on a machine learning method; wherein the machine learning method may include one or more of the following methods: correlation learning methods, boosting learning methods, Bayes (Bayes) learning methods, feature space (Eigen) learning methods, feature Vector (Vector) learning methods, and metaheuristic (Meta-Heuristics) learning methods. Of course, those skilled in the art may adopt other machine learning methods according to actual needs, or may also adopt other mathematical modeling methods, such as various linear or nonlinear modeling methods, etc., and the mathematical modeling method of a specific risk model is not limited in the present application.

In an application level, a person skilled in the art may define various risk models according to actual needs to continue risk identification for different users, and the specific risk models and definitions are not limited in the present application. Taking a commodity transaction as an example, it relates to both the buyer user and the seller user, so that the corresponding buyer fraud model and seller fraud model can be defined separately. In some cases, it is also necessary to define a behavior risk model to identify the risk of the commodity transaction itself. In some cases, it is also necessary to define a transaction prediction model to predict future transactions. The above examples of risk models are primarily directed to personal credit users, and similarly, business owner fraud models, business risk models, and the like may also be defined for business credit users.

In a preferred embodiment of the present application, the defined risk model can be flexibly established and updated based on the historical network behavior data, and accordingly, the method may further include:

a1, acquiring network behavior data of a user from an online application program periodically or regularly;

since the network behavior data has been authorized by the user, it can be obtained through the open data platform of the online application in practice. Here, the term "periodically" is understood to mean that the acquisition is performed at regular time intervals, for example, every 1 day, 2 days, 3 days, or the like; the timing may be understood as a fixed time of day, such as 10 o ' clock or 11 o ' clock or 12 o ' clock, etc. Those skilled in the art can flexibly use the meaning of periodic or timed according to the actual needs to obtain the network behavior data of the user from the online application program, and the application is not limited to the specific application.

In a preferred embodiment of the present application, the step of periodically or periodically acquiring the network behavior data of the user from the online application may include: establishing connection to an online application program through a calling interface regularly or regularly, and pushing network behavior data of a corresponding user to the calling interface by the online application program based on an interface calling mode;

Referring to fig. 3, in an application example of the present application, a flow chart for obtaining online behavior data of a real-time transaction is shown. The online transaction platform 301 calls a data interface of the risk monitoring center 302, and pushes data to the risk monitoring center 302 in time for processing through HTTP (HyperText Transfer Protocol) or RPCP (remote procedure Call Protocol). The invoking action may be initiated by the online trading platform 301, triggered by predefined trading flow, network behavior operation, and the risk monitoring center 302 is responsible for receiving and processing.

In order to ensure the robustness of the data transmission, in a preferred embodiment of the present application, the interface call may be an asynchronous call to the call interface. For synchronous calling, after a sender sends a data packet, the sender needs to block and wait until a receiver returns a response, and then can send the next data packet; in the case of asynchronous calls, the sender can send packets as desired without waiting for blocking.

Fig. 3 shows an example of an asynchronous transmission scheme, in which an online transaction platform 301 sends a real-time message to a message server 303, and a risk monitoring center 302 listens for the real-time message by establishing a long connection, and acquires the real-time message instantly. By the mechanism, the transaction information acquisition time delay is less than 0.5 second, so that the data transmission performance of the risk monitoring center is improved.

Step A2, cluster storage is carried out on the network behavior data as historical network behavior data;

generally, the access amount and the traffic amount of the online application are large, and the difficulty of implementing the historical network behavior data is mainly due to the high concurrency of the data amount. For example, the number of transactions occurring every ten minutes of the Taobao platform can reach several percent, and analyzing and modeling the legality of each transaction needs to deal with the problems of high concurrency, stability and accuracy of mass data. This results in the application acquiring huge network behavior data, for example, the network access log acquired by the application may be several TBs (terabytes or teramegabytes) per day on average.

For the situation, the network behavior data is used as historical network behavior data for cluster storage. The cluster storage has the advantages of open architecture (high expansibility), a distributed operating system, unified name space, easiness in management, load balancing, high performance and the like, and can be based on cloud storage and cloud computing, so that a solid foundation can be laid for later data analysis.

Step A3, determining a corresponding risk model according to the historical network behavior data of the user;

as mentioned above, those skilled in the art can define various risk models according to actual needs; here, a corresponding risk model may be determined for the historical network behavior data of the user. For example, the network behavior data of a transaction for an item, which may relate to both a buyer user and a seller user, may determine that the corresponding risk models may include both a buyer fraud model and a seller fraud model.

Step A4, according to the definition of the risk model, calling historical network behavior data stored in the cluster to perform historical risk identification, and saving a corresponding historical risk identification result as a parameter of the risk model.

In order to improve the objectivity and accuracy of monitoring, the application carries out quantitative analysis on historical network behavior data, and the result of the quantitative analysis is reflected in the characteristics of a risk model, for example, the characteristics of the risk model can comprise the behavior characteristics of decision habits, consumption preferences and the like of a personal credit user.

In a specific implementation, the historical network behavior data of the user can be directly used as the input of the risk model, the output of the risk model is the historical risk identification result, and the risk identification result can be in the form of a risk assessment score, for example, the range of the risk assessment score can be 0-100, wherein the higher the risk assessment score is, the higher the risk is. The historical risk identification result can be updated regularly or regularly along with the acquisition of the regular or regular network behavior data.

In practice, the risk model may perform parallel operations on the historical network behavior data using a MapReduce programming model. In practice, the risk model may store historical network behavior data in columns, where a column refers to a conceptual list of individual elements.

Then, the Map function may perform a specified operation on each element of the list, each element being operated on independently, without the original list being altered, since a new list is created to hold the new answer. That is, the Map function is highly parallelizable, which is very useful for high performance demanding applications and for requirements in the field of parallel computing. The Reduce function is a suitable combination of elements of a list, and although it is not as parallel as the mapping function, it is also useful in a highly parallel environment because it always has a simple answer and large scale operations are relatively independent.

In practical application, after receiving the network behavior data of the user, the Map function can process the log file of the corresponding webpage request and output the key value pair of < URL,1 >; the Reduce function then adds together the same URL visit number values and outputs a key-value pair of < URL, Total visit >.

In short, the risk model of the application calculates and identifies historical risk of large-data-volume historical network behavior data regularly (for example, by days), and controllability of risk prevention and control can be ensured.

Meanwhile, for a very large amount of data including transaction and online behavior data of 5T on average per day and more than 300 complicated query operation statements, the calculation is performed on the cluster storage, which takes less than 2 hours, which is incomparable with traditional databases such as Oracle, DB2, and the like.

And 106, processing the credit object associated with the user according to the online risk identification result.

In a preferred embodiment of the present application, the step of performing online risk identification on the online network behavior data according to a risk model may specifically include:

sub-step B1, obtaining the historical risk identification result of the risk model aiming at the historical network behavior data of the user;

and a substep B2, taking the historical risk identification result as a parameter of the risk model, inputting the online network behavior data into the risk model to obtain a corresponding online risk identification result, and storing the online risk identification result.

In another preferred embodiment of the present application, the step of processing the credit object associated with the user according to the online risk identification result may further include:

And assuming that the online risk identification result is represented by a risk assessment score, and the range of the risk assessment score is 0-100, wherein the higher the risk assessment score is, the higher the risk is, the online risk identification result with the risk assessment score being greater than or equal to 60 points can be considered to have risk.

The risk level may be preset by a person skilled in the art according to actual requirements, for example, the risk level may be divided into N risk levels, where each risk level corresponds to a certain risk level, where N is a natural number. For example, when N is 3, the three stages may be divided into low, medium, and high.

In a preferred embodiment of the present application, the online network behavior data may be affiliated with two or more users;

at this time, the step of performing online risk identification on the online network behavior data according to a risk model to obtain an online risk identification result may further include:

For example, the network behavior data of a commodity transaction may relate to both the buyer user and the seller user, so that the sub-online risk recognition results of the buyer fraud model and the seller fraud model are respectively collected and output according to the corresponding buyer fraud model and seller fraud model.

In fact, even if the online network behavior data is affiliated with only one user, it is possible to correspond to two or more risk models. For example, if tax payment data of a current month of an enterprise user is acquired from an enterprise and tax online platform announcement, risk identification can be performed on the tax payment data of the current month by using a corresponding enterprise owner fraud model and a corresponding operation risk model respectively, and then sub online risk identification results of the enterprise user and the tax payment data are output after being aggregated.

For a better understanding of the present application, the following description of the application in practice is given by means of a risk monitoring system as shown in fig. 4, which may in particular comprise: a data preparation layer 401, an intermediate model layer 402, an API service layer 403, a rule engine 404, an output layer 405; wherein,

the data preparation middle layer 401 acquires the network behavior data of the user such as real-time transaction data from the online application program in a communication manner of the HTTP protocol/RPCP and the message server, performs simple ETL (extract-Transformation-Loading) processing and arrangement, and triggers the model scheduler 421 in the middle model layer 402 after ensuring data filtering and cleaning;

the model scheduler 421 is responsible for managing all risk model data processing requests, for example, when transaction-related network behavior data is received, the transaction prediction model is invoked for risk identification. Summarizing corresponding risk identification results after the processing is finished;

the API service layer 403 plays an important role in data calling and preparing, for example, when the model scheduler 421 receives transaction information of a user, the API service layer 403 automatically calls the identity information (such as age, occupation, wage, eating habit, etc.) of the user from the basic data calling service 431, and/or calls the business information of the user from the business data calling service 432, and/or calls the logistics information used by the user from the logistics data calling service 433 to obtain the complete information of the user;

the aggregator 422 is mainly used for aggregating the sub online risk identification results of two or more risk models to obtain a total online risk identification result and outputting the total online risk identification result;

the rule engine 404 is mainly configured to trigger a rule to process the credit object associated with the user according to the output result, where the processing may be to take actions including initiating an early warning, freezing credit granting, automatically deducting money, entering into collection, and the like; in particular implementations, rules engine 404 may listen through a message queue, and when there is a message, the actions of rules engine 404 are automatically triggered.

The output layer 405 is specifically configured to output the processing result to a business system such as a bank.

In some cases, an auditing and feedback system may be further configured to audit the output processing results, and if not, the output processing results are fed back to the rule engine 404, and if the output processing results pass, the output processing results are returned to the data preparation middle layer 401.

It should be noted that the online network behavior data of the user acquired by the data preparation middle layer 401 may be in any stage of the business process of the credit object associated with the user; in addition, the method and the device can provide an interface for an external system flow to call the processing result.

In general, the basic data call service 431 may store the following levels of information:

product information: product level, product definition, product description, etc.;

user information: gender, age, occupation, industry, educational background, income, date of opening an account, purchased products, etc.;

generating easy information: time of purchase, number of purchases, frequency of purchases; consumption, investment, savings, transfer, financing, etc.

Referring to fig. 5, a schematic diagram of the relationship between the risk monitoring system and the business process shown in fig. 4 is shown, wherein the relationship between the monitoring system and the loan overall process is a loosely coupled relationship, and each functional module can receive the call of the business process in the service form at each stage of user application, business admission, approval, credit granting, use and repayment. The loose coupling relationship between the two can avoid the condition that the normal operation of the whole service is influenced by the fault of the subsystem, so that the whole service system is in high reliability.

In addition, when receiving calls of business processes, service modules in the basic data call service 431 can be freely combined, for example: when the user applies for loan, the blacklist checking module, the future transaction growth prediction module and the user behavior and habit preference analysis module can be combined for use, and the credit risk of the user is quantified and used as the basis for directly guiding the admittance or not.

Referring to fig. 6, a flowchart illustrating an application of the risk monitoring system shown in fig. 4 in risk monitoring after loan is shown, which may specifically include:

step 601, automatically capturing risk data from platforms such as transaction platform real-time punishment information, payment platform punishment information, industry and commerce, tax online platform bulletin, court execution bulletin and the like according to an information acquisition standard formulated by a business department;

step 602, performing data cleaning and sorting on the risk data;

here, the main purpose of data cleaning and sorting is to convert the historical data on-line and in the data warehouse into data units that can be identified and processed by the risk model, and to filter out erroneous information.

603, taking the historical risk identification result as a parameter of a risk model, and inputting the risk data after the data cleaning and sorting into the corresponding risk model to obtain a corresponding online risk identification result;

step 604, judging whether the online risk identification result has risk, if yes, executing step 605;

and 605, determining a risk level to which the online risk identification result belongs according to a preset risk level standard, and performing risk processing corresponding to the determined risk level on the credit object associated with the user.

Typically, for a medium and high risk level, this can be handled automatically by the rules engine 404 in the system; the low and medium risk level can be audited by the operator.

For example, when a certain user is put up a case by a court, the early warning rule can be automatically triggered through corresponding risk data crawled in real time, the credit of the user is temporarily frozen by the risk monitoring system, and then the risk personnel check the credit.

It should be noted that when the online risk identification result is not risky, the online risk identification result may be stored as a historical risk identification result without any risk processing, and in some cases, the online risk identification result may be reported to a risk person.

Referring to fig. 7, an application flow of the risk monitoring system shown in fig. 4 in fraud and account theft risk capture is shown, which may specifically include:

step 701, under the condition of user authorization, recording and analyzing historical network behavior data such as MAC, IP and access logs in the whole loan process to obtain corresponding historical risk identification results;

step 702, when the user triggers operation such as supporting, corresponding online network behavior data is immediately obtained;

step 703, inputting the online network behavior data after the data cleaning and sorting into a corresponding risk model by taking the historical risk identification result as a parameter of the risk model to obtain a corresponding online risk identification result;

step 704, judging whether the online risk identification result has risk, if yes, executing step 705;

step 705, determining a risk level to which the online risk identification result belongs according to a preset risk level standard, and performing risk processing corresponding to the determined risk level on the credit object associated with the user.

The identification process of the risk model can be that the online network behavior data after the data cleaning and sorting is compared with the past data to judge the geographic and unique identity information of the user, the result is returned immediately after the model matching, the account of the user is automatically frozen by the system for the result with the matching degree lower than a certain threshold value, and the safety information such as the account is checked by risk processing personnel and the user to eliminate the potential risk.

For example, a user applies for a loan in Hangzhou, the user operation activity mainly occurs in Hangzhou, the system monitors and finds that the user operation is supported in a remote area, and the system checks the identity to find that the user is possibly stolen, and the user automatically freezes the operation. The user can check with the customer service staff according to the prompt of the system and then release the frozen state.

This application has following advantage:

1. according to the method and the system, dynamic, automatic and full-flow monitoring of enterprise credit or personal credit card credit risks is realized by monitoring the network behavior data of the user, and post-loan and in-loan risk monitoring in the prior art can be advanced to the pre-loan, for example, when the user applies for a loan, the user can know whether the credit application is allowed or not, so that the timeliness of credit risk monitoring can be improved;

2. the risk model adopted by the application for risk identification is a mathematical model established according to the historical network behavior data of the user, and because the result of quantitative analysis on the historical network behavior data of the user is reflected in the risk model, the accuracy of credit risk monitoring can be improved compared with the qualitative analysis in the prior art;

3. the method and the system can continuously acquire, analyze and identify the network behavior data of the user, ensure that the user applies for loan every day, and ensure that the online risk identification result is updated in real time, thereby ensuring the controllability of risk monitoring;

4. the method and the device can be applied to the credit whole process including risk monitoring before, during and after the credit, so that compared with the risk monitoring after the credit in the prior art, the method and the device can be more timely and accurate, and manual intervention can be reduced as much as possible;

5. according to the method and the device, the network behavior data of the user are subjected to cluster storage, cluster cloud computing is adopted, and large-scale data throughput is processed in time in a parallel mode.

Corresponding to the foregoing monitoring method embodiment, the present application further discloses a monitoring system for network behavior data, and with reference to fig. 8, the monitoring system specifically may include:

offline risk identification apparatus 801 includes:

an offline acquisition module 811 for acquiring network behavior data of a user from an online application periodically or regularly;

a cluster storage module 812, configured to perform cluster storage on the network behavior data as historical network behavior data;

a determining module 813, configured to determine a corresponding risk model according to the historical network behavior data of the user;

a historical risk identification module 814, configured to call historical network behavior data stored in the cluster to perform historical risk identification according to the definition of the risk model, so as to obtain a corresponding historical risk identification result; and

a first saving module 815, configured to save the historical risk identification result as a parameter of the risk model;

a real-time obtaining device 802, configured to obtain online network behavior data of a user in real time;

an online risk recognition device 803, configured to perform online risk recognition on the online network behavior data according to the risk model to obtain an online risk recognition result; and

and the processing device 804 is configured to process the credit object associated with the user according to the online risk identification result.

In a preferred embodiment of the present application, the system may further include an offline risk identification device, which specifically includes:

the historical risk identification module is used for calling historical network behavior data stored in the cluster to carry out historical risk identification according to the definition of the risk model so as to obtain a corresponding historical risk identification result;

and the first storage module is used for storing the historical risk identification result as a parameter of the risk model.

In another preferred embodiment of the present application, the online risk identifying device may further include:

the online model identification module is used for inputting the online network behavior data to the risk model by taking the historical risk identification result as a parameter of the risk model to obtain a corresponding online risk identification result;

In yet another preferred embodiment of the present application, the offline acquisition module may further include:

In the embodiment of the present application, preferably, the interface call may be an asynchronous call to the call interface.

In this embodiment of the present application, preferably, the real-time obtaining device may be specifically configured to capture, in real time, online network behavior data of a user from an online application.

In the embodiment of the present application, it is preferable that the online network behavior data may be subordinate to two or more users;

in this case, the online risk identifying device may further include:

the individual identification module is used for carrying out online risk identification on the online network behavior data according to corresponding risk models respectively aiming at each user to which the online network behavior data belongs to obtain corresponding sub online risk identification results;

and the aggregation module is used for aggregating the sub online risk identification results of all the users to obtain a total online risk identification result.

In the embodiment of the present application, preferably, the processing apparatus may further include:

the judging module is used for judging whether the online risk identification result has risk or not;

the risk determining module is used for determining the risk level to which the online risk identification result belongs according to a preset risk level standard when the online risk identification result has risk;

and the risk processing module is used for carrying out risk processing corresponding to the determined risk level on the credit object associated with the user.

In the embodiment of the present application, it is preferable that the online network behavior data of the user may be at any stage of the business process of the credit object associated with the user.

In this embodiment, it is preferable that the online network behavior data of the user at least include one or more of the following network behavior data:

In order to make the present application better understood by those skilled in the art, the following description is provided for the practical application of the monitoring system shown in fig. 8 by referring to fig. 9, and the workflow may specifically include:

step 1: the monitoring system regularly calls transaction behavior data of the transaction platform every day;

step 2: storing the transaction behavior data to a mass data storage cluster;

and step 3: the mass data distributed computing cluster calls mass data to carry out computation according to the definition of the risk model;

and 4, step 4: storing the set of computed results into a credit management system.

And 5: the user applies for loan in the foreground;

step 6: the system can call the calculated result in real time and give feedback of the application result.

By the method, the user is guaranteed to apply for the loan every day, and the result is updated in real time. For example, if the user was a normal user in the past day, and yesterday had a large amount of false transactions, he may be denied today when applying for a loan.

For the system embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.

The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.

The method and the system for monitoring network behavior data provided by the application are introduced in detail, specific examples are applied in the method to explain the principle and the implementation manner of the application, and the description of the embodiments is only used for helping to understand the method and the core idea of the application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims

1. A risk monitoring system, comprising:

the data preparation layer acquires online network behavior data of a user from an online application program in a communication mode of an HTTP/RPCP and a message server; triggering a model scheduler in the intermediate model layer;

an intermediate mold layer comprising:

the model scheduler is used for managing data processing requests of all risk models and calling corresponding risk models to carry out risk identification according to the online network behavior data;

the aggregator is used for aggregating the sub online risk identification results of the at least two risk models to obtain a total online risk identification result and outputting the total online risk identification result;

the rule engine is used for triggering rules to process the credit objects associated with the users according to the output results;

and the output layer outputs the processing result to the service system.

2. The system of claim 1, wherein the system further comprises:

and the API service layer calls the identity information of the user from basic data calling service according to the online network behavior data of the user, and/or calls the operation information of the user from operation data calling service, and/or calls the logistics information of the user from logistics data calling service, and sends the logistics information as online network behavior data to the data preparation layer.

3. A risk monitoring method for use in post-loan risk monitoring, the method comprising:

capturing risk data in real time according to an information acquisition standard formulated by a business department to serve as online network behavior data;

carrying out data cleaning and sorting on the risk data;

taking a historical risk identification result as a parameter of a risk model, inputting risk data after the data cleaning and sorting into a corresponding risk model, and obtaining a corresponding online risk identification result;

judging whether the online risk identification result has risk or not;

if so, determining the risk grade affiliated to the online risk identification result according to a preset risk grade standard, and performing risk processing corresponding to the determined risk grade on the credit object associated with the user.

4. A risk monitoring method applied to fraud and account embezzlement risk capture is characterized by comprising the following steps:

under the condition of user authorization, recording and analyzing historical network behavior data of the user in the whole loan process to obtain a corresponding historical risk identification result;

when the user triggers operation, acquiring online network behavior data of the user;

taking the historical risk identification result as a parameter of a risk model, and inputting the online network behavior data after the data cleaning and sorting into a corresponding risk model to obtain an online risk identification result;

judging whether the online risk identification result has risk or not;

5. The method of claim 4, wherein the historical risk identification result is used as a parameter of a risk model, and online network behavior data after the data cleaning and sorting is input into the corresponding risk model to obtain an online risk identification result; judging whether the online risk identification result has risk or not; if so, determining the risk level to which the online risk identification result belongs according to a preset risk level standard, and performing risk processing corresponding to the determined risk level on the credit object associated with the user, wherein the risk processing comprises the following steps:

comparing the online network behavior data after the data cleaning and sorting with the previous data, judging the user geography and unique identity information, returning a result after model matching, automatically freezing a user account by the system for the result with the matching degree lower than a certain threshold value, and checking account safety information by risk processing personnel and the user to eliminate potential risks.

6. A method for monitoring network behavior data is characterized by comprising the following steps:

carrying out quantitative analysis on the historical network behavior data of the user, establishing a corresponding risk model, wherein the result of the quantitative analysis is reflected in the characteristics of the risk model;

according to the definition of the risk model, calling historical network behavior data stored in the cluster to perform historical risk identification, obtaining a corresponding historical risk identification result, and storing the historical risk identification result;

acquiring online network behavior data of a user in real time;

inputting the online network behavior data to the risk model by taking the historical risk identification result as a parameter of the risk model to obtain a corresponding online risk identification result, and storing the online risk identification result;

7. The method of claim 6, wherein the characteristics of the risk model include at least one of:

behavioral characteristics of personal credit user's decision-making habits, consumption preferences.

8. The method of claim 6, wherein the user's online network behavior data comprises at least one of the following network behavior data:

the third-party platform issues notice data aiming at the user behavior, the physical address data of the credit object associated with the user in the business process, and the transaction behavior data of the user on the network.

9. The method of claim 6, wherein the step of periodically or periodically obtaining network behavior data of the user from the online application comprises:

10. The method of claim 6, wherein the online network behavior data is affiliated with two or more users;

11. A system for monitoring network behavior data, comprising:

an offline risk identification device, comprising:

the determining module is used for carrying out quantitative analysis on the historical network behavior data of the user and establishing a corresponding risk model, and the result of the quantitative analysis is reflected in the characteristics of the risk model;

the first storage module is used for storing the historical risk identification result;

the online risk identification device is used for inputting the online network behavior data into the risk model by taking the historical risk identification result as a parameter of the risk model to obtain a corresponding online risk identification result; and

12. The system of claim 11, wherein the offline acquisition module comprises: