CN107798541B - Monitoring method and system for online service - Google Patents
Monitoring method and system for online service Download PDFInfo
- Publication number
- CN107798541B CN107798541B CN201610799529.3A CN201610799529A CN107798541B CN 107798541 B CN107798541 B CN 107798541B CN 201610799529 A CN201610799529 A CN 201610799529A CN 107798541 B CN107798541 B CN 107798541B
- Authority
- CN
- China
- Prior art keywords
- information
- user
- target user
- data
- identified
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/018—Certifying business or products
- G06Q30/0185—Product, service or business identity fraud
Abstract
The embodiment of the invention discloses a monitoring method and a monitoring system for online business, relates to the technical field of big data, and can improve the detection efficiency and reduce the risk of network transaction. The invention comprises the following steps: inquiring a data source according to the identification information of a target user, and reading service information associated with the identification information of the target user from the data source; querying users having an association relation with the target user through a feature template, wherein the feature template corresponds to a service system where the target user is located; and sending an alarm aiming at the user having the association relation with the target user. The invention is suitable for automatically detecting the account which can be used for network fraud cases in real time.
Description
Technical Field
The invention relates to the technical field of big data, in particular to a monitoring method and a monitoring system for online business.
Background
With the rapid development of internet technology, businesses such as electronic commerce, internet financial services, online transactions/payments, and the like have come up with the advent and have a rapidly growing situation. But with rapid development, internet-based crime incidents frequently occur, causing consumers and enterprises to suffer huge economic losses, even further damaging the social reputations of individuals and companies, such as: according to relevant statistics, 50% -70% of bad accounts for internet finance come from network fraud events by 2015.
In addition, because the network fraud has the characteristics of low cost and huge benefit, the network fraud industry chain is formed, and a large number of fraud groups with strict organization and clear division of labor have appeared. According to the analysis and display of a hunting network platform (established by the combination of the Beijing's municipality's network security and defense headquarters and the 360 Internet security center), the underground industrial scale of the phishing is rapidly enlarged, mainly because the phishing crimes have the characteristics of long-distance crime making, small amount of multiple issues, difficult evidence obtaining and the like, and the attack difficulty is large.
Although the financial regulatory department has continuously issued the relevant regulatory documents, the requirements for anti-fraud work of the financial institution are provided, such as: the information technology risk dynamic monitoring index of commercial bank issued by the bank prisoner, and the security information system technology guide on the internet of securities company issued by the certificate prisoner. However, the analysis mode and the analysis tool mainly used for single fraud cases at present are difficult to effectively complete the analysis work on a large number of cases in time, and it is difficult to establish an accurate and efficient early warning and detecting system. Particularly, for the current group fraud behaviors using online payment tools, especially the more complex fraud behaviors using multiple account numbers, cross-business systems and multiple sets of disguised (user) information, the current detection means is difficult to accurately lock the suspected target in time, so that the current detection efficiency is low, and the risk of network transactions is always high.
Disclosure of Invention
Embodiments of the present invention provide a monitoring method and system for an online service, which can improve detection efficiency and reduce risk of network transaction.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
in a first aspect, an embodiment of the present invention provides a method, including: inquiring a data source according to identification information of a target user, and reading service information associated with the identification information of the target user from the data source, wherein the identification information at least comprises: the account information and/or account number code of the target user, the data source at least includes: the business information at least comprises the following components: order information, payment information and logistics information, and/or the business information at least comprises: device fingerprint information, member registration information, and member attribute information;
querying users having an association relation with the target user through a feature template, wherein the feature template corresponds to a service system where the target user is located;
and sending an alarm aiming at the user having the association relation with the target user.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the method further includes:
receiving case identification sent by the monitoring platform, and reading data pointed by the case identification from the online trading platform;
and extracting the identification information of the target user from the data pointed by the case identification.
With reference to the first aspect or the first possible implementation manner of the first aspect, in a second possible implementation manner, the querying a data source according to identification information of a target user, and reading service information associated with the identification information of the target user from the data source includes:
according to the identification information of the target user, reading order information, payment information and logistics information under an account number pointed by the identification information of the target user from the online trading platform;
and/or reading device fingerprint information, member registration information and member attribute information under an account pointed by the identification information of the target user from the member management system according to the identification information of the target user.
With reference to the first aspect or the first possible implementation manner of the first aspect, in a third possible implementation manner, the querying, by using a feature template, a user having an association relationship with the target user includes:
determining a service system which generates service information associated with the identification information of the target user, and inquiring a characteristic template corresponding to the service system from a characteristic template library;
extracting feature data of the user to be identified from the identification information and the service information of the user to be identified according to the feature template;
and detecting whether the user to be identified is the user having the association relation with the target user or not according to the matching degree of the feature data and the feature template.
With reference to the third possible implementation manner of the first aspect, in a fourth possible implementation manner, the extracting, according to the feature template, feature data of a user to be identified from identification information and service information of the user to be identified includes:
reading the information type pointed by the characteristic template, wherein the pointed information type at least comprises: contact information, registration address information, and registration time information;
and extracting information which accords with the pointed information type from the identification information and the service information of the user to be identified as the characteristic data of the user to be identified.
With reference to the third possible implementation manner of the first aspect, in a fifth possible implementation manner, the detecting, according to the matching degree between the feature data and the feature template, whether the user to be identified is the user having an association relationship with the target user includes:
and detecting whether the specified data part in the feature data of the user to be identified is the same as the feature data of the target user, and if so, determining the user having the association relation with the target user.
With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner, the detecting whether there is a specified data portion in the feature data of the user to be identified that is the same as the feature data of the target user includes:
detecting whether the reserved name of the user to be identified is the same as that of the target user;
and/or detecting whether the reserved communication number of the user to be identified is the same as that of the target user;
and/or detecting whether the reserved communication address of the user to be identified is the same as that of the target user;
and/or detecting whether the IP address information of the user to be identified is the same as that of the target user during registration;
and/or detecting whether the time period of the registration of the user to be identified is the same as that of the target user.
With reference to the third possible implementation manner of the first aspect, in a seventh possible implementation manner, the method further includes:
reading the data pointed by the case identification from the online trading platform, and extracting trading layer data and account layer data of each business system, wherein the trading layer data comprises: the system comprises transaction time information, transaction attribution distribution information, payment terminal type information and payment channel information, wherein the account layer data comprises: registering address information, registering time information, registering channel information, user type information, registering terminal distribution information and member characteristic information;
and counting the information types in the transaction layer data and the account layer data according to the case involved frequency, and determining the information types pointed by the characteristic templates corresponding to the business systems.
With reference to the first aspect, in an eighth possible implementation manner of the first aspect, the method further includes:
acquiring service information generated in each service system aiming at the user with the association relation with the target user according to the identification information of the user with the association relation with the target user, and sending the service information to the monitoring platform;
and/or adding the identification information of the user having the association relation with the target user to a blacklist.
With reference to the eighth possible implementation manner of the first aspect, in a ninth possible implementation manner, the method further includes:
when detecting that at least one service system receives a transaction request sent by a user of the identification information in the blacklist, intercepting the transaction request;
feeding back a prompt message to a user of the identification information in the blacklist, wherein the prompt message comprises information for prompting to re-execute the account verification process;
and sending a status update message to the member management system, wherein the status update message is used for triggering the member management system to update the account status of the user with the identification information in the blacklist to be unverified.
In a second aspect, an embodiment of the present invention provides a system, where a case analysis server in the system is configured with at least: the system comprises a data extraction module, a data analysis module and a control module;
the data extraction module is configured to query a data source according to identification information of a target user, and read service information associated with the identification information of the target user from the data source, where the identification information at least includes: the account information and/or account number code of the target user, the data source at least includes: the business information at least comprises the following components: order information, payment information and logistics information, and/or the business information at least comprises: device fingerprint information, member registration information, and member attribute information;
the data analysis module is used for inquiring users having an association relation with the target user through a characteristic template, and the characteristic template corresponds to the business system where the target user is located;
and the management and control module is used for sending an alarm aiming at the user with the incidence relation with the target user.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the data extraction module is further configured to receive a case identifier sent by the monitoring platform, and read data pointed by the case identifier from the online trading platform; extracting the identification information of the target user from the data pointed by the case identification;
the data extraction module is specifically configured to: according to the identification information of the target user, reading order information, payment information and logistics information under an account number pointed by the identification information of the target user from the online trading platform; and/or reading device fingerprint information, member registration information and member attribute information under an account pointed by the identification information of the target user from the member management system according to the identification information of the target user;
the data analysis module is specifically used for determining a service system which generates service information associated with the identification information of the target user, and querying a feature template corresponding to the service system from a feature template library; extracting the feature data of the user to be identified from the identification information and the service information of the user to be identified according to the feature template; detecting whether the characteristic data of the user to be identified has a specified data part which is the same as the characteristic data of the target user, if so, determining the user which has an association relation with the target user;
wherein, the detecting whether the specified data part in the feature data of the user to be identified is the same as the feature data of the target user comprises: detecting whether the reserved name of the user to be identified is the same as that of the target user; and/or detecting whether the reserved communication number of the user to be identified is the same as that of the target user; and/or detecting whether the reserved communication address of the user to be identified is the same as that of the target user; and/or detecting whether the IP address information of the user to be identified is the same as that of the target user during registration; and/or detecting whether the time period of the registration of the user to be identified is the same as that of the target user.
With reference to the second aspect or the first possible implementation manner of the second aspect, in a second possible implementation manner, the management and control module is further configured to obtain, in each service system, service information generated for the user having an association relationship with the target user according to the identification information of the user having an association relationship with the target user, and send the service information to the monitoring platform; and/or adding the identification information of the user having the association relation with the target user to a blacklist.
The monitoring method and the monitoring system for the online service provided by the embodiment of the invention utilize the networks such as social contact/IP address/mobile phone number/geographic information and the like constructed by various data sources, and inquire the users having the association relation with the target user through the characteristic template, so that the association between the fraudulent account numbers is quickly positioned, and the other suspicious high-risk users having the association with the fraudulent account numbers are reversely positioned through the service information such as the IP address, the machine equipment fingerprint, the mobile phone number, the receiving address and the like of the target user during the transaction. The suspected target can be timely and accurately locked, the corresponding warning message is sent to the monitoring platform, further batch freezing or cleaning can be adopted, real-time automatic detection is realized, account numbers which can be used for network fraud cases are limited, and therefore detection efficiency is improved, and risk of network transaction is reduced.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic overall architecture diagram of a monitoring system for online services according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of a monitoring method for an online service according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a monitoring system for online services according to an embodiment of the present invention;
fig. 4a, 4b, 4c, and 4d are schematic diagrams of specific examples provided in the embodiments of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the present invention will be described in further detail with reference to the accompanying drawings and specific embodiments. Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention. As used herein, the singular forms "a", "an", "the" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or coupled. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items. It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The method flow in this embodiment may be specifically executed on a system for monitoring an online service shown in fig. 1, where the system includes: the system comprises a case analysis server, a monitoring platform and a data source.
The case analysis server may be a server, a workstation, a super computer, or a server cluster system for data processing, which is composed of a plurality of servers. Such as: the case analysis server is deployed in the form of a master-slave cluster, and each slave server is responsible for requesting for query from a data source according to identification information of a target user and reading service information associated with the identification information of the target user from the data source. And the Master server is responsible for summarizing and clustering the service information acquired by each slave server from different data sources. And querying users having association relation with the target user through a feature template by the case analysis server based on the collected clustered service information. And then sending an alarm aiming at the user having the association relation with the target user. Specifically, the case analysis server may also be a single server device or a device cluster composed of a plurality of servers integrated in the online transaction platform or the member management system.
In this embodiment, a specific manner for issuing an alarm for a user having an association relationship with the target user may include: sending an alarm message to a monitoring platform aiming at the user having the association relation with the target user so that the monitoring platform can timely know the user having the association relation with the target user, and taking a further monitoring measure aiming at the user having the association relation with the target user, such as: freezing account number, seal number and the like; or aiming at the users having the association relation with the target user, the users are marked as high-risk users, alarm messages are sent to merchants and maintenance personnel of the online transaction platform, the credit level of the users having the association relation with the target user on the online transaction platform can be reduced, or other measures capable of limiting the activity degree of the users having the association relation with the target user on the online transaction platform are taken, so that a part of network fraud cases caused by the high-risk users can be prevented; the monitoring platform may specifically be a monitoring center for monitoring an online transaction platform in real time, and a server device or a server cluster for case analysis undertakes a main hardware execution process, for example: a risk monitoring system of an online transaction platform which is commonly used at present; for another example: a supervision platform for statistical supervision of network fraud cases, such as the monitoring system of the currently known and more mature 'hunting platform'.
Specifically, the case analysis server performs case warehousing from the monitoring platform, for example: and the data in the online transaction platform or the online payment platform, which is defined by the wind control service personnel as the case identification of the case, is collected and recorded into the case analysis server. The case analysis server can receive the case identification sent by the monitoring platform, read the data pointed by the case identification from the online trading platform, and extract the identification information of the target user from the data pointed by the case identification. In this embodiment, a case identifier may specifically be identification information for marking a transaction process, such as a transaction number for an online transaction operated by a user, an order number for an online shopping operated by the user, or a transaction number for transacting an online financial service operated by the user.
The data source may specifically be: the server equipment is used for storing business information such as order information, payment information, logistics information and the like in the online trading platform; and a server device in the member management system for storing service information such as device fingerprint information, member registration information, member attribute information, and the like. Or may be other devices, systems or platforms for storing business information.
It should be noted that, the "user" in this embodiment may be understood as a person who completes account registration operation in a system such as an online transaction platform or a member management system through user equipment, and performs subsequent operation behaviors such as online transaction, online shopping, account management, and the like through the user equipment. The user equipment may be implemented as a single Device, or integrated into various media data playing devices, such as a set-top box, a Mobile phone, a Tablet Personal Computer (Tablet Personal Computer), a Laptop Computer (Laptop Computer), a multimedia player, a digital camera, a Personal Digital Assistant (PDA), a navigation Device, a Mobile Internet Device (MID), or a Wearable Device (Wearable Device).
An embodiment of the present invention provides a monitoring method for an online service, as shown in fig. 2, including:
s1, inquiring a data source according to the identification information of the target user, and reading the service information associated with the identification information of the target user from the data source.
Wherein the identification information includes at least: and account information and/or account number code of the target user. The target user can be understood as: in various transaction activities of each user, account information and/or account number codes corresponding to each user are generated by the online transaction platform and are used for recording log data of the transaction activities. The log data is used for recording the information of the user in order, payment, logistics and the like. If the log data pointed to by the case identifier provided by the monitoring platform to the case analysis server includes log data of the corresponding transaction activities of one or more users, the one or more users may be the target users, for example: the case identification provided by the monitoring platform points to log data of a case which is determined to be an phishing case, and then a user corresponding to the log data is taken as a target user, and account information, a user head code and the like of the user are recorded into a blacklist; for another example: and the case identification provided by the monitoring platform points to the log data in the specified time period, and then the user corresponding to the log data is taken as a target user, and after the suspicion investigation is completed manually or by adopting the process of the embodiment, whether the account information, the account number code and the like are recorded in the blacklist is judged. In this embodiment, the case analysis server may perform suspicion investigation by presetting a specific feature template.
It should be noted that the account information described in this embodiment specifically includes but is not limited to: the account, the mailbox, the telephone number and the like which are input by the user during account registration have information for distinguishing different user functions. The account number described in this embodiment specifically includes but is not limited to: the bank card number, the online payment account number and the serial number distributed by the online transaction platform for the registered user are provided by the user, and the like have the functions of distinguishing different users and have unique information.
In this embodiment, the service information at least includes: order information, payment information and logistics information, and/or the business information at least comprises: device fingerprint information, member registration information, and member attribute information. For example: as shown in fig. 1, the data source includes at least: the business information at least comprises the following components: the order information, the payment information, the logistics information and other information provided by the online trading platform, and the service information at least comprises: device fingerprint information, member registration information, member attribute information, and the like provided by the member management system. The service information obviously corresponds to the identification information of one or more users, and if the "one or more users" are the target users, the service information can be understood as the service information associated with the identification information of the target users.
And S2, inquiring users having association relation with the target user through the characteristic template.
The feature templates correspond to the service system where the target user is located, and different service systems may correspond to one or a set (including multiple) of feature templates. The service system described in this embodiment may include, but is not limited to: the online sales system (such as various online shopping websites), the online financial system (such as various apps providing financial management servers and corresponding service end systems), the online promotion system (such as online issuing websites and apps of coupons available for online or offline transactions), the logistics system (such as a logistics progress tracking system), and the like, which are operated by the online transaction platform, and the member activity system (such as a community forum), the data service system (such as a network disk system, a data backup service system, and the like, which are operated by the member management system). It should be noted that the data source in this embodiment specifically includes a device or a device cluster on a hardware level, such as a server device and a server cluster; the service system in this embodiment includes a system for providing various services and services to a user, and a device or a device cluster serving as a data source may simultaneously undertake the operation of one or more service systems.
And S3, sending an alarm aiming at the user having the association relation with the target user.
Wherein the alert message at least comprises: the identification information of the user having the association relation with the target user is used for facilitating the monitoring platform to identify the user having the association relation with the target user; the alert message further includes: and identifying the system identification of the service system where the user with the association relation with the target user is located so as to facilitate the monitoring platform to identify the service system related to the user with the association relation with the target user. The service system involved by the user can be understood as: the user performs at least one operation of registration, login, browsing and the like on the related service system by operating the user terminal.
In the method for monitoring online services provided by this embodiment, a network such as a social contact/IP address/mobile phone number/geographic information constructed by multiple data sources is used, and a user having an association relationship with the target user is queried through a feature template, so that association between fraudulent account numbers is quickly located, and thus, other suspicious high-risk users having an association with the fraudulent account numbers are reversely located through service information such as an IP address, a machine equipment fingerprint, a mobile phone number, a receiving address and the like during transaction of the target user. The suspected target can be timely and accurately locked, and a corresponding warning message is sent to the monitoring platform, so that the detection efficiency is improved, and the risk of network transaction is reduced.
In this embodiment, a possible implementation means adopted in the step S1 is provided, that is, the case analysis server queries a data source according to the identification information of the target user, and reads the service information associated with the identification information of the target user from the data source, and an implementation means adopted in the method includes:
the case analysis server reads order information, payment information and logistics information under an account pointed by the identification information of the target user from the online trading platform according to the identification information of the target user; and/or reading device fingerprint information, member registration information and member attribute information under an account pointed by the identification information of the target user from the member management system according to the identification information of the target user.
Wherein, the information read from the online transaction platform and the member management system according to the identification information of the target user includes but is not limited to: order information (such as an order number, an order placing time and the like), payment information (such as a payment amount, a payment account, payment time and the like), logistics information (such as delivery time, packaging time, logistics progress information and the like), device fingerprint information (such as a device fingerprint adopted in the current anti-fraud technology), member registration information (such as information of registration time, a nickname, a mailbox, a telephone number and the like of a member), and member attribute information (such as authority and level information of the member). For example: the case analysis server can read the service information from a plurality of data sources and integrate the service information according to the identification information of the target user. In practical application, data from different sources can be associated according to transaction subjects (such as users represented by identification information of target users), as shown in fig. 3, a case analysis server can read case identifications from a risk case library of a monitoring platform, or directly read pre-stored business information; reading device fingerprint information from a machine fingerprint table of a member management system; reading member registration information from a member information table of a member management system; reading member attribute information from a member attribute table of a member management system; or reading order information, payment information, logistics information and the like from a payment transaction order table of the online transaction platform.
Further, the method also comprises the following steps: and the case analysis server reads the data pointed by the case identification from the online trading platform and extracts the trading layer data and the account layer data of each business system. And counting the information types in the transaction layer data and the account layer data according to the case involved frequency, and determining the information types pointed by the characteristic templates corresponding to the business systems.
Therefore, the dimensions of IP addresses, mobile phone numbers, geographic information of case-related transaction main bodies, such as receiving addresses, payment channels, payment terminals, registration time, concentration of payment time and the like are used as the characteristics for analyzing and summarizing the relevance of cases and group fraud, and the characteristics are imported into the characteristic template. So as to update the characteristic template corresponding to each service system in real time, or generate the corresponding characteristic template in real time when a new service system is on line.
In this embodiment, the transaction layer data includes: the system comprises transaction time information, transaction attribution distribution information, payment terminal type information and payment channel information, wherein the account layer data comprises: registration address information, registration time information, registration channel information, user type information, registration terminal distribution information, and member feature information. Wherein the member characteristics may further include: gender distribution, age distribution, account number attribution city, membership status, whether to work inside, whether to bind cards and the like.
It should be noted that the type of the service information queried by the case analysis server from the data source according to the identification information of the target user may be at least one or more of the above listed service information, or may be other types of service information besides the above listed service information, and the specific type of the service information to be specified may be determined according to a feature template adopted when querying a user having an association relationship with the target user.
In this embodiment, a possible implementation means adopted in the step S2 is provided, that is, a user having an association relationship with the target user is queried through the feature template, and a possible implementation means adopted in the step S21-S23 includes:
s21, determining the service system which generates the service information associated with the identification information of the target user, and inquiring the characteristic template corresponding to the service system from the characteristic template library.
And S22, extracting the feature data of the user to be identified from the identification information and the service information of the user to be identified according to the feature template.
Specifically, the extracting, according to the feature template, the feature data of the user to be identified from the identification information and the service information of the user to be identified includes: firstly, reading the information type pointed by the characteristic template; and then extracting information which accords with the pointed information type from the identification information and the service information of the user to be identified as the characteristic data of the user to be identified. Wherein the pointed to information types at least include: contact information, registration address information, and registration time information. The feature templates corresponding to different service systems can point to different information types, and the case analysis server can extract information conforming to the information types pointed by the feature templates as feature data of the user to be identified. For example: for a system for undertaking logistics business, the characteristic template comprises: 1: counting the distribution conditions of the receiving contact persons and the receiving mobile phone numbers of the accounts with the specified number; 2: counting the condition of sharing the registered IP among different accounts; 3: and counting the condition that the registration time points are concentrated in a specified time period. The type of information pointed to by the feature template includes: registration IP address information, registration time information, contact information (contact name, receiving mobile phone number), and the like. The case analysis server may extract the member registration information from the member management system and statistically obtain characteristic data such as: the statistical characteristic data comprises: the method is characterized in that: receiving contacts and receiving mobile phone numbers related to a plurality of accounts are distributed, for example, the distribution of receiving mobile phone numbers related to a plurality of accounts shown in fig. 4a is obtained, and a main distribution city is Nanjing; and (2) feature: the situation of sharing the registered IP among different accounts, such as the distribution of the registered IP addresses of multiple accounts shown in fig. 4b, and the main street can be determined according to the counted IP addresses; and (3) feature: the registration time points are mainly concentrated on accounts between 1 and 2 days of month 3 in 2016, such as the distribution of registration time of a plurality of accounts shown in fig. 4c, and whether concentrated registration exists can be determined according to statistics, wherein one line in fig. 4a, 4b and 4c represents one account.
S23, detecting whether the user to be identified is the user having the association relation with the target user or not according to the matching degree of the feature data and the feature template.
Specifically, the detecting whether the user to be identified is the user having the association relationship with the target user according to the matching degree of the feature data and the feature template includes: and detecting whether the specified data part in the feature data of the user to be identified is the same as the feature data of the target user, and if so, determining the user having the association relation with the target user.
For example: for a system for undertaking financial loan transactions, a feature template includes: and verifying the information consistency, namely verifying the associated information, and taking the user based on the condition that some information is consistent and other information is inconsistent as the user having the association relation with the target user. For a system that undertakes financial loan transactions, the types of information that the feature templates point to include member registration information, such as: the third borrower Zhang is a target user, if the third borrower Zhang and the fourth borrower Li are the same as the contact telephone filled in the member registration information, but the company names are completely different, the third borrower Zhang can be judged as a risk point, and the case analysis server judges that the fourth borrower Li is a user having an association relation with the third borrower Zhang; for another example: the borrower king five is a target user, the account of the king five is judged to be a losslessly borrowed person, and if the member registration information of Zhang three and Li four has the same part (such as information of contact telephone, company name, address and the like) with the king five, the Zhang three and Li four are judged to be the users having the association relationship with the king five.
For another example: a characteristic template can be preset as a universal template and corresponds to a plurality of service systems so as to quickly identify group fraud. Such as: the characteristic template comprises: and verifying the information consistency, namely verifying the associated information, and taking the user based on the condition that some information is consistent and other information is inconsistent as the user having the association relation with the target user. One possible template set-up scenario is listed below, including: if the number information, address information, surname or device fingerprint information are consistent, and the first name and other member registration information are inconsistent, it is determined that the users having the correlated relationship between the accounts corresponding to the consistent information are related to each other, for example, as shown in fig. 4d, the users having the correlated relationship between the accounts corresponding to the same phone number and having different names are related to each other.
In addition to the above detection means, in this embodiment, several possible feature templates are further enumerated, and whether the specified data portion is the same as the feature data of the target user in the feature data of the user to be identified is detected, so as to determine whether the user to be identified is the user having the association relationship with the target user. For example: detecting whether the reserved name of the user to be identified is the same as that of the target user, such as: detecting that the names of consignees related to a plurality of accounts are identical in surnames but irregular in names, and the consignee mobile phone numbers share a few parts; and/or detecting whether the reserved communication number of the user to be identified is the same as that of the target user, such as: only a few receiving mobile phones are shared; and/or detecting whether the reserved communication address of the user to be identified is the same as that of the target user, such as: determining that the shipping address is in the same area by the means illustrated in S22; and/or detecting whether the IP address information of the user to be identified is the same as that of the target user during registration, such as: the condition of sharing the registered IP exists among different accounts; and/or detecting whether the time period of the registration of the user to be identified is the same as that of the target user, such as: are accounts that are continuously registered for a short period of time.
In this embodiment, the case analysis server may execute the following procedures, in addition to issuing an alarm for the user having the association relationship with the target user, where the procedures include:
acquiring service information generated in each service system aiming at the user with the incidence relation with the target user according to the identification information of the user with the incidence relation with the target user, and sending the service information to the monitoring platform, so as to support the case reverse-checking tracing data detail export function, so that the monitoring platform can receive the case query detail data through an existing automatic case analysis system or manually call the case query detail data by monitoring personnel, and perform case analysis;
and/or adding the identification information of the user having the association relation with the target user to a blacklist. For example: and after the users having the association relation with the target user are judged as other members in the committing group, the users having the association relation are subjected to blacklist entry (so as to intercept transaction requests sent by the users entering the blacklist) or account freezing and other processing.
Further, for the user entering the blacklist, the following processes may also be performed, which include:
when detecting that at least one service system receives a transaction request sent by a user of the identification information in the blacklist, intercepting the transaction request; feeding back a prompt message to the user of the identification information in the blacklist; and may simultaneously send status update messages to the member management system.
The prompting message comprises information for prompting to re-execute the account verification process; the state updating message is used for triggering the member management system to update the account number state of the user with the identification information in the blacklist to be unverified, so that the misjudged or stolen user can recover the account number function by re-executing the verification process.
In the method for monitoring online services provided by this embodiment, a network such as a social contact/IP address/mobile phone number/geographic information constructed by multiple data sources is used, and a user having an association relationship with the target user is queried through a feature template, so that association between fraudulent account numbers is quickly located, and thus, other suspicious high-risk users having an association with the fraudulent account numbers are reversely located through service information such as an IP address, a machine equipment fingerprint, a mobile phone number, a receiving address and the like during transaction of the target user. The suspected target can be timely and accurately locked, the corresponding warning message is sent to the monitoring platform, further batch freezing or cleaning can be adopted, real-time automatic detection is realized, account numbers which can be used for network fraud cases are limited, and therefore detection efficiency is improved, and risk of network transaction is reduced.
An embodiment of the present invention further provides a monitoring system for an online service, as shown in fig. 3, where a case analysis server in the system is configured with at least: the system comprises a data extraction module, a data analysis module and a control module;
the data extraction module is configured to query a data source according to identification information of a target user, and read service information associated with the identification information of the target user from the data source, where the identification information at least includes: the account information and/or account number code of the target user, the data source at least includes: the business information at least comprises the following components: order information, payment information and logistics information, and/or the business information at least comprises: device fingerprint information, member registration information, and member attribute information;
the data analysis module is used for inquiring users having an association relation with the target user through a characteristic template, and the characteristic template corresponds to the business system where the target user is located;
and the management and control module is used for sending an alarm aiming at the user with the incidence relation with the target user.
In this embodiment, the data extraction module is further configured to receive a case identifier sent by the monitoring platform, and read data pointed by the case identifier from the online trading platform; extracting the identification information of the target user from the data pointed by the case identification;
the data extraction module is specifically configured to: according to the identification information of the target user, reading order information, payment information and logistics information under an account number pointed by the identification information of the target user from the online trading platform; and/or reading device fingerprint information, member registration information and member attribute information under an account pointed by the identification information of the target user from the member management system according to the identification information of the target user;
the data analysis module is specifically used for determining a service system which generates service information associated with the identification information of the target user, and querying a feature template corresponding to the service system from a feature template library; extracting the feature data of the user to be identified from the identification information and the service information of the user to be identified according to the feature template; detecting whether the characteristic data of the user to be identified has a specified data part which is the same as the characteristic data of the target user, if so, determining the user which has an association relation with the target user;
wherein, the detecting whether the specified data part in the feature data of the user to be identified is the same as the feature data of the target user comprises: detecting whether the reserved name of the user to be identified is the same as that of the target user; and/or detecting whether the reserved communication number of the user to be identified is the same as that of the target user; and/or detecting whether the reserved communication address of the user to be identified is the same as that of the target user; and/or detecting whether the IP address information of the user to be identified is the same as that of the target user during registration; and/or detecting whether the time period of the registration of the user to be identified is the same as that of the target user.
In this embodiment, the management and control module is further configured to obtain, according to the identification information of the user having an association relationship with the target user, service information generated in each service system for the user having an association relationship with the target user, and send the service information to the monitoring platform; and/or adding the identification information of the user having the association relation with the target user to a blacklist.
In the online service monitoring system provided by this embodiment, through a network such as a social contact/IP address/mobile phone number/geographic information constructed by using multiple data sources, a user having an association relationship with the target user is queried through a feature template, so that association between fraudulent account numbers is quickly located, and thus, service information such as an IP address, a machine fingerprint, a mobile phone number, a receiving address and the like during transaction of the target user is used to reversely locate other suspicious high-risk users having an association with the fraudulent account numbers. The suspected target can be timely and accurately locked, the corresponding warning message is sent to the monitoring platform, further batch freezing or cleaning can be adopted, real-time automatic detection is realized, account numbers which can be used for network fraud cases are limited, and therefore detection efficiency is improved, and risk of network transaction is reduced.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to some descriptions of the method embodiment for relevant points. The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (9)
1. A method for monitoring an online service, comprising:
inquiring a data source according to identification information of a target user, and reading service information associated with the identification information of the target user from the data source, wherein the identification information at least comprises: the account information and/or account number code of the target user, the service information at least includes: order information, payment information and logistics information, and/or the business information at least comprises: device fingerprint information, member registration information, and member attribute information;
querying users having an association relation with the target user through a feature template, wherein the feature template corresponds to a service system where the target user is located;
sending an alarm aiming at the user having the association relation with the target user;
the querying users having association relation with the target user through the feature template comprises:
determining a service system which generates service information associated with the identification information of the target user, and inquiring a characteristic template corresponding to the service system from a characteristic template library;
extracting feature data of the user to be identified from the identification information and the service information of the user to be identified according to the feature template;
detecting whether the user to be identified is the user having the incidence relation with the target user or not according to the matching degree of the feature data and the feature template;
further comprising:
the method comprises the following steps of reading data pointed by case identification from an online trading platform, and extracting trading layer data and account layer data of each business system, wherein the trading layer data comprises the following steps: the system comprises transaction time information, transaction attribution distribution information, payment terminal type information and payment channel information, wherein the account layer data comprises: registering address information, registering time information, registering channel information, user type information, registering terminal distribution information and member characteristic information;
counting the information types in the transaction layer data and the account layer data according to the case involved frequency, and determining the information types pointed by the characteristic templates corresponding to the business systems;
the extracting the feature data of the user to be identified from the identification information and the service information of the user to be identified according to the feature template comprises the following steps: firstly, reading the information type pointed by the characteristic template; extracting information which accords with the pointed information type from the identification information and the service information of the user to be identified as the characteristic data of the user to be identified; wherein the pointed to information types at least include: contact information, registration address information, and registration time information; and the feature templates corresponding to different service systems point to different information types, and the case analysis server extracts the information conforming to the information types pointed by the feature templates as the feature data of the user to be identified.
2. The method of claim 1, further comprising:
receiving case identification sent by a monitoring platform, and reading data pointed by the case identification from the online trading platform;
and extracting the identification information of the target user from the data pointed by the case identification.
3. The method according to claim 1 or 2, wherein the querying a data source according to the identification information of the target user and reading the service information associated with the identification information of the target user from the data source comprises:
according to the identification information of the target user, reading order information, payment information and logistics information under an account number pointed by the identification information of the target user from the online trading platform;
and/or reading the device fingerprint information, the member registration information and the member attribute information under the account pointed by the identification information of the target user from the member management system according to the identification information of the target user.
4. The method according to claim 1, wherein the detecting whether the user to be identified is the user having the association relationship with the target user according to the matching degree of the feature data and the feature template comprises:
and detecting whether the specified data part in the feature data of the user to be identified is the same as the feature data of the target user, and if so, determining the user having the association relation with the target user.
5. The method according to claim 4, wherein the detecting whether the specified data part is the same as the feature data of the target user exists in the feature data of the user to be identified comprises:
detecting whether the reserved name of the user to be identified is the same as that of the target user;
and/or detecting whether the reserved communication number of the user to be identified is the same as that of the target user;
and/or detecting whether the reserved communication address of the user to be identified is the same as that of the target user;
and/or detecting whether the IP address information of the user to be identified is the same as that of the target user during registration;
and/or detecting whether the time period of the registration of the user to be identified is the same as that of the target user.
6. The method of claim 1, further comprising:
acquiring service information generated in each service system aiming at the user with the association relation with the target user according to the identification information of the user with the association relation with the target user, and sending the service information to a monitoring platform;
and/or adding the identification information of the user having the association relation with the target user to a blacklist.
7. The method of claim 6, further comprising:
when detecting that at least one service system receives a transaction request sent by a user of the identification information in the blacklist, intercepting the transaction request;
feeding back a prompt message to a user of the identification information in the blacklist, wherein the prompt message comprises information for prompting to re-execute the account verification process;
and sending a status update message to a member management system, wherein the status update message is used for triggering the member management system to update the account status of the user with the identification information in the blacklist to be unverified.
8. A monitoring system for on-line business, characterized in that, the case analysis server in the system is at least provided with: the system comprises a data extraction module, a data analysis module and a control module;
the data extraction module is configured to query a data source according to identification information of a target user, and read service information associated with the identification information of the target user from the data source, where the identification information at least includes: the account information and/or account number code of the target user, the service information at least includes: order information, payment information and logistics information, and/or the business information at least comprises: device fingerprint information, member registration information, and member attribute information;
the data analysis module is used for inquiring users having an association relation with the target user through a characteristic template, and the characteristic template corresponds to the business system where the target user is located;
the management and control module is used for sending an alarm for the user having the incidence relation with the target user;
the data extraction module is also used for receiving case identification sent by the monitoring platform and reading data pointed by the case identification from the online trading platform; extracting the identification information of the target user from the data pointed by the case identification;
the data extraction module is specifically configured to: according to the identification information of the target user, reading order information, payment information and logistics information under an account number pointed by the identification information of the target user from the online trading platform; and/or reading equipment fingerprint information, member registration information and member attribute information under an account pointed by the identification information of the target user from a member management system according to the identification information of the target user;
the data analysis module is specifically used for determining a service system which generates service information associated with the identification information of the target user, and querying a feature template corresponding to the service system from a feature template library; extracting the feature data of the user to be identified from the identification information and the service information of the user to be identified according to the feature template; detecting whether the characteristic data of the user to be identified has a specified data part which is the same as the characteristic data of the target user, if so, determining the user which has an association relation with the target user;
wherein, the detecting whether the specified data part in the feature data of the user to be identified is the same as the feature data of the target user comprises: detecting whether the reserved name of the user to be identified is the same as that of the target user; and/or detecting whether the reserved communication number of the user to be identified is the same as that of the target user; and/or detecting whether the reserved communication address of the user to be identified is the same as that of the target user; and/or detecting whether the IP address information of the user to be identified is the same as that of the target user during registration; and/or detecting whether the time period of the registration of the user to be identified is the same as that of the target user;
the transaction layer data and the account layer data of each business system are extracted from the data pointed by the case identification read by the online transaction platform, wherein the transaction layer data comprises the following data: the system comprises transaction time information, transaction attribution distribution information, payment terminal type information and payment channel information, wherein the account layer data comprises: registering address information, registering time information, registering channel information, user type information, registering terminal distribution information and member characteristic information; counting the information types in the transaction layer data and the account layer data according to the case involved frequency, and determining the information types pointed by the characteristic templates corresponding to the business systems;
the extracting the feature data of the user to be identified from the identification information and the service information of the user to be identified according to the feature template comprises the following steps: firstly, reading the information type pointed by the characteristic template; extracting information which accords with the pointed information type from the identification information and the service information of the user to be identified as the characteristic data of the user to be identified; wherein the pointed to information types at least include: contact information, registration address information, and registration time information; and the feature templates corresponding to different service systems point to different information types, and the case analysis server extracts the information conforming to the information types pointed by the feature templates as the feature data of the user to be identified.
9. The system according to claim 8, wherein the management and control module is further configured to obtain, according to the identification information of the user having an association relationship with the target user, service information generated in each service system for the user having an association relationship with the target user, and send the service information to the monitoring platform; and/or adding the identification information of the user having the association relation with the target user to a blacklist.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610799529.3A CN107798541B (en) | 2016-08-31 | 2016-08-31 | Monitoring method and system for online service |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610799529.3A CN107798541B (en) | 2016-08-31 | 2016-08-31 | Monitoring method and system for online service |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107798541A CN107798541A (en) | 2018-03-13 |
| CN107798541B true CN107798541B (en) | 2021-12-07 |
Family
ID=61529665
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610799529.3A Active CN107798541B (en) | 2016-08-31 | 2016-08-31 | Monitoring method and system for online service |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107798541B (en) |
Families Citing this family (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110322573A (en) * | 2018-03-30 | 2019-10-11 | 北京红马传媒文化发展有限公司 | User authentication method, user authentication device and electronic equipment |
| CN108494796A (en) * | 2018-04-11 | 2018-09-04 | 广州虎牙信息科技有限公司 | Method for managing black list, device, equipment and storage medium |
| CN109377233B (en) * | 2018-09-10 | 2021-06-04 | 创新先进技术有限公司 | Risk monitoring method and device |
| CN109600250B (en) * | 2018-09-29 | 2023-07-18 | 中国平安人寿保险股份有限公司 | Service system fault notification method, device, electronic device and storage medium |
| CN111666346A (en) * | 2019-03-06 | 2020-09-15 | 京东数字科技控股有限公司 | Information merging method, transaction query method, device, computer and storage medium |
| CN110378707B (en) * | 2019-07-24 | 2023-04-18 | 北京慧眼智行科技有限公司 | Information processing method and device |
| CN111931048B (en) * | 2020-07-31 | 2022-07-08 | 平安科技(深圳)有限公司 | Artificial intelligence-based black product account detection method and related device |
| CN112070225B (en) * | 2020-09-01 | 2023-10-10 | 多点(深圳)数字科技有限公司 | Entity card abnormal binding alarm method based on unsupervised learning |
| CN112711623A (en) * | 2020-12-22 | 2021-04-27 | 青岛海尔科技有限公司 | Data pull-through method and device, storage medium and electronic device |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1835014A (en) * | 2006-03-28 | 2006-09-20 | 阿里巴巴公司 | Method and system of monitoring on-line service risk |
| CN102194177A (en) * | 2011-05-13 | 2011-09-21 | 南京柯富锐软件科技有限公司 | System for risk control over online payment |
| WO2015120420A2 (en) * | 2014-02-07 | 2015-08-13 | Steelman Walter | Financial transaction system and method |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20110231305A1 (en) * | 2010-03-19 | 2011-09-22 | Visa U.S.A. Inc. | Systems and Methods to Identify Spending Patterns |
-
2016
- 2016-08-31 CN CN201610799529.3A patent/CN107798541B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1835014A (en) * | 2006-03-28 | 2006-09-20 | 阿里巴巴公司 | Method and system of monitoring on-line service risk |
| CN102194177A (en) * | 2011-05-13 | 2011-09-21 | 南京柯富锐软件科技有限公司 | System for risk control over online payment |
| WO2015120420A2 (en) * | 2014-02-07 | 2015-08-13 | Steelman Walter | Financial transaction system and method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107798541A (en) | 2018-03-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107798541B (en) | Monitoring method and system for online service | |
| US11301855B2 (en) | Data verification in transactions in distributed network | |
| US11783028B2 (en) | Systems and methods for detecting resources responsible for events | |
| CN109816397B (en) | Fraud discrimination method, device and storage medium | |
| US9641528B2 (en) | Systems and methods for multi-stage identity authentication | |
| US11580259B1 (en) | Identity security architecture systems and methods | |
| CN103875015A (en) | Multi-factor identity fingerprinting with user behavior | |
| US8917939B2 (en) | Verifying vendor identification and organization affiliation of an individual arriving at a threshold location | |
| CN101383028A (en) | National commodity electronic monitoring method based on EPC article networking and system thereof | |
| WO2014008247A2 (en) | Systems and methods for detecting tax refund fraud | |
| CN111666346A (en) | Information merging method, transaction query method, device, computer and storage medium | |
| CN112506925A (en) | Data retrieval system and method based on block chain | |
| CN112445870A (en) | Knowledge graph string parallel case analysis method based on mobile phone evidence obtaining electronic data | |
| US20160112369A1 (en) | System and Method for Validating a Customer Phone Number | |
| CN109544179B (en) | Operation supporting system based on important product traceability data service | |
| CN112039893B (en) | Private transaction processing method and device, electronic equipment and readable storage medium | |
| CN114840519A (en) | Data labeling method, equipment and storage medium | |
| CN109815393B (en) | Information processing method and device, computer equipment and readable storage medium | |
| US20150348209A1 (en) | Method and system for linking forensic data with purchase behavior | |
| CN110930205A (en) | Invoice data analysis method | |
| US11797997B2 (en) | Data verification in transactions in distributed network | |
| CN111447082B (en) | Determination method and device of associated account and determination method of associated data object | |
| Zang et al. | Building A Collocation Detection System Using A Wi-Fi Sensor Array for COVID-19 Contact Tracing in A University Setting | |
| CN107292628B (en) | Service implementation method and device | |
| CN116342276A (en) | Method, device and server for determining abnormal object |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: 210000, 1-5 story, Jinshan building, 8 Shanxi Road, Nanjing, Jiangsu. Applicant after: SUNING.COM Co.,Ltd. Address before: 210042 Suning Headquarters, No. 1 Suning Avenue, Xuanwu District, Nanjing City, Jiangsu Province Applicant before: SUNING COMMERCE GROUP Co.,Ltd. |
|
| CB02 | Change of applicant information | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20210802 Address after: Room 834, Yingying building, 99 Tuanjie Road, yanchuangyuan, Jiangbei new district, Nanjing, Jiangsu 210000 Applicant after: Nanjing Xingyun Digital Technology Co.,Ltd. Address before: 210000, 1-5 story, Jinshan building, 8 Shanxi Road, Nanjing, Jiangsu. Applicant before: SUNING.COM Co.,Ltd. |
|
| TA01 | Transfer of patent application right | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |