CN109120429B - Risk identification method and system - Google Patents

Risk identification method and system Download PDF

Info

Publication number
CN109120429B
CN109120429B CN201710497317.4A CN201710497317A CN109120429B CN 109120429 B CN109120429 B CN 109120429B CN 201710497317 A CN201710497317 A CN 201710497317A CN 109120429 B CN109120429 B CN 109120429B
Authority
CN
China
Prior art keywords
risk
data
algorithm
service
user terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710497317.4A
Other languages
Chinese (zh)
Other versions
CN109120429A (en
Inventor
周斌
吴礼阳
张侦
成敬业
李文海
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Xinglian Digital Technology Co.,Ltd.
Original Assignee
Nanjing Xingyun Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Xingyun Digital Technology Co Ltd filed Critical Nanjing Xingyun Digital Technology Co Ltd
Priority to CN201710497317.4A priority Critical patent/CN109120429B/en
Publication of CN109120429A publication Critical patent/CN109120429A/en
Application granted granted Critical
Publication of CN109120429B publication Critical patent/CN109120429B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/147Network analysis or design for predicting network behaviour
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4016Transaction verification involving fraud or risk level assessment in transaction processing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/50Testing arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Finance (AREA)
  • Computer Security & Cryptography (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiment of the invention discloses a risk identification method and a risk identification system, and relates to the technical field of internet. The invention comprises the following steps: when a risk identification request message is received, determining a user terminal to be detected according to the risk identification request message, and acquiring behavior data of the corresponding user terminal; requesting an algorithm system to acquire an algorithm model according to the behavior data, and requesting to call risk feature data matched with the algorithm model from a risk feature library according to the acquired algorithm model; performing risk analysis on the behavior data of the corresponding user terminal according to the algorithm model and the risk characteristic data matched with the algorithm model; and sending the result of the risk analysis to the business system. The method is suitable for risk identification in online and offline scenes.

Description

Risk identification method and system
Technical Field
The invention relates to the technical field of internet, in particular to a risk identification method and system.
Background
With the application and development of internet technology, especially the development of mobile internet technology, there are hundreds of millions of users who use internet application every day in real time, and how to control the security of various network applications and the risk of the network behavior of the users is a problem of urgent research.
The currently adopted scheme is mainly to accumulate network behavior data of a large number of users in a period of time to form black samples (e.g. abnormal network behavior data such as fraud, embezzlement and the like) and white samples (i.e. normal network behavior data); and updating the risk identification model periodically based on the black/white samples, and carrying out risk identification on the network behavior data through the risk identification model.
However, the risk identification model needs to be maintained regularly, as the latitude of the rule is relatively single, only some main risk behaviors can be identified, and for some special or suddenly-occurring network behaviors, such as online combined scenes, for example, online shopping at a store by an online payment tool, a suitable risk analysis scheme is lacked, and misjudgment often occurs.
Disclosure of Invention
The embodiment of the invention provides a risk identification method and system, and provides a risk analysis scheme in a scene with an online-offline combination.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
in a first aspect, an embodiment of the present invention provides a method, including:
when a risk identification request message is received, determining a user terminal to be detected according to the risk identification request message, and acquiring behavior data of the corresponding user terminal, wherein the behavior data of the corresponding user terminal is acquired from an appointed service link of a service system before the user terminal to be detected triggers the service system to start executing a service process when the risk identification request message is received;
requesting an algorithm system to acquire an algorithm model according to the behavior data, and requesting to retrieve risk feature data matched with the algorithm model from a risk feature library according to the acquired algorithm model, wherein the risk feature data are clustered and stored in the risk feature library, and the clustered feature label of each risk feature data corresponds to at least one algorithm model;
performing risk analysis on the behavior data of the corresponding user terminal according to the algorithm model and the risk characteristic data matched with the algorithm model;
and sending the result of the risk analysis to the business system.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the method further includes:
and receiving the risk identification request message sent by the user terminal to be detected, wherein the risk identification request message is sent by the user terminal to be detected when sending a service trigger request to the service system.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the method further includes:
and receiving the risk identification request message sent by the service system, wherein the risk identification request message is sent by the service system when receiving a service triggering request, and the service triggering request is sent to the service system by the user terminal to be detected.
With reference to the first or second possible implementation manner of the first aspect, in a third possible implementation manner, the requesting an algorithm system to obtain an algorithm model according to the behavior data includes:
determining a service scene identifier according to the behavior data;
acquiring a service scene identifier, wherein the service scene identifier comprises at least one of an identifier of the service system and an identifier of a designated service link of the service system;
and inquiring the algorithm model corresponding to the service scene identification from the algorithm system.
With reference to the first aspect, in a fourth possible implementation manner of the first aspect, the requesting an algorithm system to obtain an algorithm model according to the behavior data includes:
determining a model identifier according to the behavior data;
and sending a query request to the algorithm system according to the model identification, wherein the query request is used for the algorithm system to query the algorithm model conforming to the model identification.
With reference to the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner, the determining a model identifier according to the behavior data includes:
detecting a service system accessed when the user terminal generates the behavior data, and identifying a service link executed by the service system when the user terminal generates the behavior data;
and acquiring a system identifier corresponding to the accessed service system and a service link identifier of the executed service link, and using the system identifier and the service link identifier as the model identifier.
With reference to the first or second possible implementation manner of the first aspect, in a sixth possible implementation manner, the method further includes: when a cashier desk system receives order information corresponding to the user terminal to be detected, the order information is used as the service triggering request; the checkout counter system sends a service side risk identification request message to a detection platform before calling an online payment tool; or after the user terminal to be detected sends the order information to the cashier desk system, a user side risk identification request message is sent to the detection platform.
In a second aspect, an embodiment of the present invention provides a system, including: the system comprises a detection platform, a risk identification request message and an algorithm system, wherein the detection platform is used for determining a user terminal to be detected according to the risk identification request message when receiving the risk identification request message, acquiring behavior data of the corresponding user terminal and requesting the algorithm system to acquire an algorithm model according to the behavior data, and before the user terminal to be detected triggers the service system to start executing a service process, the behavior data of the corresponding user terminal is acquired from a designated service link of the service system when receiving the risk identification request message;
the algorithm system is used for storing an algorithm model and providing the algorithm model according to the request of the detection platform;
the detection platform is further used for requesting to call risk feature data matched with the algorithm model from a risk feature library according to the obtained algorithm model, wherein the risk feature data are clustered and stored in the risk feature library, and the feature label of each cluster of the risk feature data corresponds to at least one algorithm model;
the risk characteristic library is used for clustering and storing the risk characteristic data, and performing risk analysis on the behavior data of the corresponding user terminal according to the algorithm model and the risk characteristic data matched with the algorithm model; and sending a risk analysis result to the business system, wherein the characteristic label of each cluster of the risk characteristic data corresponds to at least one algorithm model.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the user terminal to be detected is configured to send the risk identification request message when sending a service trigger request to the service system; the detection platform is further configured to receive the risk identification request message sent by the user terminal to be detected;
or, the service system is configured to send the risk identification request message to the detection platform when receiving a service trigger request sent by the user terminal to be detected; the detection platform is further configured to receive the risk identification request message sent by the service system.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the risk feature library is specifically configured to detect a service system that is accessed when the user terminal generates the behavior data, and identify a service link that is executed by the service system when the user terminal generates the behavior data; acquiring a system identifier corresponding to the accessed service system and a service link identifier of the executed service link, and using the system identifier and the service link identifier as the model identifier;
then sending a query request to the algorithm system according to the model identification, wherein the query request is used for the algorithm system to query the algorithm model conforming to the model identification;
the algorithm system is further used for sending an algorithm updating notice to the risk feature library, wherein the algorithm updating notice comprises the type of the risk feature data matched with the updated algorithm model;
the risk characteristic library is also used for sending a data request to the big data platform, and the data request points to the business system or points to a business link of the business system;
the risk feature library is further used for generating a data request according to the feature tag, sending the data request to a big data platform, updating risk feature data according to log data sent by the big data platform through the risk feature library, and updating the feature tag of the updated risk feature data;
the big data platform is used for extracting log data of a service system or a service link to which the data request points according to the data request, cleaning the acquired log data according to a data cleaning rule, and sending the cleaned log data to the risk feature library;
the algorithm system is further configured to extract intermediate parameter sets corresponding to the algorithm models, and send the intermediate parameter sets to the big data platform, where the intermediate parameter set of one algorithm model includes intermediate parameters associated with the operation and/or training of the algorithm system;
the big data platform is further used for updating the data cleaning rule by using the intermediate parameter set.
According to the risk identification method and the risk identification system provided by the embodiment of the invention, online real-time calling deployment of the algorithm model is realized by deploying the risk feature library and the algorithm system, test version commissioning and real-time change can be deployed, online real-time modeling deployment is finally realized, and a risk analysis scheme in an online and offline combined scene is provided, so that the problem that the deployment of the risk identification model is difficult to keep up with increasing network behaviors is solved, and the cost for an operator to perform risk analysis in the background can be reduced.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1a is a schematic diagram of a system architecture according to an embodiment of the present invention;
FIG. 1b is a schematic diagram of an embodiment of the present invention;
fig. 2 is a schematic flow chart of a method according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the present invention will be described in further detail with reference to the accompanying drawings and specific embodiments. Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention. As used herein, the singular forms "a", "an", "the" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or coupled. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items. It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The method flow in this embodiment may be specifically executed on a system as shown in fig. 1a, where the system includes: the system comprises a detection platform, an algorithm system, a risk feature library, a big data platform and a user terminal. Wherein:
the detection platform may be integrated in an application server, or connected to a plurality of application servers (in practical applications, if one application server is used for operating a certain service system, the service system needs to use data related to a user in an operation process, such as account information, order information, logistics information, inventory information, and the like, and then the "service system" may be used instead of the "application server", that is, the application server is a hardware device that carries the operation of the service system), and detects behavior data sent by the user terminal obtained through the application server in real time, and the application server is mainly used for: providing a visual interface for a user terminal (where a program or APP for a merchant to perform a visualization operation is often run on the user terminal, and such a program or APP for performing a visualization operation may be referred to as a user terminal program, and in this embodiment, a user terminal running such a program or APP may also be referred to as a user terminal), for example: a merchant (i.e. a merchant residing on an e-commerce platform) accesses a certain service system (such as freight rate, timeliness, logistics orders, inventory system, customs declaration system, etc.) in the e-commerce platform system by operating a user terminal, and performs operations such as commodity inquiry, file download, report import/export, etc. through a browsing interface provided by a detection platform of the service system.
The algorithm system is specifically used for storing and updating algorithm models, and the algorithm models can be input into the algorithm system by technicians of an operator or uploaded to the algorithm system by third-party technicians through a network sharing tool.
The risk feature library is specifically used for storing risk feature data, wherein the risk feature data are clustered and stored in the risk feature library, and a feature tag of each type of risk feature data cluster corresponds to at least one algorithm model.
The big data platform is specifically used for cleaning the data collected from various application servers (or service systems) based on preset cleaning rules and clustering the data into risk characteristic data.
The detection platform, the algorithm system, the risk feature library and the big data platform disclosed in this embodiment may be specifically a service system, a workstation, a super computer, or the like on a hardware level, or a service system cluster system for data processing composed of a plurality of hardware devices.
The user terminal disclosed in this embodiment may be implemented as a single device, or integrated into various media data playing devices, such as a mobile phone, a Tablet Personal Computer (Tablet Personal Computer), a Laptop Computer (Laptop Computer), a Personal Digital Assistant (PDA), and so on.
An embodiment of the present invention provides a risk identification method, as shown in fig. 2, including:
and S1, when the risk identification request message is received, determining the user terminal to be detected according to the risk identification request message, and acquiring the behavior data of the corresponding user terminal.
And acquiring the behavior data of the corresponding user terminal from an appointed service link of the service system before the user terminal to be detected triggers the service system to start executing the service process when the risk identification request message is received. For example: the behavior data may specifically include: data generated by a user on each operation flow (or called a business link) in a business operation, such as: the data of logging in, registering, ordering, paying and the like representing user behaviors are included, and the data of time, account numbers, IDs, bank card numbers and the like, IP addresses, equipment numbers and the like representing user states are included.
The algorithm model may specifically include: at least one algorithm model (also referred to as algorithm, model, or algorithm and model), which in this embodiment can be classified according to functions, such as:
a data mining model: such as decision trees, neural networks, etc. Each model exists as a separate component. The data analysis engineer uses a decision tree algorithm or a neural network algorithm to model and generate an algorithm capable of judging whether the transaction is risky. The decision tree comprises N trees, leaf nodes of the trees are used as final results of the trees, and the algorithm carries out calculation according to the result of each tree, so that the final result of the algorithm is obtained.
And S2, requesting an algorithm system to acquire an algorithm model according to the behavior data, and requesting to retrieve risk feature data matched with the algorithm model from a risk feature library according to the acquired algorithm model.
And clustering the risk characteristic data and storing the risk characteristic data in the risk characteristic library, wherein the characteristic label of each cluster of the risk characteristic data corresponds to at least one algorithm model. For example: risk profile data refers to a generic term for data to which various types of risk label classifications are directed, including basic data, behavioral data, environmental data, statistical data, black lists, white lists, trusted devices, machine fingerprints, cattle, and the like. Such as: total amount of transactions, number of transactions, etc. by the user on the last day.
And clustering risk characteristic data and storing the risk characteristic data in the risk characteristic library, wherein the characteristic label of each cluster of the risk characteristic data corresponds to at least one algorithm model. And the risk characteristic data can be continuously updated, increased and reduced under the characteristic label of the same cluster, so that the risk characteristic data keeps dynamic updating and keeps synchronous with the updating of the algorithm model.
And S3, performing risk analysis on the behavior data of the corresponding user terminal according to the algorithm model and the risk characteristic data matched with the algorithm model.
In this embodiment, the specific manner of risk analysis may include:
before and during various business links such as payment transaction, ordering, purchasing and the like, corresponding risk rules are executed afterwards for analysis, and an engine tool for specifically executing analysis structurally comprises a feature tag, a feature tag library, an algorithm model version management, release, deployment, trial operation, measurement, business acceptance and production; the method comprises the steps of risk rule version management, release, deployment, commissioning, measurement, service acceptance and production;
the algorithm system is used as a channel of the detection platform, the detection platform calls the algorithm system to execute the called system, and the detection platform gives a corresponding algorithm name to the algorithm system. The obtained algorithm result is only one of the factors of the decision, and may further include parameters of other dimensions, for example, possible dimensions include: algorithm results, detection rules, and black lists.
And S4, sending the risk analysis result to the business system.
For example: the executing the feedback strategy to the user terminal comprises: the method comprises the steps of limiting the account number use permission of a user, freezing the account number, sending alarm information to a service system accessed by a user terminal and the like, and sending alarm information to the user terminal.
In the anti-fraud process, the behavior data are continuously collected and stored in the big data platform, the risk feature library is logically processed on the big data platform through an off-line algorithm, the risk feature library, the risk rules and the artificial intelligence algorithm components are continuously optimized along with the behavior data habits of users, and then a high-quality wind control capacity is provided outwards through a real-time wind control system in a rule and algorithm combination mode. For example: the mobile phone logs in at the abnormal use time of the user in the morning and the like, and at the moment, the algorithm can be called to detect the risk; and, in the event of sudden consumption of a high commodity, invoking an algorithm to detect risk. Because the risk characteristic data quantity required by the algorithm model is large, for example, more than 100 real data (obtained by first up and down analysis, and this data can be gradually expanded, a more accurate detection analysis model is provided for a certain transaction or other business behaviors). In this embodiment, online real-time calling deployment (existing needs) of the algorithm model is realized by deploying the risk feature library, and test versions can be deployed for commissioning and changing in real time, so that online real-time modeling deployment is finally realized. And effect data (such as intermediate parameters, result statistical data and the like) operated by the algorithm model realize backflow of the big data platform, so that a data cleaning rule of the optimized big data platform is fed back.
After knowing the service requirement, the common service system needs to modify the system code logic again, and renews the service logic in a service-off issuing mode, so that the service logic is long in period and slow in renewal; and after the service changes the demand, the artificial intelligence system can dynamically deploy new service logic in a mode of not restarting the application, can effectively shorten the development period, and can be updated quickly.
In this embodiment, the risk identification request message is sent by the to-be-detected user terminal when sending a service trigger request to the service system, and the detection platform receives the risk identification request message sent by the to-be-detected user terminal.
Or, the risk identification request message is sent by the service system when receiving a service triggering request, the service triggering request is sent to the service system by the user terminal to be detected, and the detection platform receives the risk identification request message sent by the service system.
Specifically, the requesting an algorithm system to acquire an algorithm model according to the behavior data includes:
determining a service scene identifier according to the behavior data; and acquiring a service scene identifier, and inquiring an algorithm model corresponding to the service scene identifier from the algorithm system.
The service scene identifier includes at least one of an identifier of the service system and an identifier of a designated service link of the service system.
For example, when a cashier desk system receives order information corresponding to the user terminal to be detected, the order information is used as the service triggering request; the checkout counter system sends a service side risk identification request message to a detection platform before calling an online payment tool; or after the user terminal to be detected sends the order information to the cashier desk system, a user side risk identification request message is sent to the detection platform. Specifically, the cashier desk sends a consultation request to the detection platform before calling the online payment tool to perform anti-fraud risk consultation, and the detection platform calls the underlying artificial intelligence algorithm system to request to acquire the algorithm model.
The detection platform (also called as a detection system) is used as a platform for judging the risk of the payment transaction, and the risk rule is executed to judge whether the order has the risk in the links of ordering and payment of the user. The detection platform acquires related data including order data; wherein, the event center (EPC) collects user behavior (logging in, registering, password modifying, real-time geographic position, time, PC behavior data, APP behavior data, commodity purchasing, payment request amount, consumption record and the like) from each service system and then counts the data; and acquiring processing data from the big data platform and the real-time data processing platform.
The algorithm system detects the service behavior data and the risk characteristic data provided by the platform, calculates a corresponding intelligent algorithm and returns a risk decision result to the cashier to judge whether the transaction is a fraud transaction. And calling risk characteristic data according to the algorithm model request.
And classifying the risk characteristic data in the risk characteristic library according to a preset rule and marking a relevant label.
The big data platform acquires platform data from each dimension, cleans and trains the data, and writes the cleaned data into a risk feature library; meanwhile, the big data offline processing platform can collect more data of internal, external and multi-latitude, and processes the data to form a special risk characteristic library for the payment tool.
For example: a user purchases a household appliance in a store and submits payment to a cashier of the store;
inputting a password of a personal account number on a user terminal (such as a smart phone of a user), sending the password of the personal account number to a background system (namely a service system bearing a payment function) of a cash register by the smart phone, and starting to call a detection platform; the detection platform obtains an algorithm name according to the received request and the service scene, sends the algorithm name and payment order data and calls an algorithm system; the algorithm system receives a detection platform calling request, obtains an algorithm name and payment order data and starts to call the algorithm; acquiring specific risk characteristics from a risk characteristic library according to the risk characteristics required to be used in the algorithm; after the risk characteristics are obtained, an algorithm is formally called; obtaining an algorithm execution result and returning to the detection platform; the detection platform judges whether the transaction has risks according to the algorithm result; and the detection platform judges the transaction risk and returns the judgment result to the background systems of the user equipment and the cashier desk.
According to the risk identification method provided by the embodiment of the invention, online real-time calling deployment of the algorithm model is realized by deploying the risk feature library and the algorithm system, test operation of the test version can be deployed and real-time change can be realized, online real-time modeling deployment is finally realized, and a risk analysis scheme in a scene combined online and offline is provided, so that the problem that the deployment of the risk identification model is difficult to keep up with increasing network behaviors is solved, and the cost of risk analysis performed by an operator in the background can be reduced.
In this embodiment, the requesting an algorithm system to obtain an algorithm model according to the behavior data includes: and determining a model identifier according to the behavior data, and sending a query request to the algorithm system according to the model identifier.
Specifically, the determining a model identifier according to the behavior data includes:
detecting a service system accessed when the user terminal generates the behavior data, and identifying a service link executed by the service system when the user terminal generates the behavior data;
and acquiring a system identifier corresponding to the accessed service system and a service link identifier of the executed service link, and using the system identifier and the service link identifier as the model identifier.
Wherein the query request is used for the algorithm system to query the algorithm model conforming to the model identification.
When the underlying algorithm is updated, the algorithm often needs to be re-modeled by an algorithm engineer based on the new risk. If a new risk profile is used for the new modeling, the corresponding risk profile data is also updated. The embodiment further provides a method for updating synchronous update risk features based on an algorithm, which specifically includes: the algorithm system sends an algorithm updating notice to the risk feature library, wherein the algorithm updating notice comprises the type of the risk feature data matched with the updated algorithm model;
and the risk feature library sends a data request to the big data platform, wherein the data request points to a service system or a service link of the service system.
Further, the method also comprises the following steps:
the risk feature library generates a data request according to the feature tag and sends the data request to a big data platform;
the big data platform extracts log data of a service system or a service link to which the data request points according to the data request, performs data cleaning on the obtained log data according to a data cleaning rule, and sends the cleaned log data to the risk feature library;
and the risk feature library updates risk feature data according to the log data sent by the big data platform, and updates the feature label of the updated risk feature data.
The risk characteristic data is the result obtained by calculation, the calculation is based on original basic data and the like, the value of the risk characteristic is obtained by calculation, and the cleaning rule is used for screening the basic data. In this embodiment, a specific way for improving the cleaning rule of the big data platform is further provided:
the algorithm system extracts the intermediate parameter sets corresponding to the algorithm models and sends the intermediate parameter sets to the big data platform, wherein the intermediate parameter sets of one algorithm model comprise intermediate parameters related to the algorithm system in operation and/or training of the algorithm model;
and the big data platform updates the data cleaning rule by using the intermediate parameter set.
In practical applications, a technician (e.g., an algorithm engineer) is often required to design an algorithm based on the maintenance needs of the current business system. And after the algorithm is designed, the algorithm effect is tested by deploying the algorithm to a corresponding system in an off-line mode, and after enough test data is collected, the algorithm is debugged again in the off-line mode. Due to the evolution of external fraud means and technology, the imperfection of wind control data, the rapid development of new services and the limitation of the existing anti-fraud system, the off-line design and debugging of the algorithm model are difficult to meet the development of new services in time. Therefore, partial user payment experience is influenced, wind control manual auditing cost is finally brought, and the prior risk behaviors cannot be effectively intercepted.
At present, wind control systems in the same industry mainly adopt artificial intelligence schemes. At present, the wind control engine of artificial intelligence is only applied to risk control of the whole process of fraud risk, such as account, transaction and cattle; in the future, the risk control of the whole flow and the whole scene can be established by applying the credit risk and other wind control related fields and scenes.
In the anti-fraud process, behavior data are continuously collected and stored in a big data platform, a risk feature library is processed on the big data platform through an off-line algorithm logic, the risk feature library, risk rules and artificial intelligence algorithm components are continuously optimized along with behavior data habits of users, and then a high-quality wind control capability is provided outwards through a real-time wind control system in a rule and algorithm combination mode. For example: the mobile phone logs in at the abnormal use time of the user in the morning and the like, and at the moment, the algorithm can be called to detect the risk; and, in the event of sudden consumption of a high commodity, invoking an algorithm to detect risk. Because the risk characteristic data quantity required by the algorithm model is large, for example, more than 100 real data (obtained by first up and down analysis, and this data can be gradually expanded, a more accurate detection analysis model is provided for a certain transaction or other business behaviors). In this embodiment, online real-time calling deployment (existing needs) of the algorithm model is realized by deploying the risk feature library, and test versions can be deployed for commissioning and changing in real time, so that online real-time modeling deployment is finally realized. And effect data (such as intermediate parameters, result statistical data and the like) operated by the algorithm model realize backflow of the big data platform, so that a data cleaning rule of the optimized big data platform is fed back.
After knowing the service requirement, the common service system needs to modify the system code logic again, and renews the service logic in a service-off issuing mode, so that the service logic is long in period and slow in renewal; and after the service changes the demand, the artificial intelligence system can dynamically deploy new service logic in a mode of not restarting the application, can effectively shorten the development period, and can be updated quickly.
An embodiment of the present invention further provides a system as shown in fig. 1a, where reference may be made to fig. 1b for an interaction process between each end in the system, where the system includes:
the system comprises a detection platform, a risk identification request message and an algorithm system, wherein the detection platform is used for determining a user terminal to be detected according to the risk identification request message when receiving the risk identification request message, acquiring behavior data of the corresponding user terminal and requesting the algorithm system to acquire an algorithm model according to the behavior data, and before the user terminal to be detected triggers the service system to start executing a service process, the behavior data of the corresponding user terminal is acquired from a designated service link of the service system when receiving the risk identification request message;
the algorithm system is used for storing an algorithm model and providing the algorithm model according to the request of the detection platform;
the detection platform is further used for requesting to call risk feature data matched with the algorithm model from a risk feature library according to the obtained algorithm model, wherein the risk feature data are clustered and stored in the risk feature library, and the feature label of each cluster of the risk feature data corresponds to at least one algorithm model;
the risk characteristic library is used for clustering and storing the risk characteristic data, and performing risk analysis on the behavior data of the corresponding user terminal according to the algorithm model and the risk characteristic data matched with the algorithm model; and sending a risk analysis result to the business system, wherein the characteristic label of each cluster of the risk characteristic data corresponds to at least one algorithm model.
The user terminal to be detected is used for sending the risk identification request message when sending a service triggering request to the service system; the detection platform is further configured to receive the risk identification request message sent by the user terminal to be detected;
or, the service system is configured to send the risk identification request message to the detection platform when receiving a service trigger request sent by the user terminal to be detected; the detection platform is further configured to receive the risk identification request message sent by the service system.
Specifically, the risk feature library is specifically configured to detect a service system accessed when the user terminal generates the behavior data, and identify a service link executed by the service system when the user terminal generates the behavior data; acquiring a system identifier corresponding to the accessed service system and a service link identifier of the executed service link, and using the system identifier and the service link identifier as the model identifier;
then sending a query request to the algorithm system according to the model identification, wherein the query request is used for the algorithm system to query the algorithm model conforming to the model identification;
the algorithm system is further used for sending an algorithm updating notice to the risk feature library, wherein the algorithm updating notice comprises the type of the risk feature data matched with the updated algorithm model;
the risk characteristic library is also used for sending a data request to the big data platform, and the data request points to the business system or points to a business link of the business system;
the risk feature library is further used for generating a data request according to the feature tag, sending the data request to a big data platform, updating risk feature data according to log data sent by the big data platform through the risk feature library, and updating the feature tag of the updated risk feature data;
the big data platform is used for extracting log data of a service system or a service link to which the data request points according to the data request, cleaning the acquired log data according to a data cleaning rule, and sending the cleaned log data to the risk feature library;
the algorithm system is further configured to extract intermediate parameter sets corresponding to the algorithm models, and send the intermediate parameter sets to the big data platform, where the intermediate parameter set of one algorithm model includes intermediate parameters associated with the operation and/or training of the algorithm system;
the big data platform is further used for updating the data cleaning rule by using the intermediate parameter set.
In practical applications, a technician (e.g., an algorithm engineer) is often required to design an algorithm based on the maintenance needs of the current business system. And after the algorithm is designed, the algorithm effect is tested by deploying the algorithm to a corresponding system in an off-line mode, and after enough test data is collected, the algorithm is debugged again in the off-line mode. Due to the evolution of external fraud means and technology, the imperfection of wind control data, the rapid development of new services and the limitation of the existing anti-fraud system, the off-line design and debugging of the algorithm model are difficult to meet the development of new services in time. Therefore, partial user payment experience is influenced, wind control manual auditing cost is finally brought, and the prior risk behaviors cannot be effectively intercepted.
At present, wind control systems in the same industry mainly adopt artificial intelligence schemes. At present, the wind control engine of artificial intelligence is only applied to risk control of the whole process of fraud risk, such as account, transaction and cattle; in the future, the risk control of the whole flow and the whole scene can be established by applying the credit risk and other wind control related fields and scenes.
In the anti-fraud process, behavior data are continuously collected and stored in a big data platform, a risk feature library is processed on the big data platform through an off-line algorithm logic, the risk feature library, risk rules and artificial intelligence algorithm components are continuously optimized along with behavior data habits of users, and then a high-quality wind control capability is provided outwards through a real-time wind control system in a rule and algorithm combination mode. For example: the mobile phone logs in at the abnormal use time of the user in the morning and the like, and at the moment, the algorithm can be called to detect the risk; and, in the event of sudden consumption of a high commodity, invoking an algorithm to detect risk. Because the risk characteristic data quantity required by the algorithm model is large, for example, more than 100 real data (obtained by first up and down analysis, and this data can be gradually expanded, a more accurate detection analysis model is provided for a certain transaction or other business behaviors). In this embodiment, online real-time calling deployment (existing needs) of the algorithm model is realized by deploying the risk feature library, and test versions can be deployed for commissioning and changing in real time, so that online real-time modeling deployment is finally realized. And effect data (such as intermediate parameters, result statistical data and the like) operated by the algorithm model realize backflow of the big data platform, so that a data cleaning rule of the optimized big data platform is fed back.
After knowing the service requirement, the common service system needs to modify the system code logic again, and renews the service logic in a service-off issuing mode, so that the service logic is long in period and slow in renewal; and after the service changes the demand, the artificial intelligence system can dynamically deploy new service logic in a mode of not restarting the application, can effectively shorten the development period, and can be updated quickly.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to some descriptions of the method embodiment for relevant points. The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (2)

1. A method for risk identification, comprising:
when a risk identification request message is received, determining a user terminal to be detected according to the risk identification request message, and acquiring behavior data of the corresponding user terminal, wherein the behavior data of the corresponding user terminal is acquired from an appointed service link of a service system before the user terminal to be detected triggers the service system to start executing a service process when the risk identification request message is received;
requesting an algorithm system to acquire an algorithm model according to the behavior data, and requesting to retrieve risk feature data matched with the algorithm model from a risk feature library according to the acquired algorithm model, wherein the risk feature data are clustered and stored in the risk feature library, and the clustered feature label of each risk feature data corresponds to at least one algorithm model;
performing risk analysis on the behavior data of the corresponding user terminal according to the algorithm model and the risk characteristic data matched with the algorithm model;
sending a result of the risk analysis to the business system;
the requesting an algorithm system to acquire an algorithm model according to the behavior data comprises: determining a model identifier according to the behavior data; sending a query request to the algorithm system according to the model identification, wherein the query request is used for the algorithm system to query the algorithm model conforming to the model identification;
the determining a model identification from the behavioral data includes: detecting a service system accessed when the user terminal generates the behavior data, and identifying a service link executed by the service system when the user terminal generates the behavior data; acquiring a system identifier corresponding to the accessed service system and a service link identifier of the executed service link, and using the system identifier and the service link identifier as the model identifier;
the risk analysis comprises the steps of executing risk rules to analyze before, in and after the business link;
further comprising:
receiving the risk identification request message sent by the user terminal to be detected, wherein the risk identification request message is sent by the user terminal to be detected when sending a service triggering request to the service system;
further comprising:
receiving the risk identification request message sent by the service system, wherein the risk identification request message is sent by the service system when receiving a service triggering request, and the service triggering request is sent to the service system by the user terminal to be detected;
the requesting for obtaining the algorithm model from the algorithm system according to the behavior data comprises the following steps:
determining a service scene identifier according to the behavior data;
acquiring a service scene identifier, wherein the service scene identifier comprises at least one of an identifier of the service system and an identifier of a designated service link of the service system;
inquiring an algorithm model corresponding to the service scene identification from the algorithm system;
further comprising:
when a cashier desk system receives order information corresponding to the user terminal to be detected, the order information is used as the service triggering request;
the checkout counter system sends a service side risk identification request message to a detection platform before calling an online payment tool;
or after the user terminal to be detected sends the order information to the cashier desk system, a user side risk identification request message is sent to the detection platform.
2. A risk identification system, comprising:
the system comprises a detection platform, a risk identification request message and an algorithm system, wherein the detection platform is used for determining a user terminal to be detected according to the risk identification request message when receiving the risk identification request message, acquiring behavior data of the corresponding user terminal and requesting the algorithm system to acquire an algorithm model according to the behavior data, and before the user terminal to be detected triggers the service system to start executing a service process, the behavior data of the corresponding user terminal is acquired from a designated service link of the service system when receiving the risk identification request message;
the algorithm system is used for storing an algorithm model and providing the algorithm model according to the request of the detection platform;
the detection platform is further used for requesting to call risk feature data matched with the algorithm model from a risk feature library according to the obtained algorithm model, wherein the risk feature data are clustered and stored in the risk feature library, and the feature label of each cluster of the risk feature data corresponds to at least one algorithm model;
the risk characteristic library is used for clustering and storing the risk characteristic data, and performing risk analysis on the behavior data of the corresponding user terminal according to the algorithm model and the risk characteristic data matched with the algorithm model; sending a risk analysis result to the business system, wherein the characteristic label of each risk characteristic data cluster corresponds to at least one algorithm model;
the risk feature library is specifically used for detecting a service system accessed when the user terminal generates the behavior data, and identifying a service link executed by the service system when the user terminal generates the behavior data; acquiring a system identifier corresponding to the accessed service system and a service link identifier of the executed service link, and using the system identifier and the service link identifier as the model identifier;
then sending a query request to the algorithm system according to the model identification, wherein the query request is used for the algorithm system to query the algorithm model conforming to the model identification;
the algorithm system is further used for sending an algorithm updating notice to the risk feature library, wherein the algorithm updating notice comprises the type of the risk feature data matched with the updated algorithm model;
the risk characteristic library is also used for sending a data request to the big data platform, and the data request points to the business system or points to a business link of the business system;
the risk feature library is further used for generating a data request according to the feature tag, sending the data request to a big data platform, updating risk feature data according to log data sent by the big data platform through the risk feature library, and updating the feature tag of the updated risk feature data;
the big data platform is used for extracting log data of a service system or a service link to which the data request points according to the data request, cleaning the acquired log data according to a data cleaning rule, and sending the cleaned log data to the risk feature library;
the algorithm system is further configured to extract intermediate parameter sets corresponding to the algorithm models, and send the intermediate parameter sets to the big data platform, where the intermediate parameter set of one algorithm model includes intermediate parameters associated with the operation and/or training of the algorithm system;
the big data platform is further used for updating the data cleaning rule by using the intermediate parameter set;
the risk analysis comprises the steps of executing risk rules to analyze before, in and after the business link;
the user terminal to be detected is used for sending the risk identification request message when sending a service triggering request to the service system; the detection platform is further configured to receive the risk identification request message sent by the user terminal to be detected;
or, the service system is configured to send the risk identification request message to the detection platform when receiving a service trigger request sent by the user terminal to be detected; the detection platform is further configured to receive the risk identification request message sent by the service system.
CN201710497317.4A 2017-06-26 2017-06-26 Risk identification method and system Active CN109120429B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710497317.4A CN109120429B (en) 2017-06-26 2017-06-26 Risk identification method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710497317.4A CN109120429B (en) 2017-06-26 2017-06-26 Risk identification method and system

Publications (2)

Publication Number Publication Date
CN109120429A CN109120429A (en) 2019-01-01
CN109120429B true CN109120429B (en) 2022-04-15

Family

ID=64822585

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710497317.4A Active CN109120429B (en) 2017-06-26 2017-06-26 Risk identification method and system

Country Status (1)

Country Link
CN (1) CN109120429B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109741065A (en) * 2019-01-28 2019-05-10 广州虎牙信息科技有限公司 A kind of payment risk recognition methods, device, equipment and storage medium
CN110147997A (en) * 2019-04-16 2019-08-20 深圳壹账通智能科技有限公司 Data processing method, device, equipment and storage medium
CN110543506B (en) * 2019-09-10 2022-09-09 百度在线网络技术(北京)有限公司 Data analysis method and device, electronic equipment and storage medium
CN110827032B (en) * 2019-09-26 2021-08-03 支付宝(杭州)信息技术有限公司 Intelligent wind control decision method and system and service processing method and system
CN111275348A (en) * 2020-02-05 2020-06-12 张�浩 Electronic order information processing method, server and electronic order information processing system
CN111325557B (en) * 2020-02-25 2022-04-29 支付宝(杭州)信息技术有限公司 Detection method, device and equipment for merchant risk
CN112734177B (en) * 2020-12-28 2023-07-21 四川新网银行股份有限公司 Wind control method for intelligent diversion automatic decision
CN112766977B (en) * 2021-01-27 2022-06-28 支付宝(杭州)信息技术有限公司 Risk identification method, device and system
CN113570468A (en) * 2021-07-06 2021-10-29 猪八戒股份有限公司 Enterprise payment wind control service platform
CN114119037B (en) * 2022-01-24 2022-05-17 深圳尚米网络技术有限公司 Marketing anti-cheating system based on big data

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104392381A (en) * 2014-10-29 2015-03-04 中国建设银行股份有限公司 Risk monitoring method of transaction data and system thereof
CN104408610A (en) * 2014-12-03 2015-03-11 苏州贝多环保技术有限公司 Third-party payment platform business processing method based on risk assessment
CN105556552A (en) * 2013-03-13 2016-05-04 加迪安分析有限公司 Fraud detection and analysis
CN105590158A (en) * 2014-12-30 2016-05-18 中国银联股份有限公司 Transaction risk real-time control system
CN105989441A (en) * 2015-02-11 2016-10-05 阿里巴巴集团控股有限公司 Model parameter adjustment method and device
CN106067088A (en) * 2016-05-30 2016-11-02 中国邮政储蓄银行股份有限公司 E-bank accesses detection method and the device of behavior
CN106815754A (en) * 2015-12-02 2017-06-09 阿里巴巴集团控股有限公司 The charging method and air control system server of a kind of risk control system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2766029C (en) * 2011-01-28 2018-08-07 Janet Smith Method and system for determining fraud in a card-not-present transaction
KR101509131B1 (en) * 2013-03-19 2015-04-08 주식회사 다나와 Method for providing evaluation of online seller
US10402792B2 (en) * 2015-08-13 2019-09-03 The Toronto-Dominion Bank Systems and method for tracking enterprise events using hybrid public-private blockchain ledgers

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105556552A (en) * 2013-03-13 2016-05-04 加迪安分析有限公司 Fraud detection and analysis
CN104392381A (en) * 2014-10-29 2015-03-04 中国建设银行股份有限公司 Risk monitoring method of transaction data and system thereof
CN104408610A (en) * 2014-12-03 2015-03-11 苏州贝多环保技术有限公司 Third-party payment platform business processing method based on risk assessment
CN105590158A (en) * 2014-12-30 2016-05-18 中国银联股份有限公司 Transaction risk real-time control system
CN105989441A (en) * 2015-02-11 2016-10-05 阿里巴巴集团控股有限公司 Model parameter adjustment method and device
CN106815754A (en) * 2015-12-02 2017-06-09 阿里巴巴集团控股有限公司 The charging method and air control system server of a kind of risk control system
CN106067088A (en) * 2016-05-30 2016-11-02 中国邮政储蓄银行股份有限公司 E-bank accesses detection method and the device of behavior

Also Published As

Publication number Publication date
CN109120429A (en) 2019-01-01

Similar Documents

Publication Publication Date Title
CN109120429B (en) Risk identification method and system
CN109120428B (en) Method and system for wind control analysis
CN112559361A (en) Flow playback method, device, equipment and computer readable medium
CN110442712B (en) Risk determination method, risk determination device, server and text examination system
CN106656536A (en) Method and device for processing service invocation information
US20170109636A1 (en) Crowd-Based Model for Identifying Executions of a Business Process
CN110866820A (en) Real-time monitoring system, method, equipment and storage medium for banking business
CN103294592A (en) Leveraging user-to-tool interactions to automatically analyze defects in it services delivery
US20170109639A1 (en) General Model for Linking Between Nonconsecutively Performed Steps in Business Processes
CN115511501A (en) Data processing method, computer equipment and readable storage medium
CN112733045B (en) User behavior analysis method and device and electronic equipment
CN112330355B (en) Method, device, equipment and storage medium for processing consumption coupon transaction data
CN117971606B (en) Log management system and method based on elastic search
CN112650688A (en) Automated regression testing method, associated device and computer program product
CN113780329A (en) Method, apparatus, server and medium for identifying data anomalies
CN112561565A (en) User demand identification method based on behavior log
CN111371581A (en) Method, device, equipment and medium for detecting business abnormity of Internet of things card
CN111797942A (en) User information classification method and device, computer equipment and storage medium
Rajan Integrating iot analytics into marketing decision making: A smart data-driven approach
CN112347457A (en) Abnormal account detection method and device, computer equipment and storage medium
CA3128563A1 (en) Commodity information pushing method, device and system
US20170109670A1 (en) Crowd-Based Patterns for Identifying Executions of Business Processes
CN113918534A (en) Policy processing system and method
CN114723554B (en) Abnormal account identification method and device
CN113254781A (en) Model determination method and device in recommendation system, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: 210000, 1-5 story, Jinshan building, 8 Shanxi Road, Nanjing, Jiangsu.

Applicant after: SUNING.COM Co.,Ltd.

Address before: 210042 Suning Headquarters, No. 1 Suning Avenue, Xuanwu District, Nanjing City, Jiangsu Province

Applicant before: SUNING COMMERCE GROUP Co.,Ltd.

TA01 Transfer of patent application right
TA01 Transfer of patent application right

Effective date of registration: 20210728

Address after: Room 834, Yingying building, 99 Tuanjie Road, yanchuangyuan, Jiangbei new district, Nanjing, Jiangsu 210000

Applicant after: Nanjing Xingyun Digital Technology Co.,Ltd.

Address before: 210000, 1-5 story, Jinshan building, 8 Shanxi Road, Nanjing, Jiangsu.

Applicant before: SUNING.COM Co.,Ltd.

GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20230302

Address after: 210000 building 4, No.5 Hengsheng Road, economic development zone, Gaochun District, Nanjing City, Jiangsu Province

Patentee after: Nanjing Xinglian Digital Technology Co.,Ltd.

Address before: Room 834, Yingying building, 99 Tuanjie Road, yanchuangyuan, Jiangbei new district, Nanjing, Jiangsu 210000

Patentee before: Nanjing Xingyun Digital Technology Co.,Ltd.