CN110232630A - The recognition methods of malice account, device and storage medium - Google Patents
The recognition methods of malice account, device and storage medium Download PDFInfo
- Publication number
- CN110232630A CN110232630A CN201910455922.4A CN201910455922A CN110232630A CN 110232630 A CN110232630 A CN 110232630A CN 201910455922 A CN201910455922 A CN 201910455922A CN 110232630 A CN110232630 A CN 110232630A
- Authority
- CN
- China
- Prior art keywords
- account
- node
- feature
- diagnostic
- malice
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q40/00—Finance; Insurance; Tax strategies; Processing of corporate or income taxes
- G06Q40/03—Credit; Loans; Processing thereof
Abstract
The embodiment of the present application discloses a kind of malice account recognition methods, device and storage medium, and wherein the recognition methods of malice account includes: to obtain the account use information and device using information of target account under different time points;Feature extraction is carried out to account use information and device using information, obtains multiple account node diagnostics and multiple equipment node diagnostic;The node incidence relation between multiple account node diagnostics and multiple equipment node diagnostic is constructed sequentially in time;Based on node incidence relation, node diagnostic sampling is carried out centered on the account node diagnostic that the sampling of target account under specified time point obtains, obtains associated nodes feature;The account node diagnostic and associated nodes feature obtained according to sampling, whether identification target account is malice account.Application scheme can identify in time malice account, and effectively promote the recognition accuracy of malice account using the surrounding neighbours node diagnostic identification malice account that time circulation bring timing information and sampling obtain.
Description
Technical field
This application involves technical field of information processing, and in particular to a kind of malice account recognition methods, device and storage are situated between
Matter.
Background technique
With the rise of internet and the development of mobile communications network, telecommunication fraud is becoming increasingly rampant.
After obtained by swindled, swindle user would generally will swindle resulting case-involving fund and pass through finance account incoming flow
Turn.If the finance account for the case-involving fund that circulates can be identified in time, and freezed in time, it is possible to recover use of being deceived
The loss at family.In the related technology, it is often deceived after user reports a case to the security authorities and handles.Swindle user is successfully by case-involving money at this time
Gold circulation, is difficult to the user that is deceived and retrieves property loss.
Summary of the invention
The embodiment of the present application provides a kind of malice account recognition methods, device and storage medium, can effectively promote malice account
Family recognition efficiency.
The embodiment of the present application provides a kind of malice account recognition methods, comprising:
Obtain the account use information and device using information of target account under different time points, the account use information
Include at least: the use information of described target account itself, the device using information include at least: the logged target account
The use information of the equipment at family;
Feature extraction is carried out to the account use information and device using information, obtains multiple account node diagnostics and more
A device node feature;
The node between the multiple account node diagnostic and the multiple device node feature is constructed sequentially in time
Incidence relation;
The account node diagnostic of the target account is sampled, and association section is obtained based on the node incidence relation
Point feature, the associated nodes feature include: with it is described sample the obtained associated device node feature of account node diagnostic and/
Or account node diagnostic;
Obtained account node diagnostic and the associated nodes feature are sampled according to described, whether identifies the target account
For malice account.
Correspondingly, the embodiment of the present application also provides a kind of malice account identification devices, comprising:
Acquiring unit, for obtaining the account use information and device using information of target account under different time points, institute
State account use information to include at least: the use information of described target account itself, the device using information include at least: stepping on
Recorded the use information of the equipment of the target account;
Extraction unit obtains multiple accounts for carrying out feature extraction to the account use information and device using information
Family node diagnostic and multiple equipment node diagnostic;
Construction unit, it is special for constructing the multiple account node diagnostic and the multiple device node sequentially in time
Node incidence relation between sign;
Sampling unit is sampled for the account node diagnostic to the target account, and is associated with based on the node
Relation acquisition associated nodes feature, the associated nodes feature include: and described to sample obtained account node diagnostic associated
Device node feature and/or account node diagnostic;
Recognition unit identifies institute for sampling obtained account node diagnostic and the associated nodes feature according to described
State whether target account is malice account.
Correspondingly, the storage medium is stored with a plurality of instruction, institute the embodiment of the present application also provides a kind of storage medium
It states instruction to be loaded suitable for processor, to execute the step in malice account recognition methods as described above.
Account node in account use information and device using information of the application scheme by extracting target account is special
It seeks peace device node feature, and the node between chronologically-based building account node diagnostic and device node feature is associated with
System identifies malice account using the surrounding neighbours node diagnostic that time circulation bring timing information and sampling obtain, can be timely
It identifies malice account, and effectively promotes the recognition accuracy of malice account.
Detailed description of the invention
In order to more clearly explain the technical solutions in the embodiments of the present application, make required in being described below to embodiment
Attached drawing is briefly described, it should be apparent that, the drawings in the following description are only some examples of the present application, for
For those skilled in the art, without creative efforts, it can also be obtained according to these attached drawings other attached
Figure.
Fig. 1 is a flow diagram of malice account recognition methods provided by the embodiments of the present application.
Fig. 2 is the schematic diagram of account usage behavior provided by the embodiments of the present application.
Fig. 3 is another flow diagram of malice account recognition methods provided by the embodiments of the present application.
Fig. 4 is the heterogeneous schematic diagram of timing provided by the embodiments of the present application.
Fig. 5 is sampled result schematic diagram provided by the embodiments of the present application.
Fig. 6 is the application scenario diagram of malice account recognition methods provided by the embodiments of the present application.
Fig. 7 is the system architecture schematic diagram of malice account recognition methods provided by the embodiments of the present application.
Fig. 8 is the structural schematic diagram of malice account identification device provided by the embodiments of the present application.
Fig. 9 is the structural schematic diagram of terminal provided by the embodiments of the present application.
Specific embodiment
Below in conjunction with the attached drawing in the embodiment of the present application, technical solutions in the embodiments of the present application carries out clear, complete
Site preparation description, it is clear that described embodiments are only a part of embodiments of the present application, instead of all the embodiments.It is based on
Embodiment in the application, those skilled in the art's every other implementation obtained without creative efforts
Example, shall fall in the protection scope of this application.
Based on the above issues, the embodiment of the present application provides a kind of malice account recognition methods, device and storage medium, can and
When identify malice account, and effectively promote the recognition accuracy of malice account.It is described in detail separately below.It should be noted
It is that the sequence of following embodiment is not as the restriction to embodiment preferred sequence.
In one embodiment, it will be described with the integrated angle in the server of the first malice account identification device.
Referring to Fig. 1, Fig. 1 is a kind of flow diagram of malice account recognition methods provided by the embodiments of the present application.It should
The detailed process of malice account recognition methods can be such that
101, the account use information and device using information of target account under different time points are obtained, wherein account makes
Included at least with information: the use information of target account itself, device using information include at least: logged target account is set
Standby use information.
Wherein, which can be used for storing virtual resource.The target account can be by turn of virtual resource in this account
Other accounts are moved to, also can receive the virtual resource of other accounts transfer.In the embodiment of the present application, which can be
Finance account (such as bank card account) can be used for the storage and transfer of fund.
In the embodiment of the present application, time point specifically can be a period.For example, the time point can be one small
When, one day, one week etc..
By taking bank card account as an example, during circulating after bank card opens card, whether each link can verify bank card
It can use, and usage behavior record can be left.Therefore, there are close ties before and after bank card account usage behavior.There is base
In this, in application scheme by analysis bank card account usage behavior (the account use information of i.e. above-mentioned target account and
Device using information) determine whether it is malice account.
Wherein, usage behavior may include usage behavior of the target account in equipment, such as logon account, check remaining sum,
Resource transfers, operation of trading, exit account etc..For the ease of record, different operations can be carried out in the embodiment of the present application
Coding, the corresponding different number of different operations.Wherein, number can be letter, number or other characters with identification
Deng.
For example, with reference to Fig. 2, it is assumed that a series of usage behavior is successively are as follows: logon account checks remaining sum, resource transfers, friendship
Easily, account is exited, if indicating that logon account, " N3 " expression check that remaining sum, " N4 " indicate that resource transfers, " N5 " indicate to hand over " N1 "
Easily, account is exited in " N31 " expression, then usage behavior sequence can be obtained are as follows: N1_N3_N4_N5_N31.
In the embodiment of the present application, the account usage behavior of acquisition, can refer to the following table 1:
Table 1
| Time | Account | Equipment | Usage behavior |
| 2019-01-05 10:08:32 | Account A | Equipment 1 | Behavior sequence 1 (N1_N31) |
| 2019-01-05 10:48:13 | Account B | Equipment 1 | Behavior sequence 2 (N1_N31) |
| 2019-01-15 14:13:22 | Account A | Equipment 2 | Behavior sequence 3 (N1_N31) |
| 2019-01-15 14:23:18 | Account B | Equipment 2 | Behavior sequence 4 (N1_N31) |
| 2019-01-20 10:30:05 | Account A | Equipment 3 | Behavior sequence 5 (N1_N3_N4_N4_N4_N31) |
| 2019-01-25 11:03:48 | Account B | Equipment 4 | Behavior sequence 6 (N1_N3_N4_N4_N4_N4_N31) |
| …… | …… | …… | …… |
Wherein, the use information of target account itself may include access times, using duration, most-often used behavior etc..
Device using information may include access times, using duration, logged account quantity etc..
102, feature extraction is carried out to account use information and device using information, obtains multiple account node diagnostics and more
A device node feature.
Specifically, for the different type Node extraction correlated characteristic in account usage behavior data.In some embodiments
In, the use information of target account itself includes at least: the facility information that target account logs under different time points;Login is looked over so as to check
The use information for marking the equipment of account includes at least: other logged account informations of the equipment under different time points.With reference to figure
3, step " carries out feature extraction to account use information and device using information, obtains multiple account node diagnostics and multiple set
Slave node feature ", it may include following below scheme:
1021, feature extraction is carried out to the facility information that target account under different time points logs in, obtains target account
Multiple account node diagnostics and multiple equipment node diagnostic;
1021, under different time points, other logged account informations of equipment carry out feature extraction, obtain other accounts
Multiple account node diagnostics.
In the embodiment of the present application, the facility information of Account Logon can extract Data Integration from the usage behavior of account and obtain
It arrives, with reference to the following table 2:
Table 2
| Time | Node | Access times | Use duration | The equipment of login | Most frequently used behavioral |
| 2019-01-05 | Account A | 3 | 15min | Equipment 1 | It logs in, exit |
| 2019-01-05 | Account B | 8 | 30min | Equipment 1 | It logs in, exit |
| 2019-01-15 | Account A | 7 | 20min | Equipment 2 | It logs in, exit |
| 2019-01-15 | Account B | 5 | 17min | Equipment 2 | It logs in, exit |
| 2019-01-20 | Account A | 38 | 150min | Equipment 3 | It transfers accounts |
| 2019-01-25 | Account B | 56 | 138min | Equipment 4 | It transfers accounts |
| …… | …… | …… | …… | …… | …… |
Specifically, can be carried out based on content shown in above-mentioned table 2 to the facility information that target account under different time points logs in
Feature extraction, therefrom extracts the multiple account node diagnostics for obtaining target account (being assumed to be account A) and multiple equipment node is special
Sign.
In the embodiment of the present application, the logged account information of the equipment of logged target account can be from the use row of account
It is obtained for middle extraction Data Integration, with reference to the following table 3:
Table 3
| Time | Node | Access times | Use duration | Logon account quantity | Logged account |
| 2019-01-05 | Equipment 1 | 11 | 45min | 15 | Account A, account B |
| 2019-01-15 | Equipment 2 | 12 | 37min | 15 | Account A, account B |
| 2019-01-20 | Equipment 3 | 38 | 150min | 2 | Account A |
| 2019-01-25 | Equipment 4 | 56 | 138min | 1 | Account B |
| …… | …… | …… | …… | …… | …… |
Specifically, can be based on content shown in above-mentioned table 3, under different time points, other logged accounts of above equipment
Information carries out feature extraction, therefrom extracts and obtains multiple account node diagnostics of other accounts (such as account B).Wherein, account is logged in
Amount amount may include the same account of repeat logon.
In some embodiments, in order to promote the validity of data, can before extracting feature to collected data into
Row pretreatment.That is, can also make to the account before carrying out feature extraction to account use information and device using information
Data cleansing is carried out with information and device using information, removes invalid data.For example, removing there are shortage of data, being worth exception
Data, with reference to the following table 4:
Table 4
| Time | Account | Logging device | Usage behavior sequence | Abnormal cause |
| 0000-00-00 00:00:00 | 62177****1234 | Equipment 1 | N1_N3_N4_N31 | Value is abnormal |
| 2019-02-10 12:32:12 | 62177****8653 | / | / | Numerical value missing |
103, the node association between multiple account node diagnostics and multiple equipment node diagnostic is constructed sequentially in time
Relationship.
Specifically, can be constructed between multiple account node diagnostics and multiple equipment node diagnostic according to the sequencing of time
Node incidence relation.With continued reference to Fig. 3, step " constructs multiple account node diagnostics and multiple equipment section sequentially in time
Node incidence relation between point feature ", may include following below scheme:
1031, sequentially in time construct target account multiple account node diagnostics and the multiple device node feature
Between the first incidence relation;
1032, the of building multiple equipment node diagnostic and multiple account node diagnostics of other accounts sequentially in time
Two incidence relations;
1033, node incidence relation is obtained according at least to the first incidence relation and the second incidence relation.
In some embodiments, the heterogeneous figure of timing as shown in Figure 4 can be constructed based on the node incidence relation.Such as Fig. 4 institute
Show, multiple account node diagnostics of target account include: " node diagnostic of 2019-01-05 account A ", " 2019-01-15 account
The node diagnostic of A ", " node diagnostic of 2019-01-20 account A ";Multiple equipment node diagnostic includes: " 2019-01-05 equipment
1 node diagnostic ", " node diagnostic of 2019-01-15 equipment 2 ", " node diagnostic of 2019-01-20 equipment 3 ", " 2019-
The node diagnostic of 01-25 equipment 4 ";Multiple account node diagnostics of other accounts include: that " node of 2019-01-05 account B is special
Sign ", " node diagnostic of 2019-01-15 account B ", 2019-01-20 account B node diagnostic ".When it is implemented, can be according to
The usage behavior data of account construct the heterogeneous figure of the timing.
104, the account node diagnostic of target account is sampled, and associated nodes spy is obtained based on node incidence relation
Sign, associated nodes feature include: that the associated device node feature of account node diagnostic obtained with sampling and/or account node are special
Sign.
Wherein, specified time point can be specified by those skilled in the art or staff, can also be come from by program
Dynamic configuration and dynamic adjust.The specified time point can be a time point, be also possible to multiple time points.In practical application,
The specified time point can be user and think that the target account is the time point of malice account, such as " 2019-10-15 ".
In some embodiments, in order to guarantee the comprehensive of sampling, node diagnostic can be carried out to all target accounts and adopted
Sample, to promote the accuracy of recognition result.
In some embodiments, step " is sampled the account node diagnostic of target account, and is closed based on node association
System obtains associated nodes feature ", may include following below scheme:
According to default number of samples, the account node of default number of samples is chosen from the account node diagnostic of target account
Feature;
Based on node incidence relation, according to default sampling depth and default number of samples from multiple account node diagnostics and more
In a device node feature, the associated associated nodes feature of account node diagnostic obtained with sampling is filtered out.
Specifically, be based on node incidence relation, filtered out from multiple account node diagnostics according to default sampling depth with
The associated candidate account node diagnostic of obtained account node diagnostic is sampled, then chooses default adopt from candidate account node diagnostic
The account node diagnostic of sample quantity;And it is based on node incidence relation, according to default sampling depth from multiple account node diagnostics
In, the associated institute's candidate device node diagnostic of account node diagnostic obtained with sampling is filtered out, then special from candidate device node
The device node feature of default number of samples is chosen in sign.
For example, by taking the heterogeneous figure of the timing in Fig. 4 as an example, and with default number of samples be 2, default sampling depth is 1, with
Node is sampled centered on " node diagnostic of 2019-01-15 account A ".It is then 1 according to sampling depth, the time got
The interlock account node diagnostic of choosing include: directly with " node diagnostic of 2019-01-15 account A " " 2019-01-05 account A
Node diagnostic ", " node diagnostic of 2019-01-20 account A ";Filtering out candidate associate device node diagnostic includes: " 2019-
The node diagnostic of 01-15 equipment 2 ".
When being sampled according to the different types of node of number of samples progress, sampling is repeated.With reference to Fig. 5, according to adopting
Sample quantity is 2, when to carrying out node diagnostic sampling centered on the node diagnostic of 2019-01-15 account A, can sample " 2019-
The node diagnostic of 01-05 account A " and " node diagnostic of 2019-01-20 account A ", can when sampling to device node
Repeated sampling twice " node diagnostic of 2019-01-15 equipment 2 ", to obtain sampled result.
105, according to obtained account node diagnostic and associated nodes feature is sampled, whether identification target account is malice account
Family.
It is applied in example in the application, associated nodes feature includes the node diagnostic of different dimensions (i.e. different type).For example, closing
Interlink point feature includes: that the associated interlock account node diagnostic of account node diagnostic obtained with sampling and associate device node are special
Sign.Then, with continued reference to Fig. 3, " the account node diagnostic and associated nodes feature obtained according to sampling, identifies target account to step
Whether it is malice account ", may include following below scheme:
1051, interlock account node diagnostic is merged with associate device node diagnostic, obtains the first fusion feature;
1052, the first fusion feature is merged with the corresponding obtained account node diagnostic that samples, obtains the second fusion feature;
1053, determine whether target account is malice account according to the second fusion feature.
Specifically, merging the neighbor node feature of different dimensions when whether identify target account is malice account, can mentioning
Rise the accuracy of recognition result.
In the embodiment of the present application, mode node diagnostic merged can there are many.In some embodiments, it walks
Suddenly " interlock account node diagnostic is merged, the first fusion feature is obtained " with associate device node diagnostic, may include to flow down
Journey:
Obtain interlock account node diagnostic first eigenvector and obtain associate device node diagnostic second feature to
Amount;
First eigenvector and second feature vector are converted into the feature vector of identical dimensional;
According to default weight information, to the first eigenvector after conversion dimension and the second feature vector after conversion dimension
It sums after being weighted processing, obtains fused feature vector;
The first fusion feature is obtained according to fused feature vector.
Specifically, first eigenvector and second feature vector are converted into identical dimension using the mode of matrixing
The feature vector of degree.For example, can be to first eigenvector and second feature vector respectively multiplied by different types of matrix, so that section
Point feature is mapped to identical dimension.
Wherein, default weight information can be set by those skilled in the art or staff.For example, can set
The weight of first eigenvector and second feature vector is respectively 0.2 and 0.8, can also set first eigenvector and the second spy
The weight of sign vector is respectively 0.5 and 0.5 or other weights proportion etc..
In some embodiments, step " first eigenvector for obtaining interlock account node diagnostic ", may include following
Process:
The characteristic parameter of the interlock account node diagnostic is obtained, the characteristic parameter of the interlock account node diagnostic is at least
It include: access times, using duration and usage behavior parameter;
It is normalized to the access times, using duration and usage behavior parameter;
Based on after normalized the access times, using duration and usage behavior parameter, construct the association account
The first eigenvector of family node diagnostic.
In some embodiments, step " the second feature vector for obtaining associate device node diagnostic ", may include following
Process:
Obtain the characteristic parameter of associate device node diagnostic, wherein the characteristic parameter of associate device node diagnostic at least wraps
It includes: access times, using duration and the quantity of logged account;
It is normalized to access times, using the quantity of duration and logged account;
Based on after normalized access times, use duration and the quantity of logged account, construct associate device section
The second feature vector of point feature.
Still with the data instance of above-mentioned table 1 to 3, then the characteristic parameter of the interlock account node diagnostic after normalized can
With reference to the following table 5:
Table 5
| Time | Node | Access times | Use duration | Most frequently used behavioral | …… |
| 2019-01-05 | Account A | 0.0789 | 0.1 | 10000...001 | …… |
| 2019-01-15 | Account A | 0.1842 | 0.1333 | 10000...001 | …… |
| 2019-01-20 | Account A | 1 | 1 | 00010...000 | …… |
| …… | …… | …… | …… | …… | …… |
The characteristic parameter of associate device node diagnostic after normalized then can refer to the following table 6:
Table 6
| Time | Node | Access times | Use duration | Use the quantity of card | …… |
| 2019-01-05 | Equipment 1 | 0.2895 | 0.3 | 1 | …… |
| 2019-01-15 | Equipment 2 | 0.3158 | 0.2467 | 1 | …… |
| 2019-01-20 | Equipment 3 | 1 | 1 | 0.1333 | …… |
| …… | …… | …… | …… | …… | …… |
With reference to Fig. 6, when it is implemented, to the feature of the 2019-01-05 account A and 2019-01-20 account A sampled to
Amount averages to obtain matrix A1*a[0.539,0.55 ...], wherein a represents the characteristic dimension of account node.To what is sampled
The feature vector of 2019-01-15 equipment 2 average (it is repeated sampling) obtain D1*d[0.3158,0.2467 ...], wherein d
Represent the characteristic dimension of device node.Then, to obtained matrix A1*aAnd D1*d, respectively multiplied by different types of matrixWith(having been subjected to model training), so that Feature Mapping obtains matrix to new dimensionWithIf the weight for setting first eigenvector and second feature vector is respectively 0.5 and 0.5, press
According to the weight information, by the matrix of the different type node newly obtainedWithIt sums after being weighted processing, obtains new matrix M1*O[0.76,0.59 ...], by first
Feature vector and second feature Vector Fusion.
In some embodiments, the first fusion feature " is merged with the corresponding obtained account node diagnostic that samples, is obtained by step
To the second fusion feature ", it may comprise steps of:
Obtain the feature vector for the account node diagnostic that corresponding sampling obtains;
The feature vector for the account node diagnostic that corresponding sampling obtains is converted into the identical dimensional from current dimension;
The feature vector that the account node diagnostic that corresponding sampling after dimension obtains will be converted, with fused feature vector into
Row merging treatment, the feature vector after obtaining merging treatment;
The second fusion feature is obtained according to the feature vector after merging treatment.
Wherein, the feature vector acquisition modes for the account node diagnostic which obtains, can refer to above-mentioned interlock account section
The acquisition modes of point feature repeat no more this.
Specifically, the feature vector in the account node diagnostic for obtaining sampling is converted into the identical dimensional from current dimension
When, can according to the feature vector of above-mentioned interlock account node diagnostic it is corresponding multiplied by matrix, the account node obtained with the sampling
Feature vector do product processing, by the eigenmatrix A ' of 2019-01-15 account A1*a[0.184,0.13 ...] multiplied byLater, it is mapped to new dimension, obtains M '1*O[0.337,0.25,...]。
By the feature M ' of new 2019-01-15 account A1*O[0.337,0.25 ...] with the next feature M of neighbours' convergence1*O
[0.76,0.59 ...] it is stitched together, obtain matrix M1*2O[0.337,0.25,...,0.76,0.59,...]。
In some embodiments, when determining whether target account is malice account according to the second fusion feature, specifically may be used
To carry out probabilistic forecasting to the second fusion feature using predetermined probabilities model, probabilistic forecasting is obtained as a result, and based on probabilistic forecasting
As a result determine whether target account is malice account.
For example, with continued reference to Fig. 6, by the feature vector (feature vector i.e. after merging treatment) of above-mentioned second fusion feature
As input, probabilistic forecasting is carried out using trained predetermined probabilities model.And it can be based on the probability and predetermined probabilities predicted
Threshold value is compared, and determines whether target account is malice account based on comparative result.Wherein, predetermined probabilities threshold value can be by this
Field technical staff sets, and value range can be any real number between 0 to 1.
For example, it is assumed that predetermined probabilities threshold value is 0.5, if the probability that finally obtained 2019-01-15 is malice account is
0.9, it is greater than predetermined probabilities threshold value 0.5, therefore, it is determined that 2019-01-15 account A is malice account.
Malice account recognition methods provided in this embodiment by the account use information by extraction target account and is set
Account node diagnostic and device node feature in standby use information, and chronologically-based building account node diagnostic and equipment
Node incidence relation between node diagnostic, the surrounding neighbours section obtained using time circulation bring timing information and sampling
Point feature identifies malice account, can identify malice account in time, and effectively promotes the recognition accuracy of malice account.
With reference to Fig. 7, Fig. 7 is the system architecture diagram of malice account recognition methods provided by the embodiments of the present application.
As shown in fig. 7, the system includes two subsystems, online recognition subsystem and off-line training subsystem.
Online recognition subsystem after carrying out data prediction, data cleansing to it, is mentioned according to the data of each financial institution
ASSOCIATE STATISTICS feature is taken, then further according to time order and function relationship, by the node being related in data (such as account, equipment, use
Behavior etc.), it is connected according to correlativity and constitutes the heterogeneous figure of timing.Then, the heterogeneous figure neural network good using pre-training
Model judges whether certain account is malice account.Further according to whether having circulated into malicious user hand at present, it is pushed to and opens an account
Mechanism disposal system is freezed.
If freeze it is wrong, by the result feed back to off-line training subsystem, model is adjusted.
Off-line training subsystem is fed back in history usage behavior data and on-line system using account as a result, taking out
It takes ASSOCIATE STATISTICS feature and serializing coding is in chronological sequence carried out to usage behavior.It, will be various and according to time order and function relationship
The node of type is connected according to corresponding relationship, constitutes the heterogeneous figure of timing, then above-mentioned model is trained and is adjusted,
And synchronized update is to the malice account identification module of online recognition subsystem.
Online recognition subsystem is the external interface that malice account analysis is carried out based on account usage behavior.User passes through
The interface imports corresponding account usage behavior data, so that it may find out corresponding malice account.Online recognition subsystem is main
Including three modules: data acquisition module, malice account identification module, the mechanism that opens an account disposal system module.Wherein:
(11) data acquisition module is mainly responsible for the account usage behavior data for acquiring major financial institution, and carries out phase
The pretreatment answered, such as unified format, Uniform Name etc. are subsequently introduced in database.The data for mainly including have using the time,
Account, the device identification used and usage behavior sequence etc..
(12) malice account identification module cleans collected account usage behavior data, removes invalid number
According to.Then correlated characteristic is extracted, and constructs the heterogeneous figure of timing.Then the heterogeneous figure of timing is carried out using trained model
Analysis, identifies malice account.Malice account identification module is segmented into three parts again: data cleansing, feature extraction and when
The heterogeneous figure building of sequence and the identification of malice account.
Data cleansing is mainly exactly the invalid data removed in account usage behavior, such as there are shortage of data, value is abnormal
Deng.
Feature extraction and the heterogeneous figure building of timing, mainly aiming at the different type node in account usage behavior data
Statistical correlation feature respectively obtains account node diagnostic and device node feature, and operation then is normalized to node diagnostic,
Account usage behavior data are constructed into the heterogeneous figure of timing further according to time sequencing.
Account node diagnostic, device node feature and the heterogeneous figure of timing are all input to heterogeneous figure mind by the identification of malice account
Through carrying out probabilistic forecasting by trained heterogeneous figure neural network model in network model.And based on the knot finally determined
Fruit pushes it in mechanism disposal system of opening an account and is handled.
(13) account of identification is pushed to the disposition for the mechanism that opens an account by the mechanism that opens an account disposal system, malice account identification module
In system, if it is determined that malice account, then freezed.In addition if the case where wrong jelly, by result feedback to offline
Training subsystem.
Off-line training subsystem is threshold value of the model errors rate higher than setting for working as the mechanism disposal system feedback that finds to open an account
When, off-line training subsystem can extract relevant account usage behavior record, and according to feedback result, re -training adjustment is heterogeneous
Figure neural network model.Off-line training subsystem can mainly divide three parts, specifically:
(21) historical account usage behavior record is extracted, the mechanism that especially opens an account disposal system feedback is that the account of mistake makes
Use behavior record.
(22) analysis feedback is the account usage behavior record of mistake, when adding the statistical nature being more suitable, and constructing
The heterogeneous figure of sequence.
(23) by the feature of above-mentioned acquisition and the heterogeneous figure of timing, the heterogeneous figure neural network of re -training, and will be trained
Model modification is to online recognition subsystem.
In this way, online recognition subsystem and off-line training subsystem, are formed a complete closed loop, system can basis
The error rate of the mechanism that opens an account disposal system feedback decides whether re -training model.
In the embodiment of the present application, heterogeneous figure neural network is the core of malice account identification module, it not only may be used
To extract node related information from diagram data, structural information abundant can also be obtained from diagram data, therefore is had very strong
Malice account recognition capability.
In the application, by the usage behavior information architecture of finance account at the heterogeneous figure of timing, and carried out using network model
Analysis, not only it can be found that malice account during use, can also find not yet circulation to malicious user hand in time
In candidate malice account.And result can be pushed to associated financial institution progress account and freezed, it is provided for strike telecommunication fraud
Technical support.
For convenient for better implementation malice account recognition methods provided by the embodiments of the present application, the embodiment of the present application is also provided
A kind of device based on above-mentioned malice account recognition methods.The wherein meaning of noun and phase in above-mentioned malice account recognition methods
Together, specific implementation details can be with reference to the explanation in embodiment of the method.
Referring to Fig. 8, Fig. 8 is a kind of structural schematic diagram of malice account identification device provided by the embodiments of the present application.Its
In, which can integrate in the server.The malice account identification device 400 may include instruction
Acquiring unit 401, extraction unit 402, construction unit 403, sampling unit 404404 and recognition unit 405, specifically can be such that
Acquiring unit 401, for obtaining the account use information and device using information of target account under different time points,
The account use information includes at least: the use information of described target account itself, the device using information include at least:
The use information of the equipment of the logged target account;
Extraction unit 402 obtains multiple for carrying out feature extraction to the account use information and device using information
Account node diagnostic and multiple equipment node diagnostic;
Construction unit 403, for constructing the multiple account node diagnostic and the multiple equipment section sequentially in time
Node incidence relation between point feature;
Sampling unit 404 is sampled for the account node diagnostic to the target account, and is closed based on the node
Join Relation acquisition associated nodes feature, the associated nodes feature includes: to be associated with the obtained account node diagnostic that samples
Device node feature and/or account node diagnostic;
Recognition unit 405, for sampling obtained account node diagnostic and the associated nodes feature, identification according to described
Whether the target account is malice account.
In some embodiments, the use information of target account itself includes at least: target account is stepped under different time points
The facility information of record;The use information of the equipment of the logged target account includes at least: the equipment is stepped under different time points
Other account informations recorded.Extraction unit 402 can be used for:
Feature extraction is carried out to the facility information that target account under different time points logs in, obtains multiple accounts of target account
Family node diagnostic and multiple equipment node diagnostic;
To under the different time points, other logged account informations of the equipment carry out feature extraction, obtain other accounts
Multiple account node diagnostics at family.
In some embodiments, construction unit 403 can be used for:
Construct sequentially in time the target account multiple account node diagnostics and the multiple device node feature
Between the first incidence relation;
Multiple account node diagnostics of the multiple device node feature Yu other accounts are constructed sequentially in time
The second incidence relation;
The node incidence relation is obtained according at least to first incidence relation and second incidence relation.
In some embodiments, associated nodes feature includes: the associated association account of account node diagnostic obtained with sampling
Family node diagnostic and associate device node diagnostic;Recognition unit 405 can be used for:
Interlock account node diagnostic is merged with associate device node diagnostic, obtains the first fusion feature;
First fusion feature is merged with the account node diagnostic that sampling obtains, obtains the second fusion feature;
Determine whether target account is malice account according to the second fusion feature.
In some embodiments, when merging interlock account node diagnostic with associate device node diagnostic, recognition unit
405 specifically can be used for:
Obtain interlock account node diagnostic first eigenvector and obtain associate device node diagnostic second feature to
Amount;
First eigenvector and second feature vector are converted into the feature vector of identical dimensional;
According to default weight information, to the first eigenvector after conversion dimension and the second feature vector after conversion dimension
It sums after being weighted processing, obtains fused feature vector;
The first fusion feature is obtained according to fused feature vector.
In some embodiments, when obtaining the first eigenvector of interlock account node diagnostic, recognition unit 405 into one
Step can be used for:
The characteristic parameter of interlock account node diagnostic is obtained, the characteristic parameter of interlock account node diagnostic includes at least: making
With number, use duration and usage behavior parameter;
It is normalized to access times, using duration and usage behavior parameter;
Based on after normalized access times, using duration and usage behavior parameter, construct the interlock account section
The first eigenvector of point feature.
In some embodiments, when obtaining the second feature vector of associate device node diagnostic, recognition unit 405 into one
Step can be used for:
The characteristic parameter of associate device node diagnostic is obtained, the characteristic parameter of associate device node diagnostic includes at least: making
With number, use duration and the quantity of logged account;
It is normalized to access times, using the quantity of duration and logged account;
Based on after normalized access times, use duration and the quantity of logged account, construct associate device section
The second feature vector of point feature.
In some embodiments, the first fusion feature is being merged with the account node diagnostic that sampling obtains, is obtaining second
When fusion feature, recognition unit 405 may further be used for:
Obtain the feature vector for the account node diagnostic that sampling obtains;
The feature vector for the account node diagnostic that sampling obtains is converted into identical dimensional from current dimension;
The feature vector of account node diagnostic that dimension post-sampling obtains will be converted, with the fused feature vector into
Row merging treatment, the feature vector after obtaining merging treatment;
The second fusion feature is obtained according to the feature vector after merging treatment.
In some embodiments, when determining whether target account is malice account according to the second fusion feature, identification is single
Member 405 specifically can be used for:
Probabilistic forecasting is carried out to the second fusion feature using predetermined probabilities model, obtains probabilistic forecasting result;
Determine whether target account is malice account based on probabilistic forecasting result.
In some embodiments, sampling unit 404 can be used for:
The account node diagnostic of specified quantity, the account obtained as sampling are chosen from the account node diagnostic of target account
Family node diagnostic;
Based on node incidence relation, according to default sampling depth and default number of samples from multiple account node diagnostics and more
In a device node feature, the associated associated nodes feature of account node diagnostic obtained with sampling is filtered out.
Malice account identification device provided by the embodiments of the present application, by extracting the account use information of target account and setting
Account node diagnostic and device node feature in standby use information, and chronologically-based building account node diagnostic and equipment
Node incidence relation between node diagnostic, the surrounding neighbours section obtained using time circulation bring timing information and sampling
Point feature identifies malice account, can identify malice account in time, and effectively promotes the recognition accuracy of malice account.
The embodiment of the present application also provides a kind of server.As shown in figure 9, the server may include radio frequency (RF, Radio
Frequency) circuit 601, include one or more memory 602, the input unit of computer readable storage medium
603, display unit 604, sensor 605, voicefrequency circuit 606, Wireless Fidelity (WiFi, Wireless Fidelity) module
607, the components such as processor 608 and the power supply 609 of processing core are included one or more than one.Those skilled in the art
Member it is appreciated that terminal structure not structure paired terminal shown in Fig. 9 restriction, may include more more or fewer than illustrating
Component perhaps combines certain components or different component layouts.Wherein:
During RF circuit 601 can be used for receiving and sending messages, signal is sended and received, and particularly, the downlink of base station is believed
After breath receives, one or the processing of more than one processor 608 are transferred to;In addition, the data for being related to uplink are sent to base station.It is logical
Often, RF circuit 601 includes but is not limited to antenna, at least one amplifier, tuner, one or more oscillators, user identity
Module (SIM, Subscriber Identity Module) card, transceiver, coupler, low-noise amplifier (LNA, Low
Noise Amplifier), duplexer etc..In addition, RF circuit 601 can also be logical with network and other equipment by wireless communication
Letter.
Memory 602 can be used for storing software program and module, and processor 608 is stored in memory 602 by operation
Software program and module, thereby executing various function application and data processing.Memory 602 can mainly include storage journey
Sequence area and storage data area, wherein storing program area can the (ratio of application program needed for storage program area, at least one function
Such as sound-playing function, image player function) etc..In addition, memory 602 may include high-speed random access memory, also
It may include nonvolatile memory, a for example, at least disk memory, flush memory device or the storage of other volatile solid-states
Device.Correspondingly, memory 602 can also include Memory Controller, to provide processor 608 and input unit 603 to depositing
The access of reservoir 602.
Input unit 603 can be used for receiving the number or character information of input, and generate and user setting and function
Control related keyboard, mouse, operating stick, optics or trackball signal input.Specifically, in a specific embodiment
In, input unit 603 may include touch sensitive surface and other input equipments.Touch sensitive surface, also referred to as touch display screen or touching
Control plate, collect user on it or nearby touch operation (such as user using any suitable object such as finger, stylus or
Operation of the attachment on touch sensitive surface or near touch sensitive surface), and corresponding connection dress is driven according to preset formula
It sets.In addition to touch sensitive surface, input unit 603 can also include other input equipments.Specifically, other input equipments may include
But in being not limited to physical keyboard, function key (such as volume control button, switch key etc.), trace ball, mouse, operating stick etc.
It is one or more.
Display unit 604 can be used for showing information input by user or be supplied to user information and server it is each
Kind graphical user interface, these graphical user interface can be made of figure, text, icon, video and any combination thereof.It is aobvious
Show that unit 604 may include display panel, optionally, liquid crystal display (LCD, Liquid Crystal can be used
Display), the forms such as Organic Light Emitting Diode (OLED, Organic Light-Emitting Diode) configure display surface
Plate.Further, touch sensitive surface can cover display panel, after touch sensitive surface detects touch operation on it or nearby,
Processor 608 is sent to determine the type of touch event, is followed by subsequent processing device 608 according to the type of touch event in display panel
It is upper that corresponding visual output is provided.Although touch sensitive surface and display panel are realized as two independent components in Fig. 9
Input and input function, but in some embodiments it is possible to it is touch sensitive surface and display panel is integrated and realize and input and defeated
Function out.
Server may also include at least one sensor 605, such as optical sensor, motion sensor and other sensings
Device.Specifically, optical sensor may include ambient light sensor and proximity sensor, wherein ambient light sensor can be according to environment
The light and shade of light adjusts the brightness of display panel, and proximity sensor can close display panel when server is moved in one's ear
And/or or backlight.
Voicefrequency circuit 606, loudspeaker, microphone can provide the audio interface between user and server.Voicefrequency circuit 606
Electric signal after the audio data received being converted, is transferred to loudspeaker, is converted to voice signal output by loudspeaker;Separately
On the one hand, the voice signal of collection is converted to electric signal by microphone, is converted to audio data after being received by voicefrequency circuit 606,
After audio data output processor 608 is handled again, through RF circuit 601 to be sent to such as terminal, or audio data is defeated
Out to memory 602 to be further processed.Voicefrequency circuit 606 is also possible that earphone jack, to provide peripheral hardware earphone and clothes
The communication of business device.
WiFi belongs to short range wireless transmission technology, and terminal can help user's transceiver electronics postal by WiFi module 607
Part, browsing webpage and access streaming video etc., it provides wireless broadband internet access for user.Although Fig. 9 is shown
WiFi module 607, but it is understood that, and it is not belonging to must be configured into for terminal, it can according to need do not changing completely
Become in the range of the essence of invention and omits.
Processor 608 is the control centre of terminal, using the various pieces of various interfaces and connection whole mobile phone, is led to
Cross operation or execute the software program that is stored in memory 602 and/or or module, and call and be stored in memory 602
Data, the various functions and processing data of execute server, to carry out integral monitoring to mobile phone.Optionally, processor 608 can
Including one or more processing cores;Preferably, processor 608 can integrate application processor and modem processor, wherein
The main processing operation system of application processor, user interface and application program etc., modem processor mainly handles channel radio
Letter.It is understood that above-mentioned modem processor can not also be integrated into processor 608.
Server further includes the power supply 609 (such as battery) powered to all parts, it is preferred that power supply can pass through power supply
Management system and processor 608 are logically contiguous, to realize management charging, electric discharge and power consumption pipe by power-supply management system
The functions such as reason.Power supply 609 can also include one or more direct current or AC power source, recharging system, power failure
The random components such as detection circuit, power adapter or inverter, power supply status indicator.
Specifically in the present embodiment, the processor 608 in server can be according to following instruction, by one or more
The corresponding executable file of process of application program be loaded into memory 602, and run and be stored in by processor 608
Application program in reservoir 602, to realize various functions:
The account use information and device using information of target account under different time points are obtained, account use information is at least
It include: the use information of target account itself, device using information includes at least: the use letter of the equipment of logged target account
Breath;
Feature extraction is carried out to account use information and device using information, obtain multiple account node diagnostics and multiple is set
Slave node feature;
The node incidence relation between multiple account node diagnostics and multiple equipment node diagnostic is constructed sequentially in time;
The account node diagnostic of target account is sampled, and associated nodes feature is obtained based on node incidence relation,
Associated nodes feature includes: the associated device node feature of account node diagnostic obtained with sampling and/or account node diagnostic;
The account node diagnostic and associated nodes feature obtained according to sampling, whether identification target account is malice account.
Account node in account use information and device using information of the application scheme by extracting target account is special
It seeks peace device node feature, and the node between chronologically-based building account node diagnostic and device node feature is associated with
System identifies malice account using the surrounding neighbours node diagnostic that time circulation bring timing information and sampling obtain, can be timely
It identifies malice account, and effectively promotes the recognition accuracy of malice account.
It will appreciated by the skilled person that all or part of the steps in the various methods of above-described embodiment can be with
It is completed by instructing, or relevant hardware is controlled by instruction to complete, which can store computer-readable deposits in one
In storage media, and is loaded and executed by processor.
For this purpose, the embodiment of the present application provides a kind of storage medium, wherein being stored with a plurality of instruction, which can be processed
Device is loaded, to execute the step in any malice account recognition methods provided by the embodiment of the present application.For example, this refers to
Order can execute following steps:
The account use information and device using information of target account under different time points are obtained, account use information is at least
It include: the use information of target account itself, device using information includes at least: the use letter of the equipment of logged target account
Breath;Feature extraction is carried out to account use information and device using information, obtains multiple account node diagnostics and multiple equipment section
Point feature;The node incidence relation between multiple account node diagnostics and multiple equipment node diagnostic is constructed sequentially in time;
The account node diagnostic of target account is sampled, and associated nodes feature, associated nodes are obtained based on node incidence relation
Feature includes: the associated device node feature of account node diagnostic obtained with sampling and/or account node diagnostic;According to sampling
Obtained account node diagnostic and associated nodes feature, whether identification target account is malice account.
The specific implementation of above each operation can be found in the embodiment of front, and details are not described herein.
Wherein, which may include: read-only memory (ROM, Read Only Memory), random access memory
Body (RAM, Random Access Memory), disk or CD etc..
By the instruction stored in the storage medium, any malice account provided by the embodiment of the present application can be executed
Step in the recognition methods of family, it is thereby achieved that any malice account recognition methods institute provided by the embodiment of the present application
The beneficial effect being able to achieve is detailed in the embodiment of front, and details are not described herein.
Detailed Jie has been carried out to the recognition methods of malice account, device and storage medium provided by the embodiment of the present application above
It continues, specific examples are used herein to illustrate the principle and implementation manner of the present application, and the explanation of above embodiments is only
It is to be used to help understand the method for this application and its core ideas;Meanwhile for those skilled in the art, according to the application's
Thought, there will be changes in the specific implementation manner and application range, in conclusion the content of the present specification should not be construed as
Limitation to the application.
Claims (15)
1. a kind of malice account recognition methods characterized by comprising
The account use information and device using information of target account under different time points are obtained, the account use information is at least
It include: the use information of described target account itself, the device using information includes at least: the logged target account
The use information of equipment;
Feature extraction is carried out to the account use information and device using information, obtain multiple account node diagnostics and multiple is set
Slave node feature;
The node association between the multiple account node diagnostic and the multiple device node feature is constructed sequentially in time
Relationship;
The account node diagnostic of the target account is sampled, and associated nodes spy is obtained based on the node incidence relation
Sign, the associated nodes feature include: and the associated device node feature of account node diagnostic and/or account for sampling and obtaining
Family node diagnostic;
Obtained account node diagnostic and the associated nodes feature are sampled according to described, identifies whether the target account is evil
Meaning account.
2. malice account recognition methods according to claim 1, which is characterized in that the use of described target account itself is believed
Breath includes at least: the facility information that the target account logs under different time points, the logged target account are set
Standby use information includes at least: other logged account informations of the equipment under the different time points;
It is described that feature extraction is carried out to the account use information and device using information, obtain multiple account node diagnostics and more
A device node feature, comprising:
Feature extraction is carried out to the facility information that target account described under different time points logs in, obtains the more of the target account
A account node diagnostic and multiple equipment node diagnostic;
To under the different time points, other logged account informations of the equipment carry out feature extraction, obtain it is described other
Multiple account node diagnostics of account.
3. malice account recognition methods according to claim 2, which is characterized in that described in the building sequentially in time
Node incidence relation between multiple account node diagnostics and the multiple device node feature, comprising:
It is constructed between multiple account node diagnostics of the target account and the multiple device node feature sequentially in time
The first incidence relation;
The of multiple account node diagnostics of the multiple device node feature and other accounts is constructed sequentially in time
Two incidence relations;
The node incidence relation is obtained according at least to first incidence relation and second incidence relation.
4. malice account recognition methods according to claim 1-3, which is characterized in that the associated nodes feature
Include: and the associated interlock account node diagnostic of account node diagnostic and associate device node diagnostic for sampling and obtaining;
It is described to sample obtained account node diagnostic and the associated nodes feature according to described, whether identify the target account
For malice account, comprising:
The interlock account node diagnostic is merged with the associate device node diagnostic, obtains the first fusion feature;
First fusion feature is merged with the corresponding obtained account node diagnostic that samples, obtains the second fusion feature;
Determine whether the target account is malice account according to second fusion feature.
5. malice account recognition methods according to claim 4, which is characterized in that described that the interlock account node is special
Sign is merged with the associate device node diagnostic, obtains the first fusion feature, comprising:
It obtains the first eigenvector of the interlock account node diagnostic and obtains the second spy of the associate device node diagnostic
Levy vector;
The first eigenvector and the second feature vector are converted into the feature vector of identical dimensional;
According to default weight information, the first eigenvector after conversion dimension and the second feature vector after conversion dimension are carried out
It sums after weighting processing, obtains fused feature vector;
The first fusion feature is obtained according to fused feature vector.
6. malice account recognition methods according to claim 5, which is characterized in that described to obtain the interlock account node
The first eigenvector of feature, comprising:
The characteristic parameter of the interlock account node diagnostic is obtained, the characteristic parameter of the interlock account node diagnostic at least wraps
It includes: access times, using duration and usage behavior parameter;
It is normalized to the access times, using duration and usage behavior parameter;
Based on after normalized the access times, using duration and usage behavior parameter, construct the interlock account section
The first eigenvector of point feature.
7. malice account recognition methods according to claim 5, which is characterized in that the acquisition associate device node diagnostic
Second feature vector, comprising:
The characteristic parameter of the associate device node diagnostic is obtained, the characteristic parameter of the associate device node diagnostic at least wraps
It includes: access times, using duration and the quantity of logged account;
It is normalized to the access times, using the quantity of duration and logged account;
Based on after normalized the access times, using duration and the quantity of logged account, construct the association and set
The second feature vector of slave node feature.
8. malice account recognition methods according to claim 5, which is characterized in that it is described by first fusion feature with
The account node diagnostic fusion that corresponding sampling obtains, obtains the second fusion feature, comprising:
Obtain the feature vector for the account node diagnostic that the corresponding sampling obtains;
The feature vector for the account node diagnostic that the corresponding sampling obtains is converted into the identical dimensional from current dimension;
The feature vector that the account node diagnostic that the corresponding sampling after dimension obtains will be converted, with the fused feature to
Amount merges processing, the feature vector after obtaining merging treatment;
The second fusion feature is obtained according to the feature vector after merging treatment.
9. malice account recognition methods according to claim 4, which is characterized in that described according to second fusion feature
Determine whether the target account is malice account, comprising:
Probabilistic forecasting is carried out to second fusion feature using predetermined probabilities model, obtains probabilistic forecasting result;
Determine whether the target account is malice account based on the probabilistic forecasting result.
10. malice account recognition methods according to claim 1, which is characterized in that the account to the target account
Family node diagnostic is sampled, and obtains associated nodes feature based on the node incidence relation, comprising:
The account node diagnostic of specified quantity, the account obtained as sampling are chosen from the account node diagnostic of the target account
Family node diagnostic;
Based on the node incidence relation, according to default sampling depth and default number of samples from multiple account node diagnostics and more
In a device node feature, filter out and the associated associated nodes feature of account node diagnostic for sampling and obtaining.
11. a kind of malice account identification device characterized by comprising
Acquiring unit, for obtaining the account use information and device using information of target account under different time points, the account
Family use information includes at least: the use information of described target account itself, and the device using information includes at least: logged
The use information of the equipment of the target account;
Extraction unit obtains multiple account sections for carrying out feature extraction to the account use information and device using information
Point feature and multiple equipment node diagnostic;
Construction unit, for construct sequentially in time the multiple account node diagnostic and the multiple device node feature it
Between node incidence relation;
Sampling unit is sampled for the account node diagnostic to the target account, and is based on the node incidence relation
Associated nodes feature is obtained, the associated nodes feature includes: and the associated equipment of account node diagnostic for sampling and obtaining
Node diagnostic and/or account node diagnostic;
Recognition unit identifies the mesh for sampling obtained account node diagnostic and the associated nodes feature according to described
Mark whether account is malice account.
12. malice account identification device according to claim 11, which is characterized in that the use of described target account itself
Information includes at least: the facility information that the target account logs under different time points, the logged target account
The use information of equipment includes at least: other logged account informations of the equipment under the different time points;
The extraction unit, is used for:
Feature extraction is carried out to the facility information that target account described under different time points logs in, obtains the more of the target account
A account node diagnostic and multiple equipment node diagnostic;
To under the different time points, other logged account informations of the equipment carry out feature extraction, obtain it is described other
Multiple account node diagnostics of account.
13. malice account identification device according to claim 12, which is characterized in that the construction unit is used for:
It is constructed between multiple account node diagnostics of the target account and the multiple device node feature sequentially in time
The first incidence relation;
The of multiple account node diagnostics of the multiple device node feature and other accounts is constructed sequentially in time
Two incidence relations;
The node incidence relation is obtained according at least to first incidence relation and second incidence relation.
14. the described in any item malice account identification devices of 1-13 according to claim 1, which is characterized in that the recognition unit,
For:
The sampling account node diagnostic is merged with the sample devices node diagnostic, obtains the first fusion feature;
First fusion feature is merged with the obtained account node diagnostic that samples, obtains the second fusion feature;
Determine whether the target account is malice account according to second fusion feature.
15. a kind of storage medium, which is characterized in that the storage medium is stored with a plurality of instruction, and described instruction is suitable for processor
The step of being loaded, the described in any item malice account recognition methods of 1-10 required with perform claim.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910455922.4A CN110232630A (en) | 2019-05-29 | 2019-05-29 | The recognition methods of malice account, device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910455922.4A CN110232630A (en) | 2019-05-29 | 2019-05-29 | The recognition methods of malice account, device and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN110232630A true CN110232630A (en) | 2019-09-13 |
Family
ID=67858720
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910455922.4A Pending CN110232630A (en) | 2019-05-29 | 2019-05-29 | The recognition methods of malice account, device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110232630A (en) |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110995810A (en) * | 2019-11-25 | 2020-04-10 | 腾讯科技(深圳)有限公司 | Object identification method based on artificial intelligence and related device |
| CN111340112A (en) * | 2020-02-26 | 2020-06-26 | 腾讯科技(深圳)有限公司 | Classification method, classification device and server |
| CN111476668A (en) * | 2020-06-24 | 2020-07-31 | 支付宝(杭州)信息技术有限公司 | Identification method and device of credible relationship, storage medium and computer equipment |
| CN111506486A (en) * | 2020-04-17 | 2020-08-07 | 支付宝(杭州)信息技术有限公司 | Data processing method and system |
| CN111859160A (en) * | 2020-08-07 | 2020-10-30 | 成都理工大学 | Method and system for recommending session sequence based on graph neural network |
| CN112257066A (en) * | 2020-10-30 | 2021-01-22 | 广州大学 | Malicious behavior identification method and system for weighted heterogeneous graph and storage medium |
| CN112905987A (en) * | 2019-11-19 | 2021-06-04 | 北京达佳互联信息技术有限公司 | Account identification method, account identification device, server and storage medium |
| CN112995110A (en) * | 2019-12-17 | 2021-06-18 | 深信服科技股份有限公司 | Method and device for acquiring malicious event information and electronic equipment |
| CN113283822A (en) * | 2021-07-23 | 2021-08-20 | 支付宝(杭州)信息技术有限公司 | Feature processing method and device |
| CN114282924A (en) * | 2020-09-28 | 2022-04-05 | 腾讯科技(深圳)有限公司 | Account identification method, device, equipment and storage medium |
| CN116881916A (en) * | 2023-09-07 | 2023-10-13 | 中国信息通信研究院 | Malicious user detection method and device based on heterogeneous graph neural network |
| CN117352189A (en) * | 2023-12-06 | 2024-01-05 | 中南大学 | Abnormal behavior evaluation method, system and equipment based on high-order topological structure |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104660594A (en) * | 2015-02-09 | 2015-05-27 | 中国科学院信息工程研究所 | Method for identifying virtual malicious nodes and virtual malicious node network in social networks |
| CN105812195A (en) * | 2014-12-30 | 2016-07-27 | 阿里巴巴集团控股有限公司 | Method and device for computer to identify batch accounts |
| CN107316198A (en) * | 2016-04-26 | 2017-11-03 | 阿里巴巴集团控股有限公司 | Account risk identification method and device |
| CN108171519A (en) * | 2016-12-07 | 2018-06-15 | 阿里巴巴集团控股有限公司 | The processing of business datum, account recognition methods and device, terminal |
| CN108197795A (en) * | 2017-12-28 | 2018-06-22 | 杭州优行科技有限公司 | The account recognition methods of malice group, device, terminal and storage medium |
-
2019
- 2019-05-29 CN CN201910455922.4A patent/CN110232630A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105812195A (en) * | 2014-12-30 | 2016-07-27 | 阿里巴巴集团控股有限公司 | Method and device for computer to identify batch accounts |
| CN104660594A (en) * | 2015-02-09 | 2015-05-27 | 中国科学院信息工程研究所 | Method for identifying virtual malicious nodes and virtual malicious node network in social networks |
| CN107316198A (en) * | 2016-04-26 | 2017-11-03 | 阿里巴巴集团控股有限公司 | Account risk identification method and device |
| CN108171519A (en) * | 2016-12-07 | 2018-06-15 | 阿里巴巴集团控股有限公司 | The processing of business datum, account recognition methods and device, terminal |
| CN108197795A (en) * | 2017-12-28 | 2018-06-22 | 杭州优行科技有限公司 | The account recognition methods of malice group, device, terminal and storage medium |
Cited By (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112905987B (en) * | 2019-11-19 | 2024-02-27 | 北京达佳互联信息技术有限公司 | Account identification method, device, server and storage medium |
| CN112905987A (en) * | 2019-11-19 | 2021-06-04 | 北京达佳互联信息技术有限公司 | Account identification method, account identification device, server and storage medium |
| CN110995810A (en) * | 2019-11-25 | 2020-04-10 | 腾讯科技(深圳)有限公司 | Object identification method based on artificial intelligence and related device |
| CN112995110A (en) * | 2019-12-17 | 2021-06-18 | 深信服科技股份有限公司 | Method and device for acquiring malicious event information and electronic equipment |
| CN111340112A (en) * | 2020-02-26 | 2020-06-26 | 腾讯科技(深圳)有限公司 | Classification method, classification device and server |
| CN111340112B (en) * | 2020-02-26 | 2023-09-26 | 腾讯科技(深圳)有限公司 | Classification method, classification device and classification server |
| CN111506486B (en) * | 2020-04-17 | 2022-04-19 | 支付宝(杭州)信息技术有限公司 | Data processing method and system |
| CN111506486A (en) * | 2020-04-17 | 2020-08-07 | 支付宝(杭州)信息技术有限公司 | Data processing method and system |
| CN111476668A (en) * | 2020-06-24 | 2020-07-31 | 支付宝(杭州)信息技术有限公司 | Identification method and device of credible relationship, storage medium and computer equipment |
| CN111859160A (en) * | 2020-08-07 | 2020-10-30 | 成都理工大学 | Method and system for recommending session sequence based on graph neural network |
| CN111859160B (en) * | 2020-08-07 | 2023-06-16 | 成都理工大学 | Session sequence recommendation method and system based on graph neural network |
| CN114282924A (en) * | 2020-09-28 | 2022-04-05 | 腾讯科技(深圳)有限公司 | Account identification method, device, equipment and storage medium |
| CN112257066A (en) * | 2020-10-30 | 2021-01-22 | 广州大学 | Malicious behavior identification method and system for weighted heterogeneous graph and storage medium |
| CN113283822A (en) * | 2021-07-23 | 2021-08-20 | 支付宝(杭州)信息技术有限公司 | Feature processing method and device |
| CN116881916A (en) * | 2023-09-07 | 2023-10-13 | 中国信息通信研究院 | Malicious user detection method and device based on heterogeneous graph neural network |
| CN116881916B (en) * | 2023-09-07 | 2023-12-12 | 中国信息通信研究院 | Malicious user detection method and device based on heterogeneous graph neural network |
| CN117352189A (en) * | 2023-12-06 | 2024-01-05 | 中南大学 | Abnormal behavior evaluation method, system and equipment based on high-order topological structure |
| CN117352189B (en) * | 2023-12-06 | 2024-03-15 | 中南大学 | Abnormal behavior evaluation method, system and equipment based on high-order topological structure |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110232630A (en) | The recognition methods of malice account, device and storage medium | |
| CN107102941B (en) | Test case generation method and device | |
| CN110598213A (en) | Keyword extraction method, device, equipment and storage medium | |
| CN107092588B (en) | Text information processing method, device and system | |
| CN109961296A (en) | Merchant type recognition methods and device | |
| CN111816159B (en) | Language identification method and related device | |
| CN107480123A (en) | A kind of recognition methods, device and the computer equipment of rubbish barrage | |
| CN110334347A (en) | Information processing method, relevant device and storage medium based on natural language recognition | |
| CN104541293A (en) | Architecture for client-cloud behavior analyzer | |
| CN108280458A (en) | Group relation kind identification method and device | |
| CN108664957A (en) | Number-plate number matching process and device, character information matching process and device | |
| CN104572889A (en) | Method, device and system for recommending search terms | |
| CN103530562A (en) | Method and device for identifying malicious websites | |
| CN105447583A (en) | User churn prediction method and device | |
| CN111405030B (en) | Message pushing method and device, electronic equipment and storage medium | |
| CN107545404A (en) | Bill based reminding method and device | |
| CN107632697A (en) | Processing method, device, storage medium and the electronic equipment of application program | |
| CN107678858A (en) | application processing method, device, storage medium and electronic equipment | |
| CN104966086A (en) | Living body identification method and apparatus | |
| CN106022071A (en) | Fingerprint unlocking method and terminal | |
| CN103501487A (en) | Method, device, terminal, server and system for updating classifier | |
| CN205302954U (en) | Electron message equipment and system | |
| CN110503409A (en) | The method and relevant apparatus of information processing | |
| CN110309339A (en) | Picture tag generation method and device, terminal and storage medium | |
| CN107133530A (en) | A kind of account management method, shared device and computer-readable recording medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |