CN110399925B

CN110399925B - Account risk identification method, device and storage medium

Info

Publication number: CN110399925B
Application number: CN201910683779.4A
Authority: CN
Inventors: 范小龙
Original assignee: Tencent Technology Wuhan Co Ltd
Current assignee: Tencent Technology Wuhan Co Ltd
Priority date: 2019-07-26
Filing date: 2019-07-26
Publication date: 2023-09-19
Anticipated expiration: 2039-07-26
Also published as: CN110399925A

Abstract

The application discloses a risk identification method, a risk identification device and a storage medium of an account, wherein in the method, account information of a target account to be detected is obtained, and the account information at least comprises characteristic information of behavior dimension and content dimension; sequentially inputting the feature information of at least one dimension into a risk identification model to obtain a corresponding identification result, wherein the risk identification model is used for predicting whether the feature information of each dimension in the account information is abnormal information; and determining a risk identification result of the target account according to the identification result of each dimension. Therefore, whether the target account has risks or not is judged timely and rapidly, risks that users are cheated or misled are reduced, the recognition process is not easy to crack based on the risk recognition model and the information with different dimensions, and recognition accuracy and coverage rate are improved.

Description

Account risk identification method, device and storage medium

Technical Field

The present application relates to the technical field of account risk identification, and in particular, to a method and apparatus for identifying risk of an account and a storage medium.

Background

With the rapid development of the internet, social, shopping, game and other internet services have been advanced into various aspects of life and work. The user needs to log in to the corresponding business platform through the registered account to experience the corresponding internet service. If the account number of the user is stolen, the user can not use the corresponding business function, and property loss can be caused or risks that the thief uses the stolen account number to engage in non-issuing actions can be born.

The current risk identification method for the account is low in safety coefficient, easy to be broken by lawbreakers, incapable of covering all account identification ranges, and low in identification precision and coverage rate.

Disclosure of Invention

In view of the above, the application provides a risk identification method, a risk identification device and electronic equipment for an account, so that the identification process is not easy to crack, and the identification precision and coverage rate are improved.

In order to achieve the above object, in one aspect, the present application provides a risk identification method for an account, including:

acquiring account information of a target account to be detected, wherein the account information at least comprises characteristic information of a behavior dimension and characteristic information of a content dimension;

sequentially inputting the feature information of at least one dimension into a risk identification model to obtain a corresponding identification result, wherein the risk identification model is used for predicting whether the feature information of each dimension in the account information is abnormal information;

and determining a risk identification result of the target account according to the identification result of each dimension.

In a possible implementation manner, the identification result includes an identification result of a first dimension and an identification result of a second dimension, where the determining, according to the identification result of each dimension, the risk identification result of the target account includes:

And carrying out fusion processing on the identification result of the first dimension and the identification result of the second dimension to obtain a risk identification result of the target account.

In still another possible implementation manner, the determining the risk identification result of the target account according to the identification result of each dimension further includes:

and if the identification result of the first dimension meets the preset risk result condition, verifying the identification result of the first dimension according to the identification result of the second dimension to obtain the risk identification result of the target account.

In yet another possible implementation, the method further includes:

acquiring account information of a sample account;

extracting the characteristics of account information of the sample account to obtain characteristic information of at least one dimension, wherein the dimension at least comprises a behavior dimension and a content dimension;

determining portrait information of each dimension according to the feature information of each dimension, wherein the portrait information can be updated in real time according to the change of the feature information of the corresponding dimension;

and learning the portrait information of each dimension to obtain a risk identification model.

In yet another possible implementation, the method further includes:

Determining the risk attribute of the target account according to the risk identification result of the target account;

and executing an account protection strategy corresponding to the risk attribute on the target account.

In still another aspect, the present application further provides a risk identification device for an account, including:

the information acquisition unit is used for acquiring account information of a target account to be detected, wherein the account information at least comprises characteristic information of a behavior dimension and characteristic information of a content dimension;

the identification unit is used for sequentially inputting the characteristic information of at least one dimension into the risk identification model to obtain a corresponding identification result, wherein the risk identification model is used for predicting whether the characteristic information of each dimension in the account information is abnormal information or not;

and the result determining unit is used for determining the risk identification result of the target account according to the identification result of each dimension.

In yet another aspect, the present application further provides a storage medium, where computer executable instructions are stored, where the computer executable instructions, when loaded and executed by a processor, implement a risk identification method for an account number according to any one of the above.

When risk identification is performed on the target account, feature information of at least one dimension of the target account is acquired, a risk identification model is sequentially input, a corresponding identification result is obtained, and finally, a risk identification result of the target account is determined based on the identification result of each dimension. The characteristic information at least comprising the behavior dimension and the content dimension is adopted for identification, account information can be divided more accurately, accounts of more types can be covered, and compared with the prior art that identification is carried out only according to the information of the fixed dimension, the identification accuracy is higher, the identification is carried out based on the multidimensional quick identification of the risk identification model, multiple malicious account types can be identified, and the coverage rate is higher.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only embodiments of the present application, and other drawings may be obtained according to the provided drawings without inventive effort for a person skilled in the art.

Fig. 1 shows a schematic diagram of a component architecture of a risk identification system of an account according to the present application;

FIG. 2 is a schematic flow chart of an embodiment of a risk identification method for an account of the present application;

FIG. 3 is a schematic diagram of a risk identification method for multi-dimensional feature information;

FIG. 4 is a schematic diagram of an embodiment of a method for processing dimension identification results according to an embodiment of the present application;

FIG. 5 illustrates an exemplary diagram of establishing a risk identification model in accordance with embodiments of the present application;

FIG. 6 illustrates an exemplary diagram of an attribute tag for a behavior dimension in an embodiment of the present application;

FIG. 7 shows a schematic diagram of a system for processing a risk account in accordance with an embodiment of the present application;

fig. 8 is a schematic diagram of a risk identification method for an account of an instant messaging application according to an embodiment of the present application;

FIG. 9 is a schematic diagram showing the constitution of an embodiment of a risk identification apparatus for an account of the present application;

fig. 10 is a schematic diagram showing the constitution of a terminal according to an embodiment of the present application.

Detailed Description

According to the scheme, risk identification can be performed on the account of the user more timely and accurately in the process of information interaction with other users or in the process of internet payment of the user, so that the identification accuracy of the account and the coverage rate of risk identification are ensured.

In the embodiment of the application, the account number refers to unique identification information for logging in the application when the user performs applications such as information access, information interaction and information payment, for example, the account number of a social application platform of the user, the account number of a video browsing client, and the like, and the expression form of the account number can be a character string which is set by the user and comprises numbers and/or letters, or can be a character string which is distributed to the user by the corresponding application platform. For example, the account number of the user a on the video platform is: TA123467, however, in the embodiment of the application, the risk identification is not performed according to the representation form information of the account, but rather the risk identification is performed on the target account according to the account information represented by the account, and finally, the target account can be correspondingly processed according to the risk identification result. In the embodiment of the present application, the account information may include: and the data information related to the user corresponding to the account or the use environment corresponding to the account. In order to facilitate understanding of the risk identification method of the account of the present application, a system to which the risk identification method of the account of the present application is applied will be described below. Referring to fig. 1, a schematic diagram of a component architecture of a risk identification system of an account according to the present application is shown.

As shown in fig. 1, a risk identification system for an account provided by an embodiment of the present application includes: a terminal 10 and a server 20. The terminal 10 and the server 20 are connected to each other by a network 30.

The terminal 10 may be a mobile terminal such as a mobile phone or a tablet computer, or may be a fixed terminal such as a personal computer having an information input function.

In the embodiment of the present application, when the terminal 10 obtains the user input target account through the set or connected information input module, the account information of the target account is collected, and the collected account information is transmitted to the server 20 through the network 30.

The account information collected by the terminal 10 at least includes feature information of a behavior dimension and feature information of a content dimension, where the feature information of the behavior dimension mainly refers to information for dividing operation behaviors of a user, for example, may include operation information for logging in an account by the user, accessed operation information, and the like. The characteristic information of the content dimension refers to information of content generated by data interaction of the user through the account. In addition, the method can also comprise network environment dimension, account association dimension and other information.

When the terminal collects account information, all operation information of a user operating through the account is recorded in real time, and basic information of the account, such as information of login equipment, login time, login IP and the like, is extracted. And collecting the acquired information according to a time period, generating account information of the account, and sending the account information to a server, or adding a time tag into the information collected in real time to serve as the account information and sending the account information to the server, wherein the server collects all the acquired information under the account.

Correspondingly, the server 20 can identify the feature information of each dimension in the account information sent by the terminal 10, and can identify the feature information of each dimension in the account information by calling a risk identification model stored by the server, so that the identification result of each dimension can be quickly and accurately obtained, then the risk identification result of the target account is determined according to the identification result of each dimension, and then the risk identification result is returned to the terminal through the network 30, so that the terminal can output the risk identification result, and the effect information for prompting the terminal user that the current account has risks or is processed according to the risk identification result is achieved.

In the risk identification system of the account shown in fig. 1, the terminal 10 sends the collected account information of the target account to the server 20. Another possible implementation manner in the embodiment of the present application may be that the terminal sends the target account to the server, and the server obtains the account information of the target account. In the process of acquiring the account information of the target account by the server, the server may acquire all information generated by the user terminal corresponding to the target account based on the current target account, and then extract the account information meeting the identification requirement, or the server may generate an information acquisition instruction of corresponding dimension, and the terminal acquires the account information of each dimension and transmits the information to the server.

Alternatively, an application may be running in the terminal, where the application is used to establish a communication connection with a server, and the terminal performs information interaction with the server through the application.

In another possible case, in order to ensure the accuracy degree and the identification requirement of the acquired account information, when the terminal transmits the account information to the server, the server may classify and filter the account information, that is, extract part of the account information therein to perform risk identification, where it is to be noted that part of the account information at least includes feature information of a behavior dimension and feature information of a content dimension, and can meet the information input requirement of a risk identification model. Correspondingly, if the account information acquired by the terminal does not meet the information input requirement of the risk identification model, or the acquired dimension is less and does not have the statistical analysis requirement, the server can generate an information acquisition instruction and transmit the information acquisition instruction to the terminal, so that the terminal acquires the account information again until the acquired account information meets the information input requirement of the risk identification model, and then risk identification processing can be performed. It can be understood that if the terminal only can collect account information in a single dimension, or only can collect part of account information, the server will also output a risk identification result of the target account, but will output evaluation information of the risk identification result at the same time, for example, the risk identification of the current target account is identified based on the dimension of login information, and the target account does not belong to the risk account, but cannot exclude the counterfeiting risk of the login information.

The risk identification model stored on the server can identify the characteristic information of each dimension, and the output identification result is the result corresponding to each dimension, so that statistics staff can conveniently carry out statistical analysis based on the identification result of each dimension, and the loopholes of account login of the dimension are repaired. The risk identification model is generated based on account information of a sample account, information of each dimension and corresponding risk labels are marked when the account information of the sample account is marked, then portrait information of each dimension can be generated, the portrait information is learned to generate the risk identification model, the portrait information comprises all features of a user corresponding to the account, features with normal mutation also have features with risks and attribute features of the user, and therefore the generated risk identification model is more accurate in the identification process, and whether the generated risk identification model is a normal mutation or an abnormal mutation can be judged in the risk identification process.

The risk identification result of the target account finally output by the server is obtained by processing the identification result of each dimension, and is a comprehensive identification result of the target account, and of course, the server can also store or output the risk identification result or the risk index value of each dimension, so that the risk identification result or the risk index value is convenient for maintenance or use of testers.

The method provided by the application can be used for carrying out risk identification on the information of a single dimension to obtain the test result of the dimension, so that the dimension is convenient to maintain and repair. The following describes the interaction procedure between the terminal and the server in detail. Referring to fig. 2, a schematic flow interaction diagram of an embodiment of a risk identification method for an account according to the present application is shown, where the method of the embodiment may include:

s201, the terminal acquires account information of a target account to be detected.

The account information at least comprises characteristic information of a behavior dimension and characteristic information of a content dimension. The dimensions are set according to classification of account information determined by analyzing the historical account information, so that all accounts can be better covered, accuracy of account risk identification can be improved, and in the embodiment of the application, at least two dimensions of a behavior dimension and a content dimension are included. The method is characterized in that the behavior dimension can better embody the characteristic information of the operation of the user through the target account, and the dimension of the personalized operation belonging to the account can be defined. For example, an account accessing sensitive information is generally determined as a risk account, but an account of an auditor may access a large number of websites, webpages, etc. with sensitive information to audit the content of each website, if the account of the auditor is recognized as a risk account according to the knowledge of risk account recognition in the prior art, the normal browsing process of the auditor is controlled, so that the experience effect of the user is poor. In the embodiment of the application, the characteristic information of the behavior dimension can be acquired, and the characteristic information can meet the operation requirement of the behavior dimension, so that the subsequent risk identification process is more accurate.

The characteristic information of the content dimension can reflect the information of the user of the target account when the user performs data interaction, and the risk identification can be performed on the black-produced account when the IP address or login equipment disguises by collecting the information of the dimension. In addition, account environment dimensions, associated account dimensions, and the like may be included.

The target account to be detected is an account needing risk identification, and can be a user account logged in real time for a certain application (such as a video APP), an account appointed in a test process, or an account randomly selected in a security maintenance process.

In a possible case, after the terminal runs the application, if the terminal detects that the user performs account login and the application is provided with a function item for identifying account risk which is automatically run, the terminal acquires account information corresponding to the current login account, so as to identify the risk of the current account.

In another possible case, when the risk identification function of the account is set in the application of the terminal and started within a certain time range, if the user logs in the account of the application within the time range, the terminal acquires account information corresponding to the account of the time period. The situation can be applied to risk identification scenes of the account set by the user independently, for example, aiming at enterprise internal communication Internet application, the user can normally log in the account at working time of working days and is in an online application state, in order to ensure the safety of the account, the user can set to monitor and identify the risk of the account at non-working time in real time, and when the terminal detects that the user logs in the account at non-working time, corresponding account information is acquired to be sent to a server for risk identification.

S202, the terminal sends account information to the server.

For example, the terminal sends the account information to the server based on the communication connection applied between the servers in the terminal.

Optionally, the terminal may also generate a risk identification request including the account number, so that the server responds to the risk identification request and performs risk identification on the character included in the target image.

Because the account information is the characteristic information comprising at least one dimension, the terminal can package the characteristic information of each dimension to generate the account information, and then the account information is sent to the server, at this time, the account information comprises a dimension identifier, so that the server can analyze the account information according to the dimension. The terminal may also send each dimension information to the server according to the dimension. The optimal mode is to send all acquired dimension information to the server, so that risk identification of the subsequent server is more accurate. The server can also generate a dimension information acquisition instruction according to the characteristics of the current application, and the terminal sends the characteristic information of the target dimension corresponding to the instruction to the server according to the acquisition instruction. By the method, overlong information acquisition time or waste of redundant information can be avoided.

In another possible implementation manner, the terminal may collect all account information of the target account, but it cannot determine the dimension of the account information, send the collected account information directly to the server, and divide the received account information into dimensions according to the set dimension identifier by the server, so as to obtain feature information of a plurality of dimensions.

S203, the server calls a risk identification model.

The risk identification model may be a neural network model stored in a server in advance and capable of performing account risk identification. The risk identification model is used for predicting whether feature information of each dimension in account information is abnormal information or not.

For example, a model library may be provided, and the model library may include a plurality of models, where the plurality of models may be models in different application fields, such as a risk identification model, a user identification model, an account classification model, and the like, and may also be risk identification models applicable to different application scenarios, so that the server may call the corresponding risk identification model in the model library based on account risk identification requirements of different applications.

For example, assuming that the application is an internet payment application, when performing risk identification on a target account of the application, a risk identification model capable of performing risk identification on payment related information needs to be invoked, that is, the risk identification model can at least identify information of a payment dimension.

S204, for the feature information of each dimension in the account information, the server inputs the feature information of the dimension into the risk identification model, and outputs the identification result of the dimension.

In one possible implementation manner, the account information sent by the terminal is feature information classified according to dimensions, and the server may input the feature information of each dimension into the risk recognition model, where the input may be multi-threaded information input, that is, feature information of one thread corresponding to one dimension, or input in the form of an information queue, that is, feature information of each dimension forms the information queue. Correspondingly, the risk recognition model is a multi-dimensional risk recognition model, and can recognize abnormal information of the characteristic information of each dimension.

The risk identification model may be an analytical modeling for multiple dimensions, that is, the risk identification model belongs to a fusion model, which fuses risk identification of each dimension. For example, account information may be divided into an environment dimension, a behavior dimension, and a content dimension, where the environment dimension may characterize network environment related information that an end user logs in, e.g., login address, login IP, login device, etc.; the behavior dimension can represent information of a terminal login user, such as account social data, message operation data, login running water data and the like of the user; the content dimension may characterize interaction data between a target account login user of the terminal and other users or other functions of the current login application, such as message content, comment content, payment content, and the like between the users. The risk identification model can perform risk identification on account information of the environment dimension, the behavior dimension and the content dimension of the target account, and an identification result of each dimension is obtained. The recognition result of the dimension can represent information whether risk exists in account analysis under the dimension, and can also comprise a risk coefficient value representing the risk.

S205, the server determines a risk identification result of the target account according to the identification result of each dimension.

S206, the server sends the risk identification result to the terminal.

After the identification results of each dimension are obtained, the server can analyze and process the identification results of each dimension according to the risk judging conditions, so that risk identification results of risk assessment on the target account are obtained. Specifically, the identification results of all dimensions can be weighted and calculated to obtain the overall risk identification result of the target account. And comparing and analyzing, namely judging that the target account belongs to the risk account if the identification results of the two dimensions indicate that the target account has risk in the dimension, wherein the identification results of the three dimensions are identification results of the three dimensions. And then the server returns the risk identification result to the terminal, so that the terminal knows that the current account is a risk account, and can execute a control instruction for protecting the account sent by the subsequent server.

Referring to fig. 3, a schematic diagram of a risk identification method for multi-dimensional feature information according to the present application is shown. Account information 301, a risk identification model 302, a dimension identification result 303, and a risk identification result 304 are included in fig. 3.

The account information 301 includes feature information of a first dimension, feature information … … of a second dimension and feature information of an nth dimension, account information is input into the risk identification model 302, the corresponding dimension identification result 303 includes a first dimension identification result, a second dimension identification result … … and an nth dimension identification result, the risk identification result 304 is a comprehensive identification result obtained by analyzing the identification results of each dimension in the dimension identification result 303, and the risk identification result is output to a terminal and/or recorded in a risk identification database of a server.

For example, the target account is an account of the instant messaging application, the obtained account information is information of the instant messaging application of the target user A, the account information comprises characteristic information of three dimensions, and the characteristic information of the login environment dimension is: login location-city A, login IP-IP character B, characteristic information of behavior dimension is characteristic information of content dimension, wherein the login time is 23:00: and sending a message to the classmate B, wherein the message content is that a classmate party photo is uploaded to a network disk, the network disk address is …, the dimension information is input into a risk identification model, the risk equipment model obtains the following identification result based on the judgment of the information, the identification result of each dimension is that the login environment dimension is non-abnormal information, the behavior dimension is abnormal information, and the content dimension is abnormal information, so that the finally output target account has risks.

The following describes the steps of determining the risk identification result of the target account by the server according to the identification result of each dimension in the embodiment of the present application in detail. Referring to fig. 4, a schematic diagram of an embodiment of a method for processing a dimension recognition result in an embodiment of the present application is shown. The dimension recognition results in fig. 4 include a first dimension recognition result and a second dimension recognition result, which represent three possible ways of processing the dimension recognition results in real time to obtain the risk recognition result of the target account.

The first mode is a fusion processing mode, namely, a first dimension identification result and a second dimension identification result are subjected to fusion processing, and a risk identification result of the target account is obtained. For example, setting dimension weight values corresponding to the first dimension and the second dimension, and carrying out weighting processing on the identification result of the first dimension and the identification result of the second dimension to obtain a risk identification result of the target account.

The weight values of the first dimension and the second dimension are estimated to exist according to the possible risk coefficient of the account information represented by the first dimension and the second dimension, for example, the first dimension represents a time dimension, when the account login time of the first dimension is identified, an identification result of the dimension, namely the account login time is obtained as abnormal information, if the weight value is 5, a risk coefficient corresponding to the identification result of the first dimension is output as 5; if the second dimension represents the equipment dimension, when the account login equipment in the second dimension is identified, obtaining the identification result of the dimension, namely that the account login equipment is normal information, and if the weight value is 4, outputting a risk coefficient corresponding to the identification result in the second dimension to be 0; the risk coefficient corresponding to the risk identification result of the target account number may be 5+0 =5, if the risk coefficient of the normal account number is set to 3, the risk coefficient calculated in this case is greater than the risk coefficient of the normal account number, and the target account number is at risk.

The second mode is verification processing, if the identification result of the first dimension meets the preset risk result condition, the identification result of the first dimension is verified according to the identification result of the second dimension, and the risk identification result of the target account is obtained. For example, the identification result of the first dimension indicates that the account information of the dimension has abnormal information, if the account information of the dimension meets the condition of the preset risk result, verification is performed according to the identification result of the second dimension, and if the identification result of the second dimension also meets the condition of the preset risk result, the target account is output as a risk account. The condition of the preset risk result may be that abnormal information exists in the feature information of each dimension, or that an identification coefficient corresponding to the risk identification result of the dimension is higher than a preset first threshold.

The third mode is a step-by-step judgment mode, namely judging whether to recognize the feature information of the next dimension according to the recognition result of the first dimension. For example, if the identification result of the first dimension indicates that the feature information of the dimension has abnormal information, outputting an identification result that the target account belongs to the risk account; if the identification result of the first dimension indicates that the feature information of the dimension does not have abnormal information, verifying the feature information of the second dimension, and if the feature information of the second dimension has abnormal information, outputting the identification result of the target account belonging to the risk account.

Since in the embodiment of the present application, the feature information of each dimension is identified by the risk identification model, fig. 5 is a diagram showing an example of establishing the risk identification model according to the embodiment of the present application, which includes:

s501, acquiring account information of a sample account;

s502, carrying out feature extraction on account information of a sample account to obtain feature information of at least one dimension;

s503, determining portrait information of each dimension according to the feature information of the dimension;

s504, learning the portrait information of each dimension to obtain a risk identification model.

The account information of the sample account is sample data based on accounts of various applications, and the account information of the sample account comprises login flow data, account social behavior data, message operation content data, click and other operation data of a user of the application. Because the acquired data volume is large and the data types are large, the account information needs to be subjected to feature extraction, namely classification of the account information is realized, the feature information of at least one dimension is obtained, the dimension can be corresponding data type information, and at least the feature information of the behavior dimension and the feature information of the content dimension need to be extracted when the account information is subjected to feature extraction. Then, according to the characteristic information of each dimension, the portrait information of the user in the dimension is obtained through analysis, and the portrait information can be updated in real time according to the change of the characteristic information of the corresponding dimension. Typically, the portrait information is a set of user tags or tag groups conforming to a risk range generated from feature information, that is, attributes of users in that dimension can be reflected. The image information in the embodiment of the present application is not fixed but can be updated in real time. Describing with the action dimension, when a user accesses data through a certain account, the user can acquire operations of data access, such as classification of browsing websites, classification of browsing time and the like, if the matched time label is a when the user browses at a site A, the generated portrait information comprises a browsing time label a of the user, and if the risk identification is performed on the user account, when the browsing time of the user does not accord with the time defined by the time label, the account is considered to have risk. However, in the embodiment of the application, the time tag corresponding to the user account is not always unchanged, but when the characteristic information of the dimension changes, and the change meets a specific rule, namely only the characteristic information of the part changes, the information of the other dimensions does not change or only changes in a correlated way, and the corresponding tag and portrait information are updated when the change lasts for a period of time, the identification is performed according to the changed information when the corresponding risk model is identified, so that the user account is not identified as the risk account when the user goes on business or the time zone where the user is located changes.

Finally, the portrait information of each dimension is learned, for example, the portrait information of each dimension can be learned through a preset machine learning algorithm, and a risk identification model is obtained. The preset machine learning algorithm may include at least one of an xgboost algorithm, a linear regression algorithm, a Lasso regression algorithm, a Ridge regression algorithm, a random forest algorithm, a support vector machine and an iterative decision tree, and the built model may be trained by the machine learning method, so that the model result is reasonably evaluated, and important indexes are evaluated as comprehensively as possible, so that the model performs optimally.

If the dimensions include a behavior dimension and a content dimension, the embodiment of the application further includes a process of determining portrait information of the behavior dimension according to feature information of the behavior dimension, which specifically includes:

generating an attribute tag of the behavior dimension of the account according to the characteristic information of the behavior dimension of the account;

and determining portrait information of the behavior dimension of the account based on the attribute tag of the behavior dimension.

The characteristic information of the behavior dimension at least comprises any one of the following items: logging equipment information of the account, common logging time information of the account, access information of the account or network attribute information of the account.

It should be noted that, the feature information of the behavior dimension is behavior data of the user corresponding to the account in a long-term and a near-term time period, wherein the login device information of the account represents commonly used login devices of the account user, such as device identification information of a computer, a terminal and the like; the common login time information of the account refers to the common login time of the user of the account, such as a working day, or a specific time period; the access information of the account number can represent the website frequently accessed by the account number user, related applications or other account number information frequently interacted with; the network attribute information of the account may represent a network environment, such as an IP address, a network connection mode, etc., in which the account is registered.

And determining an attribute tag of the behavior dimension of the user corresponding to the account according to the analysis of the characteristic information of the behavior dimension, wherein the attribute tag can represent attribute clustering of the user corresponding to the account under the characteristic information of the current dimension. Referring to FIG. 6, an exemplary diagram of an attribute tag for a behavior dimension in an embodiment of the present application is shown. In fig. 6, the corresponding application is an instant chat application, and the attribute tags of the behavior dimension of the user corresponding to the account number include 4, where the tag 601 represents a tag of login device information, which is a mobile device; tag 602 represents a tag for login time, which is 21:00-23:00; tag 603 represents a tag of access information of an account, which is a family group; the label 604 is a label identifying the login IP of the account, which is: 192:101: * **. The portrait information of the account user in the behavior dimension is obtained according to the label, and the user uses the IP address to be 192:101 through the mobile device: * Chat is often conducted with a family group or with a related member of a family group at 21:00-23:00.

When the labels are set, for example, a certain user frequently goes on business trip, the labels corresponding to the login IP of the user can be set as the IP of the place where the user frequently goes on business trip and the IP of the work unit, so that the characteristics of the user can be more met when the portrait information of the dimension is generated, and in the subsequent identification process, if the mutation information exists in the feature information, the user can acquire whether the mutation is normal or abnormal.

The portrait information in a certain dimension can also be obtained by processing according to the attribute tags in the dimension, wherein the simplest way is that the portrait information matches the information of all tags in the dimension; the related label can be generated according to the existing label, then the existing label and the related label are determined to be portrait information, for example, the label of a certain dimension comprises a time label, and the use property label of the account can be determined to belong to a working account or a private account through the common login time in the time label, so that the finally generated portrait information comprises information related to the use property label besides the label; the portrait information may be information obtained by deleting some tags, and this method is generally suitable for analyzing account characteristics under certain conditions.

The embodiment of the application also comprises a process for determining portrait information of the content dimension according to the characteristic information of the content dimension, which specifically comprises the following steps:

generating an attribute tag of the content dimension of the account according to the characteristic information of the content dimension of the account;

determining portrait information of the content dimension of the account according to the attribute tag of the content dimension;

the content dimension represents the dimension of content information generated when the account numbers perform data interaction, for example, communication content between a target account number user and other account number users, account number content information input when the target account numbers perform payment or transfer, and the like. The attribute tag of the content dimension reflects the clustering result of the content information and the portrait information of the corresponding content dimension reflects the content of the content information normally transmitted by the user of the account. For example, when a user logs in a chat application through the account, data interaction of related work content is often performed with other accounts, if the account is positioned as a work account, invitation information with a network link address appears, and abnormal content labels of the account are determined.

When the portrait information of each dimension is generated, in addition to all relevant information of the dimension, finer clustering can be performed on the information of the dimension according to time, for example, 24 hours a day is divided into 48 time intervals, the login times of each interval are counted, and the statistical information of the login times can be divided into two dimensions of all histories and 10 recent times to calculate the user common time period labels. Thus, the actual habit and operation of the user can be reflected more accurately. For example, the user's historical login time statistics result in 16:00-20:00, if the user might concentrate on 23:00-24:00 for some special reason, such as going out, for its nearly 10 log-in times, then consideration should be made based on these two dimensions in determining the time tags that are commonly used by the user.

The embodiment of the application also provides a method for identifying feature information of different dimensions, specifically, if the dimensions comprise behavior dimensions, the feature information of the dimensions is input into a risk identification model, and an identification result of the dimensions is output, including:

inputting characteristic information of behavior dimension of a target account into the risk identification model, and detecting mutation information of the characteristic information of the behavior dimension in the risk identification model;

if the mutation information meets the behavior risk identification condition, outputting a risk identification result of the behavior dimension;

and if the mutation information does not meet the behavior risk identification condition, outputting an identification result of the normal mutation of the behavior dimension.

When the dimension includes a content dimension, the inputting the feature information of the dimension into a risk identification model, and outputting the identification result of the dimension includes:

inputting the characteristic information of the content dimension of the target account number into the risk identification model, detecting whether the characteristic information of the content dimension contains risk content in the risk identification model, and if so, outputting a risk identification result of the content dimension;

Or detecting whether the feature information of the content dimension contains risk interaction account information, and if so, outputting a risk identification result of the content dimension.

The risk identification model identifies according to the input characteristic information of the behavior dimension, namely judging whether the input characteristic information accords with the behavior portrait information of the account user, and if so, proving that the characteristic information of the behavior dimension does not have abnormal information; if not, corresponding mutation information indicating information not matching the image information needs to be extracted. In order to improve the accuracy of the judgment, it is not necessary to detect the mutation information, that is, to determine that the feature information of the dimension has abnormal information. The mutation information may be derived from information of normal operation of the user or may be derived from information of abnormal operation of the user, and further judgment needs to be performed according to risk identification conditions, where the risk identification conditions may be conditions determined according to formation conditions and influence content of the mutation information, for example, judging whether the mutation information causes mutation of associated information, and outputting a risk identification result of the dimension only when the mutation information meets the risk identification conditions.

When the dimension comprises a content dimension, inputting characteristic information of the content dimension of the target account number into the risk identification model, detecting whether the characteristic information of the content dimension contains risk content in the risk identification model, and if so, outputting a risk identification result of the content dimension;

Because the actual content interaction data between the accounts does not necessarily exist in each account, for example, the account application is an electronic payment application, and users rarely carry out chat and other communication with users of other accounts through the account, but the user can input information such as a transfer account number, the transfer account number information can be used as characteristic information of a content dimension, namely, the characteristic information of the content dimension is different according to different application scenes. When the risk identification model identifies the characteristic information of the content dimension, the correlation information of the risk content is mainly detected.

Referring to fig. 7, a schematic diagram of a processing system for risk account according to an embodiment of the present application is shown. In fig. 7, it includes: the system comprises an identification server 701, an operation and maintenance server 702 and a terminal 703, wherein the identification server 701 sends a risk identification result of risk of a target account to the operation and maintenance server 702 of the corresponding application of the account, the operation and maintenance server determines the risk attribute of the target account and outputs a corresponding account protection policy, and the account protection policy is a policy for protecting risk accounts with different risk types. The operation and maintenance server 702 sends an execution instruction corresponding to the account protection policy to the terminal 703, so that the terminal can execute the corresponding instruction to achieve protection of the current account.

For example, the risk attribute indicates different types of theft numbers or modes in which the account is located, for example, the risk attribute indicates a mode in which the account is located, and the account registration is abnormal, so that the registration can be directly limited and the account registration is not successful. Under the condition that the login is successful and the theft message is generated, the theft number is directly subjected to number sealing processing, and the account number is notified to be abnormal through a short line or a social platform tool, namely the account number is prompted to be stolen. The protection of the account number can also be realized through control processing of social shielding and message filtering.

The risk identification method of the account of the present application is described below by taking an account of an instant messaging application as an example. Referring to fig. 8, a schematic diagram of a risk identification method for an account of an instant messaging application in an embodiment of the present application is shown, which specifically includes:

the user A logs in the instant messaging application through the terminal equipment, the terminal sends acquired account information of the user A to the server, wherein the account information comprises three dimensions of information:

801. environmental dimension information;

802. behavior dimension information;

803. content dimension information.

Wherein the environment dimension information includes: terminal serial number, login IP/IPC serial number, network connection mode-wireless network connection; the behavior dimension information includes: logging in time and an interactive target account; the content dimension information includes interactive content with the target account, such as "please access the following links, get preferential content".

And then, the server performs risk identification on the information of each dimension by using a risk identification model, and the identification on the environment dimension is mainly performed on the login equipment serial number and the login IP serial number, and the network connection mode is analyzed and detected. The behavior dimension is mainly used for analyzing and detecting the logging frequently-used places and frequently-used time, frequently-used protocols, frequently-used interaction accounts and other user habits, and the abnormal probability output under the dimension can be realized by utilizing the abnormal classification function of the risk model. The content dimension mainly detects the operation behavior abnormality related to the message, the interaction account habit abnormality related to the message, the clustering degree of the message, the content abnormality and the like, finally realizes the abnormality analysis of the risk identification model on each dimension, and outputs a risk identification result, namely the content abnormality and the aggregation score.

If the account is identified as a risk account, the user A of the account may not be the real user of the account, the current account is subjected to the number sealing processing, and the related information of the number sealing processing is sent to the terminal of the real user B of the account, namely the server outputs two parts of contents, including:

804. sending a control instruction to a terminal of the user A so that the current account logged in by the user A is offline;

805. And sending the sign indicating information to a terminal of the user B, so that the user B knows that the account number is in a sign-on state.

It should be noted that, the risk identification method of the account provided by the application can also be used for carrying out risk identification on the login behavior data of the black product simulation or the fake user, and the purpose of carrying out account forging on the black product can be obtained, namely, the normal account, the abnormal account with the number keeping function and the stolen account can be effectively distinguished.

For example, risk identification is performed on account information of an account, that is, three dimensions of behavior abnormality, content abnormality and account abnormality are mainly identified, wherein the behavior abnormality may include login region abnormality, login time period abnormality, login scene and protocol abnormality, operation time and protocol abnormality; the content anomaly may include IP of the message, regional anomaly, terminal source anomaly of the message, interactor anomaly in the message and transmission time period anomaly of the message; account anomalies may include: abnormal login liveness, abnormal message liveness, abnormal social attribute and the like.

For example, a message content that is typically low in content anomaly or low in content aggregation may be information that is not associated and that represents the status of the user, such as "Beijing, I have come" in the published mood; content with high content anomaly and high aggregation generally includes guidance content for network links, such as "party photos uploaded to" and clicks to get bonus red packages "; content anomaly, content with low aggregation level generally includes guiding information for the same account, such as "latest movie, please add number 124; chat with beautiful beauty, please add the number 124'

The abnormal behavior score of the normal account is low, and the content abnormality/aggregation degree is low; the number keeping account has low abnormal score, high content abnormality/aggregation degree and low aggregation abnormality score, and the number keeping account has no obvious mutation in behavior habit, is mainly always a malicious account, and can be frequently used for brushing and logging actively. The theft number has higher abnormality in login and operation behaviors and content level.

The method can creatively combine the behavior and the content data from the final malicious expression form of the stolen account, namely the final income point, extract the multidimensional effective characteristics and comprehensively judge the stolen account. The stolen identification coverage rate can be effectively improved, multidimensional stolen abnormal evidence extraction is carried out on behaviors and contents, and interpretability is realized when a user feeds back complaints; and the stolen malicious phishing links, text images and the like can be analyzed, and sample data can be provided for phishing and junk texts and contents.

It should be noted that, when abnormal information in the content is monitored, the information can be stored in a sample library of the abnormal content, and when the risk identification model is updated in real time, correspondingly, when the behavior information of the user is changed normally, the portrait information of the corresponding dimension is also required to be updated, so as to ensure the real-time accuracy of the risk identification result.

In still another aspect, the present application further provides a risk identification device for an account, referring to fig. 9, which shows a schematic diagram of an embodiment of a risk identification device for an account according to the present application, where the device of the present embodiment may be applied to a server, and the device may include:

an information obtaining unit 901, configured to obtain account information of a target account to be detected, where the account information includes at least feature information of a behavior dimension and feature information of a content dimension;

the identifying unit 902 is configured to sequentially input feature information of at least one dimension into a risk identification model to obtain a corresponding identification result, where the risk identification model is used to predict whether feature information of each dimension in the account information is abnormal information;

and a result determining unit 903, configured to determine a risk identification result of the target account according to the identification result of each dimension.

In one possible case, the recognition result in the recognition unit 902 includes a recognition result of a first dimension and a recognition result of a second dimension, and the result determination unit includes:

and the fusion processing subunit is used for carrying out fusion processing on the identification result of the first dimension and the identification result of the second dimension to obtain a risk identification result of the target account.

Alternatively, the fusion processing subunit may be specifically configured to:

and weighting the identification result of the first dimension and the identification result of the second dimension according to the dimension weight values corresponding to the first dimension and the second dimension to obtain a risk identification result of the target account.

Optionally, the result determining unit further includes:

and the verification subunit is used for verifying the identification result of the first dimension according to the identification result of the second dimension to obtain the risk identification result of the target account if the identification result of the first dimension meets the preset risk result condition. Optionally, the apparatus may further include: a model creation unit including:

the sample information acquisition subunit is used for acquiring account information of a sample account;

the characteristic extraction subunit is used for carrying out characteristic extraction on the account information of the sample account to obtain characteristic information of at least one dimension, wherein the dimension at least comprises a behavior dimension and a content dimension;

the portrait determining subunit is used for determining portrait information of each dimension according to the feature information of the dimension, and the portrait information can be updated in real time according to the change of the feature information of the corresponding dimension;

And the information learning subunit is used for learning the portrait information of each dimension to obtain a risk identification model. In yet another possible implementation, the portrait determination subunit may be configured to:

generating an attribute tag of the behavior dimension of the account according to the characteristic information of the behavior dimension of the account, wherein the characteristic information of the behavior dimension at least comprises any one of the following: logging equipment information of an account, common logging time information of the account, access information of the account or network attribute information of the account;

determining portrait information of the behavior dimension of the account based on the attribute tag of the behavior dimension;

or alternatively

Generating an attribute tag of the content dimension of the account according to the characteristic information of the content dimension of the account, wherein the content dimension represents the dimension of content information generated when the account performs data interaction;

optionally, the identification unit is specifically configured to: inputting characteristic information of behavior dimension of a target account into the risk identification model, and detecting mutation information of the characteristic information of the behavior dimension in the risk identification model;

if the mutation information does not meet the behavior risk identification condition, outputting an identification result of the normal mutation of the behavior dimension;

or alternatively

Optionally, the apparatus further comprises:

the risk attribute determining unit is used for determining the risk attribute of the target account according to the risk identification result of the target account;

and the policy execution unit is used for executing an account protection policy corresponding to the risk attribute on the target account.

On the other hand, the present application also provides a terminal, for example, referring to fig. 10, which shows a schematic structural diagram of the terminal of the present application, the terminal 1000 of this embodiment may include: a processor 1001 and a memory 1002.

Optionally, the terminal may further comprise a communication interface 1003, an input unit 1004 and a display 1005 and a communication bus 1006.

The processor 1001, the memory 1002, the communication interface 1003, the input unit 1004, the display 1005, and the like all perform communication with each other via the communication bus 1006.

In an embodiment of the present application, the processor 1001 may be a central processing unit (Central Processing Unit, CPU), an asic, a dsp, an off-the-shelf programmable gate array, or other programmable logic device.

The processor may call programs stored in memory 1002. Specifically, the processor may execute the operations executed by the application server in the following embodiments of the risk identification method of the account.

The memory 1002 is used to store one or more programs, and the programs may include program code that includes computer operation instructions, and in an embodiment of the present application, at least the programs for implementing the following functions are stored in the memory:

In one possible implementation, the memory 1002 may include a storage program area and a storage data area, where the storage program area may store an operating system, and at least one application program required for functions (such as an information output function, etc.), and so on; the storage data area may store data created during use of the computer, such as risk identification models and account data, and the like.

In addition, the memory 1002 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device or other volatile solid-state storage device.

The communication interface 1003 may be an interface of a communication module, such as an interface of a GSM module.

The application may also comprise a display 1004 and an input unit 1005 etc.

Of course, the structure of the terminal shown in fig. 10 is not limited to the terminal in the embodiment of the present application, and the terminal may include more or less components than those shown in fig. 10 or may combine some components in practical applications.

On the other hand, the embodiment of the application also provides a storage medium, wherein the storage medium stores computer executable instructions, and when the computer executable instructions are loaded and executed by a processor, the risk identification method of the account executed by the server side in any embodiment is realized.

It should be noted that, in the present specification, each embodiment is described in a progressive manner, and each embodiment is mainly described as different from other embodiments, and identical and similar parts between the embodiments are all enough to be referred to each other. For the apparatus class embodiments, the description is relatively simple as it is substantially similar to the method embodiments, and reference is made to the description of the method embodiments for relevant points.

Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises an element.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.

Claims

1. The risk identification method for the account is characterized by comprising the following steps of:

sequentially inputting the feature information of at least one dimension into a risk identification model to obtain a corresponding identification result, wherein the risk identification model is used for predicting whether the feature information of each dimension in the account information is abnormal information; the identification result comprises an identification result of a first dimension and an identification result of a second dimension;

According to the identification result of each dimension, determining the risk identification result of the target account number specifically comprises the following steps:

if the identification result of the first dimension indicates that the characteristic information of the first dimension has abnormal information, determining that the identification result of the first dimension meets a preset risk result condition; verifying the identification result of the first dimension according to the identification result of the second dimension, and if the identification result of the second dimension also meets the preset risk result condition, obtaining a risk identification result of the target account belonging to a risk account;

or alternatively, the process may be performed,

if the identification result of the first dimension indicates that the characteristic information of the first dimension has abnormal information, acquiring a risk identification result of the target account belonging to a risk account; if the identification result of the first dimension indicates that the characteristic information of the first dimension does not have abnormal information, the characteristic information of the second dimension is identified, and if the identification result of the second dimension indicates that the characteristic information of the second dimension has abnormal information, a risk identification result that the target account belongs to a risk account is obtained.

2. The method according to claim 1, characterized in that the method further comprises:

Acquiring account information of a sample account;

3. The method of claim 2, wherein the dimensions include behavior dimensions, and wherein the determining representation information for the dimensions based on the feature information for each dimension includes:

when the dimension includes a content dimension, determining portrait information of the dimension according to the feature information of each dimension includes:

and determining portrait information of the content dimension of the account according to the attribute label of the content dimension.

4. The method of claim 1, wherein the dimensions include behavioral dimensions, the inputting feature information of the dimensions into a risk recognition model, outputting recognition results of the dimensions, comprising:

5. The method according to claim 1, characterized in that the method further comprises:

6. A risk identification device for an account, comprising:

the identification unit is used for sequentially inputting the characteristic information of at least one dimension into the risk identification model to obtain a corresponding identification result, wherein the risk identification model is used for predicting whether the characteristic information of each dimension in the account information is abnormal information or not; the identification result comprises an identification result of a first dimension and an identification result of a second dimension;

A result determining unit, configured to determine that the recognition result of the first dimension meets a preset risk result condition if the recognition result of the first dimension indicates that the feature information of the first dimension has abnormal information; verifying the identification result of the first dimension according to the identification result of the second dimension, and if the identification result of the second dimension also meets the preset risk result condition, obtaining a risk identification result of the target account belonging to a risk account;

or the result determining unit is configured to obtain a risk identification result that the target account belongs to a risk account if the identification result of the first dimension indicates that the feature information of the first dimension has abnormal information; if the identification result of the first dimension indicates that the characteristic information of the first dimension does not have abnormal information, the characteristic information of the second dimension is identified, and if the identification result of the second dimension indicates that the characteristic information of the second dimension has abnormal information, a risk identification result that the target account belongs to a risk account is obtained.

7. The apparatus of claim 6, wherein the apparatus further comprises:

and the information learning subunit is used for learning the portrait information of each dimension to obtain a risk identification model.

8. The apparatus of claim 7, wherein the dimensions comprise a behavior dimension, the representation determination subunit being operable to:

When the dimension includes a content dimension, the image determination subunit is specifically configured to:

9. The apparatus according to claim 6, wherein the dimensions comprise a behavior dimension, the identifying unit being specifically configured to:

when the dimension includes a content dimension, the identifying unit is specifically configured to:

10. The apparatus of claim 6, wherein the apparatus further comprises:

11. A storage medium having stored therein computer executable instructions which, when loaded and executed by a processor, implement the method of risk identification of an account number according to any one of claims 1 to 5.

12. The risk identification terminal of the account is characterized by comprising a memory and a processor;

the memory is used for storing programs;

the processor is configured to invoke the program to perform the risk identification method of an account number as claimed in any of the claims 1 to 5.