CN110795807B - Construction method of element abnormal structure detection model based on complex network - Google Patents
Construction method of element abnormal structure detection model based on complex network Download PDFInfo
- Publication number
- CN110795807B CN110795807B CN201911033009.1A CN201911033009A CN110795807B CN 110795807 B CN110795807 B CN 110795807B CN 201911033009 A CN201911033009 A CN 201911033009A CN 110795807 B CN110795807 B CN 110795807B
- Authority
- CN
- China
- Prior art keywords
- transaction
- point
- burst
- client
- suspicious
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
- G06Q10/063—Operations research, analysis or management
- G06Q10/0635—Risk analysis of enterprise or organisation activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q40/00—Finance; Insurance; Tax strategies; Processing of corporate or income taxes
- G06Q40/02—Banking, e.g. interest calculation or account maintenance
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q40/00—Finance; Insurance; Tax strategies; Processing of corporate or income taxes
- G06Q40/04—Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02A—TECHNOLOGIES FOR ADAPTATION TO CLIMATE CHANGE
- Y02A90/00—Technologies having an indirect contribution to adaptation to climate change
- Y02A90/10—Information and communication technologies [ICT] supporting adaptation to climate change, e.g. for weather forecasting or climate simulation
Abstract
The invention discloses a method for constructing an element abnormal structure detection model based on a complex network, which mainly comprises the following steps: firstly, constructing a transaction relation network according to the dependent bank transaction running water by utilizing the extracted transaction relation, finding out the burst time interval of the transaction and calculating the abnormal value of each customer; then, a suspicious client is found out in the transaction burst interval and a suspicious maximum connected subgraph is detected. The method provided by the invention describes the suspicious degree of each client in a more formal way and is used for detecting the real-world transaction network fraud with large-scale edge attributes. The invention digs the inherent characteristics of the nodes from the behavior information of the client nodes, researches the behavior of the nodes on time sequence, describes the characteristics of the nodes more accurately, and digs the essence of the client.
Description
Technical Field
The invention belongs to the field of data mining, and discloses a method for constructing an element abnormal structure detection model based on a complex network, wherein a transaction relation network is constructed according to an extracted transaction relation, and illegal fund collection triggering events in transaction information are mined according to the network.
Background
Banks and insurers lose billions of dollars annually for fraud. Traditional methods of fraud detection play an important role in reducing these losses. Fraudsters escape discovery through a variety of sophisticated methods and build false identities in a variety of other ways. Although the specific details of fraud vary from operation to operation, the following modes illustrate the general manner in which a rogue group operates: (1) two or more people form a fraud group; (2) Groups share a subset of legal contact information, such as telephone numbers and addresses, which are combined together to create some composite identity; (3) Using these composite identities, group members open accounts for fraud.
The inherent power of the complex network to mine the transaction is utilized, the novel method for revealing the fraud ring and other complex fraud offices has high accuracy, and advanced fraud scenes can be prevented in real time. Although perfect without any fraud prevention measures, it is possible to implement a connection from a single data point to a complex transaction network and to find out abnormal sub-patterns, providing a priori knowledge for the analysis of the abnormal behaviour patterns at a later time. Typically, these connections will be ignored. Understanding the links between data and deriving meaning from these links does not mean that new data is collected, and we can gain important insight from existing data.
With complex networks, only the problem needs to be reconstructed and viewed in a new way: as a network. Unlike most other ways of viewing data, networks are intended to express relevance. Complex networks may find patterns that are difficult to detect using conventional representations. More and more companies are using complex networks to address various connection data issues, including fraud detection. The present invention discusses illegal funding in fraud detection.
The final purpose of the invention is to complete the illegal funding behavior mining of commercial banking by researching the topological structure and the node attribute value on the basis of the banking transaction network which is constructed by utilizing the mass data of the banking and is integrated with the multi-element attribute, thereby providing practical and valuable opinion for the scientific establishment of the operation strategy of the banking and having certain theoretical significance and application value.
Disclosure of Invention
The invention mainly digs out illegal funded partners in the transaction network, digs out the internal relation between funded behavior clients and finds out the operation rule of the clients. The method has wide application value in fraud detection, and can help banks and clients to timely control unnecessary losses.
The technical scheme of the invention is that the construction method of the element abnormal structure detection model based on the complex network mainly comprises the following two processes of firstly constructing a transaction relation network according to the dependent bank transaction running water by utilizing the extracted transaction relation, finding out the burst time interval of the transaction and calculating the abnormal value of each customer. Then, the suspicious client is found out in the transaction burst interval and the suspicious maximum connected subgraph (namely the illegally funded subgraph) is detected
(1) According to the transaction relationship, the method comprises the following steps (see fig. 1):
a. firstly, cleaning and selecting data in a row, extracting a transaction relation, butting transaction running water with customer account information, and finally, screening and decrypting private data related to personal privacy.
b. And modeling and analyzing a real transaction relation network to give formal definition G= (V, E, M and T) of illegal funding behavior of a model, wherein V represents node sets in a diagram, S represents clients in a node row, E represents an edge set in the diagram, represents transaction relation among clients, M represents the amount of money of a transaction, and T represents the occurrence time of the transaction.
c. Next we introduce a scanning statistic to calculate the suspicious of the transacting client nodes, which is mainly a mathematical variable in the network environment and can be applied to detect a sudden increase in the observed data on a sub-graph, where the observed data represents the observed value of each node on the sub-graph S. Since the regularity of the data is difficult to observe, we often cannot find a suitable probability model. For such challenges we generally use empirical P values to model the distribution of data.
The empirical P value P of the client v at time T T (v) Such as the formula:
an empirical P value is assigned to each vertex. To detect anomalies in the data, a confidence level α is given (in practice, α=0.15 is often taken).
d. Further we have to find short bursts and extinction intervals in the transaction network. General illegitimateThe funding can be performed in a short time, and suddenly disappears after the funding is completed. To consider the burst and extinction modes described above, we need to determine the start of an outbreak and the end of a drop in the time series T. The burst point is (t) m ,c m ) Maximum value of c m . We do an auxiliary line from the start point to the burst point to determine the wake point. Transaction time sequence T (red line), auxiliary line iota (black dashed line), auxiliary line from lower left point (T 0 ,c 0 ) To the upper right point (t m ,c m ) Then the maximum point (t m ,c m ) Is the point on the graph at which the distance to the auxiliary line is greatest. I.e. wake point (t) a ,c a ) Satisfy (as in fig. 2):
e. we find the awakening point, of course, we can find the vanishing point by the same method, then find deltac (the height difference between the explosion point and the awakening point), the slope between the two points, the explosion interval (the period from the awakening point to the explosion point), and so on, we consider the remarkable multiple bursts of the node, and let the height difference of the awakening explosion point pairs occupy at least the first 50% of the time series, that is, the height difference is too small, and we find the transaction explosion interval so far.
(2) By using the calculated burst interval and the suspicious degree of the client, we excavate an illegal funding behavior subgraph (see figure three):
a. first, for an outlier sub-graph, there are two very intuitive properties, namely: (1) The outlier should contain as many outlier vertices as possible; (2) The outlier should contain as few normal nodes as possible.
b. And calculating the P value of the client in each burst interval by using the calculated burst interval, and then constructing a small transaction network.
c. To satisfy the two properties described above and to have to construct a connected subgraph, we consider the use of a greedy algorithm: firstly, in a time window, selecting k (k=5) client points with minimum P values in a model, namely the most suspicious points, and then gradually iterating, similar to a minimum spanning tree algorithm, to construct the most suspicious illegal fund group.
d. Evaluating the result of causal relation network prediction, wherein the calculation accuracy P value, recall R value and F value are adopted for evaluation, and the calculation accuracy is as follows:
the formula for calculating recall is as follows:
the formula for calculating the F value is as follows
Advantageous effects
The method provided by the invention describes the suspicious degree of each client in a more formal way and is used for detecting the real-world transaction network fraud with large-scale edge attributes. The invention digs the inherent characteristics of the nodes from the behavior information of the client nodes, researches the behavior of the nodes on time sequence, describes the characteristics of the nodes more accurately, and digs the essence of the client.
The method has good expansibility, is a linear model, and can be applied to the field of illegal funding of banks and any network mining field with time attribute.
Drawings
FIG. 1 is a flow chart of illegal funding behavior detection based on a transaction network;
FIG. 2 is a calculation of burst interval;
fig. 3 is an illustration of a digger sub-graph.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
The illegal funding behavior detection method based on the complex network is mainly applied to finding out illegal funding behaviors and finding out the operation rule of the illegal funding behaviors. In mining illegal group parties, this may be done as described below.
The first step: firstly, we obtain the transaction data of the bank, and mainly wash the data of the transaction flow of the bank.
And a second step of: and preprocessing the data, removing redundant data, and performing decryption processing, such as id (in-line card number) of the client, in order to protect privacy of the client in the line.
And thirdly, constructing a transaction network according to a ternary relation model, wherein the transaction network is G= (V, E, M and T), the nodes in the meaning are transaction nodes among clients, and the attributes on the edges comprise transaction time and transaction amount.
And finally, calculating the burst point in the network by using a formula (2), wherein the time interval from the burst point to the next highest point (at the peak) is a recursive process, and a plurality of burst intervals are calculated, so that the burst interval with a relatively large burst degree is considered, and the product of the height difference and the slope (the slope of the burst point and the highest point) of the burst interval is used as the judging standard of the burst interval according to the specification. Such a time span of burst intervals for a plurality of transactions is obtained.
Fifth step: counting the number of times of turning out, the number of times of turning in, the amount of turning out and the amount of turning in of each customer respectively in the time intervals obtained above, then calculating the abnormal value of the number of times of transactions of the customers of the four indexes in each burst interval respectively according to a formula (1), solving the minimum value in the four values as the abnormal value p value of the customer, and screening the customers with the threshold value smaller than 0.15 as suspicious customer candidate sets in the interval.
Sixth step: at this time, in each burst interval, we use a greedy algorithm according to the outlier of each client: firstly, in a time window, selecting k (k=5) client points with the smallest P value, namely the most suspicious points, then iterating step by step, similar to a minimum spanning tree algorithm, adding the points with the smallest P value each time until a maximum connected subgraph is formed, finally judging whether the constructed maximum connected subgraph is of a star-shaped structure or a ring-shaped structure structurally, and if so, obtaining a detection result of the user. Therefore, the method is constrained according to the time sequence analysis and the network structure, and the effectiveness of the method is guaranteed. The subgraph thus mined in the burst interval is the most suspicious illegal fund group.
Claims (2)
1. The method for constructing the illegal funding behavior detection model based on the complex network is characterized by comprising the following steps:
firstly, constructing a transaction relation network according to the dependent bank transaction running water by utilizing the extracted transaction relation, finding out the burst time interval of the transaction and calculating the suspicious degree P of each client;
then, a suspicious client is found out in a transaction burst interval, and a suspicious maximum connected subgraph is detected;
the transaction relationship comprises the following steps:
a. firstly, cleaning and selecting data in a row, extracting a transaction relation, butting transaction running water with customer account information, and finally, screening and decrypting private data related to personal privacy;
b. modeling and analyzing a real transaction relation network to give formal definition of illegal funding behavior of the model:
G=(V,E,M,T)
v represents node set in the diagram, node represents clients in the row, S represents a transaction sub-diagram, E represents edge set in the diagram, represents transaction relation among clients, M represents money of transaction, and T represents time of transaction;
c. next, introducing scanning statistics to calculate the suspicious of the transaction client node, wherein the scanning statistics refer to a mathematical variable in the network environment and are applied to detect a sudden increase in observed data on a sub-graph, wherein the observed data represents the observed value of each node on the sub-graph S;
modeling distribution of data using empirical P-values, the empirical P-values P of the client v at time T T (v) Such as the formula:
assigning an empirical P value to each vertex, giving a confidence level α for detecting anomalies in the data;
d. finding short burst and extinction intervals in the transaction network:
generally, illegal funding can conduct funding in a short time, and suddenly disappears after the funding is completed;
to consider the burst and extinction modes described above, it is necessary to determine the start point of an outbreak and the end point of a drop in the transaction time series T: the burst point is (t) m ,c m ) Maximum value of c m ;
Transaction time sequence T, auxiliary line iota, auxiliary line from lower left point (T 0 ,c 0 ) To the upper right point (t m ,c m ) Then the maximum point (t m ,c m ) Is the point of maximum distance from the transaction time series to the auxiliary line, and (t) a ,c a ) The method meets the following conditions:
e. the same method finds the extinction point, then finds Δc, Δc is the height difference between the burst point and the wake point, and the slope between the two points, and also the burst interval, namely the time period from the wake point to the burst point, the height difference of the wake burst point pair at least accounts for the first 50% of the time sequence, namely the height difference is too small, and the transaction burst interval is found out without consideration.
2. The method for constructing an illegal funding behavior detection model based on a complex network according to claim 1, wherein the method for mining an illegal funding behavior subgraph by using the calculated burst interval and the customer's suspicious degree comprises the following steps:
a. for outlier subgraphs, there are two very intuitive properties, namely: (1) The outlier should contain as many outlier vertices as possible; (2) The outlier should contain as few normal nodes as possible;
b. calculating the P value of the client in each burst interval by using the calculated burst interval, and then forming a small transaction network;
c. in order to satisfy the two properties described above and must constitute a connected subgraph, consider the use of a greedy algorithm: firstly, selecting k client points with the minimum P value and the most suspicious points in a time window, and then gradually iterating, similar to a minimum spanning tree algorithm, to construct the most suspicious illegal fund group;
d. and evaluating the result of causal relation network prediction, wherein the calculation accuracy Pre value, the recall rate R value and the F value are adopted for evaluation, and the calculation accuracy is as follows:
the formula for calculating recall is as follows:
the formula for calculating the F value is as follows
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911033009.1A CN110795807B (en) | 2019-10-28 | 2019-10-28 | Construction method of element abnormal structure detection model based on complex network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911033009.1A CN110795807B (en) | 2019-10-28 | 2019-10-28 | Construction method of element abnormal structure detection model based on complex network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110795807A CN110795807A (en) | 2020-02-14 |
CN110795807B true CN110795807B (en) | 2023-07-18 |
Family
ID=69441646
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911033009.1A Active CN110795807B (en) | 2019-10-28 | 2019-10-28 | Construction method of element abnormal structure detection model based on complex network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110795807B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112069964A (en) * | 2020-08-31 | 2020-12-11 | 天津大学 | Abnormal person relation network mining method based on image recognition technology |
CN114401136B (en) * | 2022-01-14 | 2023-05-05 | 天津大学 | Rapid anomaly detection method for multiple attribute networks |
CN114884688B (en) * | 2022-03-28 | 2023-07-04 | 天津大学 | Federal anomaly detection method across multi-attribute networks |
CN116029734B (en) * | 2023-03-23 | 2023-06-13 | 华侨大学 | Bank transaction fraud detection method, system and electronic equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107169864A (en) * | 2017-05-31 | 2017-09-15 | 天云融创数据科技(北京)有限公司 | A kind of card holder's risk of fraud feature extracting method based on complex network |
CN109461078A (en) * | 2018-10-22 | 2019-03-12 | 中信网络科技股份有限公司 | A kind of abnormal transaction identification method and system based on funds transaction network |
CN109754258A (en) * | 2018-12-24 | 2019-05-14 | 同济大学 | It is a kind of based on individual behavior modeling towards online trading fraud detection method |
CN109919608A (en) * | 2018-11-28 | 2019-06-21 | 阿里巴巴集团控股有限公司 | A kind of recognition methods, device and the server of high-risk transaction agent |
CN110263827A (en) * | 2019-05-31 | 2019-09-20 | 中国工商银行股份有限公司 | Abnormal transaction detection method and device based on transaction rule identification |
-
2019
- 2019-10-28 CN CN201911033009.1A patent/CN110795807B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107169864A (en) * | 2017-05-31 | 2017-09-15 | 天云融创数据科技(北京)有限公司 | A kind of card holder's risk of fraud feature extracting method based on complex network |
CN109461078A (en) * | 2018-10-22 | 2019-03-12 | 中信网络科技股份有限公司 | A kind of abnormal transaction identification method and system based on funds transaction network |
CN109919608A (en) * | 2018-11-28 | 2019-06-21 | 阿里巴巴集团控股有限公司 | A kind of recognition methods, device and the server of high-risk transaction agent |
CN109754258A (en) * | 2018-12-24 | 2019-05-14 | 同济大学 | It is a kind of based on individual behavior modeling towards online trading fraud detection method |
CN110263827A (en) * | 2019-05-31 | 2019-09-20 | 中国工商银行股份有限公司 | Abnormal transaction detection method and device based on transaction rule identification |
Also Published As
Publication number | Publication date |
---|---|
CN110795807A (en) | 2020-02-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110795807B (en) | Construction method of element abnormal structure detection model based on complex network | |
Zhang et al. | Inference attacks against graph neural networks | |
JP4677569B2 (en) | Network abnormality detection method and network abnormality detection system | |
CN108681936A (en) | A kind of fraud clique recognition methods propagated based on modularity and balance label | |
CN109800573B (en) | Social network protection method based on degree anonymity and link disturbance | |
CN113064932B (en) | Network situation assessment method based on data mining | |
CN111738817B (en) | Method and system for identifying risk community | |
CN109218321A (en) | A kind of network inbreak detection method and system | |
CN108765179A (en) | A kind of credible social networks analysis method calculated based on figure | |
Li et al. | Intelligent anti-money laundering solution based upon novel community detection in massive transaction networks on spark | |
CN113378160A (en) | Graph neural network model defense method and device based on generative confrontation network | |
CN113821793A (en) | Multi-stage attack scene construction method and system based on graph convolution neural network | |
Juvonen et al. | An efficient network log anomaly detection system using random projection dimensionality reduction | |
CN113422763A (en) | Alarm correlation analysis method constructed based on attack scene | |
CN113420802A (en) | Alarm data fusion method based on improved spectral clustering | |
CN109753797A (en) | For the intensive subgraph detection method and system of streaming figure | |
CN113225337A (en) | Multi-step attack alarm correlation method, system and storage medium | |
Li et al. | An intrusion detection system based on polynomial feature correlation analysis | |
Lata et al. | A comprehensive survey of fraud detection techniques | |
Liu et al. | Improving fraud detection via hierarchical attention-based graph neural network | |
Nathiya et al. | An effective way of cloud intrusion detection system using decision tree, support vector machine and Naïve bayes algorithm | |
Bhargavi et al. | Transactional data analytics for inferring behavioural traits in ethereum blockchain network | |
Li et al. | Enhancing federated learning robustness through clustering non-IID features | |
CN111901137A (en) | Method for mining multi-step attack scene by using honeypot alarm log | |
Gulyás et al. | Using Identity Separation Against De-anonymization of Social Networks. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |