CN111861240A - Suspicious user identification method, device, equipment and readable storage medium - Google Patents

Publication number
CN111861240A
Authority
CN
China
Legal status
Pending
Application number
CN202010733889.XA
Other languages
Chinese (zh)
Inventor
吴泽衡
朱振文
谭圣琦
周古月
徐倩
杨强
Current Assignee
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0639 Performance analysis of employees; Performance analysis of enterprise or organisation operations
    • G06Q10/06393 Score-carding, benchmarking or key performance indicator [KPI] analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00 Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10 Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G06V40/16 Human faces, e.g. facial parts, sketches or expressions
    • G06V40/161 Detection; Localisation; Normalisation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06V IMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00 Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10 Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G06V40/16 Human faces, e.g. facial parts, sketches or expressions
    • G06V40/168 Feature extraction; Face representation

Abstract

The invention discloses a method, a device, equipment and a readable storage medium for identifying suspicious users, wherein the method comprises the following steps: acquiring historical behavior data of each service operation record based on a user to be identified; calculating risk factors under risk indexes based on the historical behavior data, wherein the risk indexes at least comprise one or more of one-person multi-equipment indexes, one-person multi-identity indexes, suspicious background indexes and suspicious micro-expression indexes; and obtaining a suspicious identification result of the user to be identified according to the risk factor. The invention improves the accuracy of the suspicious identification result obtained by carrying out the suspicious identification on the user.

Description

Suspicious user identification method, device, equipment and readable storage medium
Technical Field
The invention relates to the technical field of artificial intelligence, in particular to a suspicious user identification method, a suspicious user identification device, suspicious user identification equipment and a readable storage medium.
Background
At present, identity verification is required in many scenarios to prevent criminals from carrying out illegal activities through identity forgery. For example, when certain key services are handled in a financial system, the transaction and its verification are completed by interacting with the person handling the business over remote video. Because this process lacks face-to-face interaction, criminals can use various fraudulent means to carry out internet financial activities and obtain improper rights and interests. The person handling the business therefore needs to be authenticated to ensure the stability and security of financial services.
Face recognition and living body detection are common means of identity authentication: a face image of the user is acquired to check whether the user is who they claim to be. However, in some scenarios a user may pass face verification by forging an identity card or identity information, thereby deceiving face recognition and living body detection. The existing identity verification means of face recognition and living body detection therefore have certain limitations, and the recognition result is not accurate enough.
Disclosure of Invention
The main object of the invention is to provide a suspicious user identification method, device, equipment and readable storage medium, aiming to solve the problem that the existing identity verification means of face recognition and living body detection have certain limitations and that the recognition result is not accurate enough.
In order to achieve the above object, the present invention provides a method for identifying a suspicious user, comprising the following steps:
acquiring historical behavior data of each service operation record based on a user to be identified;
calculating risk factors under risk indexes based on the historical behavior data, wherein the risk indexes at least comprise one or more of one-person multi-equipment indexes, one-person multi-identity indexes, suspicious background indexes and suspicious micro-expression indexes;
and obtaining a suspicious identification result of the user to be identified according to the risk factor.
Optionally, when the risk indicator includes a one-person multi-device indicator, the historical behavior data includes device identifiers corresponding to respective business operations of the user to be identified,
the step of calculating a risk factor under a risk indicator based on the historical behavior data comprises:
and counting the number of the devices according to the device identifications to obtain a risk factor of one person with multiple devices based on the number of the devices, wherein the same device identification is marked as the same device.
Optionally, when the risk indicator includes a one-person multi-identity indicator, the historical behavior data includes an identity card photo sequence composed of user identity card photos corresponding to each business operation of the user to be identified, and an identification photo sequence composed of user identification photos,
the step of calculating a risk factor under a risk indicator based on the historical behavior data comprises:
combining the photos in the identity card photo sequence and the photos in the identification photo sequence in pairs to obtain each photo combination;
and respectively carrying out face recognition on each photo combination to obtain a face matching result corresponding to each photo combination, and obtaining a one-person multi-identity risk factor according to each face matching result.
Optionally, when the risk indicator includes a suspicious background indicator, the historical behavior data includes a user identification photo corresponding to at least one business operation of the user to be identified and a user identification photo based on a business operation record of a historical user except the user to be identified,
the step of calculating a risk factor under a risk indicator based on the historical behavior data comprises:
respectively carrying out background separation operation on each user identification photo to obtain each background picture data;
inputting the background picture data into a preset background feature extraction model respectively for feature extraction to obtain background features;
and clustering each background feature to obtain a cluster, counting the number of users associated with each background feature in a target cluster, and obtaining a suspicious background risk factor based on the number of the users, wherein the target cluster is the cluster in which the background feature corresponding to the user to be identified is located.
Optionally, before the step of inputting each piece of background picture data into a preset background feature extraction model for feature extraction to obtain each background feature, the method further includes:
acquiring a training data set, wherein each piece of training data in the training data set respectively comprises three pieces of background image data, and two pieces of background image data belong to the same type of background;
and training the feature extraction model to be trained by adopting the training data set to obtain the background feature extraction model, wherein a loss function in the training process is a loss function which minimizes the absolute value of the difference between a first distance and a second distance, the first distance is the distance between the background features of two background image data of the same type in the training data, and the second distance is the distance between the background features of two background data of different types in the training data.
Optionally, when the risk indicator includes a suspicious micro-expression indicator, the historical behavior data includes a user video corresponding to at least one business operation of the user to be identified,
the step of calculating a risk factor under a risk indicator based on the historical behavior data comprises:
inputting each video frame in the user video into a preset sequence micro expression recognition model to obtain an expression category corresponding to each video frame;
and counting the occurrence frequency of the target expression category based on the expression categories corresponding to the video frames, and obtaining the suspicious micro-expression risk factor according to the occurrence frequency.
Optionally, after the step of obtaining the suspicious identification result of the user to be identified according to the risk factor, the method further includes:
when the user to be identified is determined to be a suspicious user based on the suspicious identification result, extracting face features from a face image of the user to be identified;
and adding the extracted face features to a preset suspicious user blacklist library.
Optionally, before the step of obtaining historical behavior data based on each business operation record of the user to be identified, the method further includes:
when an identity authentication instruction of a user to be identified is detected, acquiring a face image of the user to be identified;
extracting face features from the face image, and matching the extracted face features with each face feature in a preset suspicious user blacklist library;
if the matching is successful, executing a preset suspicious processing flow on the user to be identified;
if the matching is not successful, executing the step of acquiring historical behavior data based on each business operation record of the user to be identified.
In order to achieve the above object, the present invention provides a suspicious user identifying apparatus, including:
the acquisition module is used for acquiring historical behavior data of each business operation record based on the user to be identified;
the calculation module is used for calculating risk factors under risk indexes based on the historical behavior data, wherein the risk indexes at least comprise one or more of one-person multi-equipment indexes, one-person multi-identity indexes, suspicious background indexes and suspicious micro-expression indexes;
and the determining module is used for obtaining the suspicious identification result of the user to be identified according to the risk factor.
In order to achieve the above object, the present invention further provides a suspicious user identifying device, where the suspicious user identifying device includes: a memory, a processor and a suspicious user identification program stored on the memory and executable on the processor, the suspicious user identification program when executed by the processor implementing the steps of the suspicious user identification method as described above.
In addition, to achieve the above object, the present invention further provides a computer readable storage medium, on which a suspicious user identifying program is stored, and the suspicious user identifying program, when executed by a processor, implements the steps of the suspicious user identifying method as described above.
In the invention, historical behavior data based on each business operation record of a user to be identified is acquired, and risk factors under risk indexes are calculated from the historical behavior data, wherein the risk indexes at least comprise one or more of a one-person multi-equipment index, a one-person multi-identity index, a suspicious background index and a suspicious micro-expression index; a suspicious identification result of the user to be identified is then obtained according to the risk factors. Compared with current face recognition and living body detection, which are based on the face image from a single business operation of the user, the invention calculates user risk from the user's historical behavior data across multiple business operations and judges the suspiciousness of the user through the correlation among these historical behavior data, which improves the accuracy of the suspicious identification result. The suspiciousness of the user is identified from one or more of the dimensions of the one-person multi-equipment index, the one-person multi-identity index, the suspicious background index and the suspicious micro-expression index. Because none of these index dimensions relies on face recognition and living body detection of the user's face image from a single business operation, illegal users cannot cheat identity authentication by forging identity cards or identity information, so the accuracy of identity authentication is improved and its application range is expanded.
Drawings
FIG. 1 is a schematic diagram of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a suspicious user identification method according to a first embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating a suspicious user identification process according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating a blacklist construction process according to an embodiment of the present invention;
FIG. 5 is a block diagram of a suspicious user identification device according to a preferred embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, fig. 1 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present invention.
It should be noted that, the suspicious user identification device in the embodiment of the present invention may be a device such as a smart phone, a personal computer, and a server, and is not limited herein.
As shown in fig. 1, the suspicious user identification device may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, a communication bus 1002. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the device structure shown in fig. 1 does not limit the suspicious user identification device, which may include more or fewer components than shown, combine some components, or arrange the components differently.
As shown in fig. 1, a memory 1005, which is one type of computer storage medium, may include an operating system, a network communication module, a user interface module, and a suspicious user identification program. Among these, the operating system is a program that manages and controls the hardware and software resources of the device, supporting the operation of the suspicious user identification program, as well as other software or programs. In the device shown in fig. 1, the user interface 1003 is mainly used for data communication with a client; the network interface 1004 is mainly used for establishing communication connection with a server; the processor 1001 may be configured to invoke the suspicious user identification program stored in the memory 1005 and perform the following operations:
acquiring historical behavior data of each service operation record based on a user to be identified;
calculating risk factors under risk indexes based on the historical behavior data, wherein the risk indexes at least comprise one or more of one-person multi-equipment indexes, one-person multi-identity indexes, suspicious background indexes and suspicious micro-expression indexes;
and obtaining a suspicious identification result of the user to be identified according to the risk factor.
Further, when the risk indicator comprises a one-person multi-device indicator, the historical behavior data comprises device identifications corresponding to each business operation of the user to be identified,
the step of calculating a risk factor under a risk indicator based on the historical behavior data comprises:
and counting the number of the devices according to the device identifications to obtain a risk factor of one person with multiple devices based on the number of the devices, wherein the same device identification is marked as the same device.
Further, when the risk indicator comprises a one-person multi-identity indicator, the historical behavior data comprises an identity card photo sequence formed by user identity card photos corresponding to each business operation of the user to be identified and an identification photo sequence formed by user identification photos,
the step of calculating a risk factor under a risk indicator based on the historical behavior data comprises:
combining the photos in the identity card photo sequence and the photos in the identification photo sequence in pairs to obtain each photo combination;
and respectively carrying out face recognition on each photo combination to obtain a face matching result corresponding to each photo combination, and obtaining a one-person multi-identity risk factor according to each face matching result.
Further, when the risk index comprises a suspicious background index, the historical behavior data comprises a user identification photo corresponding to at least one business operation of the user to be identified and a user identification photo based on business operation records of historical users except the user to be identified,
the step of calculating a risk factor under a risk indicator based on the historical behavior data comprises:
respectively carrying out background separation operation on each user identification photo to obtain each background picture data;
inputting the background picture data into a preset background feature extraction model respectively for feature extraction to obtain background features;
and clustering each background feature to obtain a cluster, counting the number of users associated with each background feature in a target cluster, and obtaining a suspicious background risk factor based on the number of the users, wherein the target cluster is the cluster in which the background feature corresponding to the user to be identified is located.
Further, before the step of inputting each background picture data into a preset background feature extraction model for feature extraction to obtain each background feature, the processor 1001 may be configured to invoke a suspicious user identification program stored in the memory 1005, and execute the following operations:
acquiring a training data set, wherein each piece of training data in the training data set respectively comprises three pieces of background image data, and two pieces of background image data belong to the same type of background;
and training the feature extraction model to be trained by adopting the training data set to obtain the background feature extraction model, wherein a loss function in the training process is a loss function which minimizes the absolute value of the difference between a first distance and a second distance, the first distance is the distance between the background features of two background image data of the same type in the training data, and the second distance is the distance between the background features of two background data of different types in the training data.
Further, when the risk indicator comprises a suspicious micro-expression indicator, the historical behavior data comprises a user video corresponding to at least one business operation of the user to be identified,
the step of calculating a risk factor under a risk indicator based on the historical behavior data comprises:
inputting each video frame in the user video into a preset sequence micro expression recognition model to obtain an expression category corresponding to each video frame;
and counting the occurrence frequency of the target expression category based on the expression categories corresponding to the video frames, and obtaining the suspicious micro-expression risk factor according to the occurrence frequency.
Further, after the step of obtaining the suspicious identification result of the user to be identified according to the risk factor, the processor 1001 may be configured to call a suspicious user identification program stored in the memory 1005, and perform the following operations:
when the user to be identified is determined to be a suspicious user based on the suspicious identification result, extracting face features from a face image of the user to be identified;
and adding the extracted face features to a preset suspicious user blacklist library.
Further, before the step of obtaining the historical behavior data based on each business operation record of the user to be identified, the method further includes:
when an identity authentication instruction of a user to be identified is detected, acquiring a face image of the user to be identified;
extracting face features from the face image, and matching the extracted face features with each face feature in a preset suspicious user blacklist library;
if the matching is successful, executing a preset suspicious processing flow on the user to be identified;
if the matching is not successful, executing the step of acquiring historical behavior data based on each business operation record of the user to be identified.
Based on the structure, various embodiments of the suspicious user identification method are provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a suspicious user identification method according to a first embodiment of the present invention. It should be noted that, although a logical order is shown in the flow chart, in some cases, the steps shown or described may be performed in an order different than that shown or described herein. The execution subject of each embodiment of the suspicious user identification method of the present invention may be a device such as a smart phone, a personal computer, and a server, and for convenience of description, the execution subject is omitted in the following embodiments for explanation. In this embodiment, the suspicious user identification method includes:
step S10, acquiring historical behavior data based on each business operation record of the user to be identified;
The scheme of this embodiment can be applied to various scenarios that require user identity verification, such as self-service business handling in online banking. Each time a user logs in to a business handling program through a device, user behavior data is generated during the business operation. This data can be recorded, and the behavior data recorded in each business operation of the same user is stored together to obtain the historical behavior data of each historical user.
The user behavior data recorded for one business operation may include the device identifier of the device used by the user to log in to the business handling program, and may also include behavior data such as the uploaded identity card information, a user identification photo, and a user video taken while the user performs the business operation. The device identifier may be obtained from the device operating system through the business handling program and may be a unique identifier such as the serial number of the device, which is not limited herein.
Further, the historical behavior data of each user may be stored in a database. To enrich the behavior data in the database and improve the accuracy of suspicious user identification, in one embodiment the historical behavior data of the user recorded by different business handling programs can be collected.
When a certain user needs to be authenticated, that is, when it must be determined whether the user is a highly suspicious user, the user is taken as the user to be identified, and the historical behavior data recorded for each business operation of that user is acquired. The acquired historical behavior data comprises behavior data corresponding to at least one business operation of the user to be identified.
Step S20, calculating risk factors under risk indexes based on the historical behavior data, wherein the risk indexes at least comprise one or more of one-person multi-equipment indexes, one-person multi-identity indexes, suspicious background indexes and suspicious micro-expression indexes;
The risk indexes used for risk judgment can be preset, and they at least comprise one or more of a one-person multi-equipment index, a one-person multi-identity index, a suspicious background index and a suspicious micro-expression index. The one-person multi-equipment index judges whether a user uses different devices across business operations: if the same user uses different devices in multiple business operations, then the more different devices there are, the higher the user's risk degree is considered to be. The risk factor under the one-person multi-equipment index can therefore be calculated from the number of different devices. The one-person multi-identity index judges whether the same user uses different identities across business operations: if the same user uses different identities in multiple business operations, then the more different identities there are, the higher the user's risk degree is considered to be. The risk factor under the one-person multi-identity index can therefore be calculated from the number of times the same user uses different identities. The suspicious background index judges whether the user is in a suspicious background during a business operation: the more suspicious the background, the higher the user's risk degree is considered to be. The risk factor under the suspicious background index can therefore be calculated by analyzing how suspicious the user's background is during business operations.
The suspicious micro-expression index judges whether the user shows suspicious micro-expressions during a business operation. Suspicious micro-expressions can be expressions such as anger, tension, a high blinking frequency or unsteady eyes; the more frequently they occur during the business operation, the higher the user's risk degree is considered to be. The risk factor under the suspicious micro-expression index can therefore be calculated by analyzing the frequency of suspicious micro-expressions in the user video recorded during the user's business operation.
Different risk indexes require different user behavior data, and different business scenarios collect different user behavior data, so one or more risk indexes can be selected according to the specific business scenario as the basis for judging suspicious users. For example, in a business scenario where behavior data such as device identifiers, user identity card information, user identification photos and user videos can be collected, the risk indicators may include at least the four indicators, i.e., the one-person multi-device indicator, the one-person multi-identity indicator, the suspicious background indicator and the suspicious micro-expression indicator. It should be noted that when there are several risk indicators, the user's risk is judged from different dimensions, that is, from multi-modal data, which improves the accuracy of the suspicious identification result and further ensures the stability and safety of the financial service.
It should be noted that current authentication schemes identify the face image captured during the user's business operation and detect whether it matches the face photo on the identity card, or, on top of face recognition, apply living body detection based on combined actions of the user such as blinking, opening the mouth, shaking the head and nodding, so as to prevent the user from passing detection by means of photos, masks, screen re-capture and the like. This detection method cannot identify the case in which the user uses a counterfeit identity card or counterfeit identity information. In this embodiment, the one-person multi-device index analyzes the user's suspicious risk degree from the perspective of the devices the user has used over multiple business operations, so that the suspicious degree can be identified even if an illegal user uses fake identity information in each business operation. The one-person multi-identity index analyzes the user's suspicious risk degree from the identities the user has used over multiple business operations; illegal users generally use different identity information in each business operation to avoid their fraudulent behavior being discovered, so their suspicious degree can be identified even if they use fake identity information in each business operation. The suspicious background index analyzes the user's suspicious risk degree from the background the user is in during business operations, so that the suspicious degree can be identified even if an illegal user uses fake identity information in each business operation. 
The suspicious micro-expression index analyzes the suspicious risk degree of the user from the expression of the user in the business operation, so that the suspicious degree can be identified even if illegal users use fake identity information in each business operation. Therefore, compared with the existing scheme of performing face recognition or living body detection based on a face image of a user during single business operation, the suspicious user analysis mode based on each risk index dimension in the embodiment can avoid the situation that the user cheats identity verification by using a forged identity card or identity information.
And step S30, obtaining a suspicious identification result of the user to be identified according to the risk factor.
After the risk factors under the risk indexes are obtained through calculation, the final suspicious identification result of the user to be identified can be obtained according to the risk factors. The suspicious identification result may be a suspicious degree, or may be a result indicating whether the user to be identified is a suspicious user, or a result in other forms, and the form of the suspicious identification result may be different according to different specific needs. The form of the risk factor may also be different according to specific needs, and thus, there may be a variety of ways to obtain the suspicious identification result of the user to be identified according to the risk factor. For example, when the risk factor is a value representing the magnitude of risk, the risk factors may be weighted and averaged to obtain a final risk value, and the risk value may be used as the result of suspicious identification, or compared with a preset value to obtain the result of whether the user is a suspicious user. When the risk factors are the results indicating whether the user to be identified is the suspicious user or not and the risk factors are multiple, the number of the risk factors indicating that the user is the suspicious user can be compared with a preset number to obtain the result indicating whether the user is the suspicious user or not.
In this embodiment, historical behavior data recorded for each business operation of the user to be identified is acquired, risk factors under the risk indexes are calculated from the historical behavior data, wherein the risk indexes include at least one or more of a one-person multi-device index, a one-person multi-identity index, a suspicious background index and a suspicious micro-expression index, and a suspicious identification result of the user to be identified is obtained from the risk factors. Compared with current face recognition and living body detection based on the face image from a single business operation of the user, the scheme of this embodiment calculates user risk from the user's historical behavior data over multiple business operations, so that the user's suspiciousness is judged through the correlation among multiple pieces of the user's historical behavior data, which improves the accuracy of the suspicious identification result. Compared with current face detection and living body detection, this embodiment identifies the user's suspiciousness from at least one or more of the one-person multi-device, one-person multi-identity, suspicious background and suspicious micro-expression index dimensions; because none of these index dimensions is face recognition or living body detection based on the face image from a single business operation, illegal users cannot cheat identity authentication by forging identity cards or identity information, which improves the accuracy of identity authentication and expands its application range.
Further, as shown in fig. 3, after the step S30, the method further includes:
step S40, when the user to be identified is determined to be a suspicious user based on the suspicious identification result, extracting face features from the face image of the user to be identified;
after the suspicious identification result is obtained, whether the user to be identified is the suspicious user or not can be determined according to the suspicious identification result. Specifically, when the suspicious identification result is a suspicious degree value, the suspicious degree value may be compared with a preset value, and if the suspicious degree value is greater than the preset value, the user to be identified may be considered as a suspicious user, otherwise, the user is a normal user. When the user to be recognized is determined to be a suspicious user based on the suspicious recognition result, the face features can be extracted from the face image of the user to be recognized. The face image of the user to be identified may be a face image of the user acquired during the current business operation, or may be at least one face image acquired from historical behavior data. The method for extracting the face features from the face image may be to adopt an existing face feature extraction method, for example, to adopt a face recognition model to perform feature extraction. The extracted facial features may be data in the form of vectors, and it should be understood that facial features of the same user are the same, and facial features of different users are different.
And step S50, adding the extracted face features to a preset suspicious user blacklist library.
And adding the extracted face features into a preset suspicious user blacklist library. The preset suspicious user blacklist library may be a preset database or a preset data table for storing relevant information of blacklist users. Further, when the face features are added to the suspicious user blacklist library, other information of the user to be identified and the face features can be added together after being associated, and the other information can include historical behavior data of the user, identity information such as an identity card number, a user account and a mobile phone number.
In this embodiment, the face features of the suspicious user are added to the blacklist library, so that in subsequent business operations it can be quickly identified whether the user performing the business operation is a suspicious user, and the suspicious user can be handled in time. In addition, face features uniquely identify a person's appearance. Compared with recording a suspicious user by information such as an identity card, mobile phone number or name, adding the face features to the blacklist allows the suspicious user to be identified from the acquired face image even when the user performs the next business operation with a different identity card, mobile phone number, name or other information.
Further, before the step S10, the method further includes:
step S60, when an identity verification instruction of a user to be recognized is detected, acquiring a face image of the user to be recognized;
after the user to be identified is determined and before suspicious identification is carried out, whether the user to be identified is in a preset blacklist library or not can be checked, if yes, the user to be identified can be directly determined to be the suspicious user, and if not, the user to be identified can be subjected to suspicious identification.
Specifically, in a specific service handling program, an option for triggering authentication may be set, and the next service operation may be performed only after authentication. When an identity authentication instruction of a user to be identified is detected, a face image of the user to be identified is acquired. The face image may be collected in real time by controlling a camera of the user equipment.
Step S70, extracting face features from the face image, and matching the extracted face features with each face feature in a preset suspicious user blacklist library;
The face features are extracted from the face image. The manner of extracting the face features has already been described in the above embodiments and is not repeated here. The extracted face features are matched with each face feature in the preset suspicious user blacklist library. Specifically, the blacklist library stores the face features of suspicious users identified in the past; the face features of the user to be identified are compared one by one with the face features in the blacklist library to determine whether they are consistent. If a face feature consistent with the face features of the user to be identified exists, the matching is determined to be successful; if none is consistent, the matching is determined to be unsuccessful. It should be noted that when two face features are compared, their consistency degree can be calculated: when the face features are vector data, the elements of the two vectors can be compared to see whether they are the same, and the consistency degree is the proportion of identical elements. When the consistency degree is greater than a preset degree, the two face features can be determined to be consistent, wherein the preset degree can be set according to specific needs, and when suspicious users are to be strictly checked in an actual service scenario, the preset degree can be set slightly lower.
Step S80, if the matching is successful, executing a preset suspicious processing flow on the user to be identified;
if the matching is successful, a preset suspicious processing flow can be executed on the user to be identified. The preset suspicious processing flow may be a preset flow for further confirming the suspicious user, or other flows for the suspicious user, and may be specifically set according to actual business needs. If the suspicious processing flow is a further confirmation flow, the user can be prompted to upload information for further identity certification, and information content needing to be uploaded can be set according to business requirements.
Step S90, if the matching is not successful, executing the steps of: and acquiring historical behavior data based on each business operation record of the user to be identified.
If the matching is not successful, the user to be identified is not in the blacklist library. In this case, suspicious identification may not yet have been performed on the user to be identified, so it can be performed now: the historical behavior data of the user to be identified is obtained, and the subsequent suspicious identification steps, such as calculating the risk factor of each risk index, are performed based on the historical behavior data.
When the user to be identified is determined to be a normal user according to the suspicious identification result, a normal processing flow can be performed on the user to be identified, and the specific normal processing flow is different according to different service scenes, which is not described in detail herein.
In this embodiment, first, whether the user is in the blacklist library is queried, and if the user is in the blacklist library, a suspicious processing flow can be directly executed on the user, so that the efficiency of identity authentication is improved.
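The blacklist gate of steps S60 to S90, together with the consistency-degree comparison described for step S70, can be sketched as follows. This is an added example, not code from the patent: the class and function names, the element tolerance `tol` (added because real feature vectors are floating-point and rarely equal exactly), the flow labels and the sample vectors are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


def consistency_degree(a, b, tol=0.0):
    """Proportion of positions at which two feature vectors hold the same element.

    tol is an assumption added here: two elements count as the same when they
    differ by at most tol, since float embeddings are rarely bit-identical.
    """
    if len(a) != len(b) or not a:
        raise ValueError("feature vectors must be non-empty and of equal length")
    same = sum(1 for x, y in zip(a, b) if abs(x - y) <= tol)
    return same / len(a)


@dataclass
class BlacklistLibrary:
    preset_degree: float = 0.8   # features are consistent above this degree
    tol: float = 0.0
    entries: list = field(default_factory=list)  # (features, associated info)

    def add(self, features, info=None):
        """Step S50: store face features with any associated user information."""
        self.entries.append((list(features), info or {}))

    def match(self, features):
        """Step S70: compare one by one; return (degree, info) of the best hit."""
        best = None
        for stored, info in self.entries:
            degree = consistency_degree(features, stored, self.tol)
            if degree > self.preset_degree and (best is None or degree > best[0]):
                best = (degree, info)
        return best


def verify_identity(features, blacklist, run_suspicious_identification):
    """Steps S60-S90. run_suspicious_identification stands for steps S10-S30
    and returns True when the user is judged suspicious."""
    if blacklist.match(features) is not None:
        return "suspicious_flow"            # S80: already blacklisted
    if run_suspicious_identification():     # S90: fall through to S10-S30
        blacklist.add(features)             # S40-S50: remember the face
        return "suspicious_flow"
    return "normal_flow"


# Constructed sample vectors (8 elements instead of a real embedding).
KNOWN = [0.10, 0.52, 0.33, 0.91, 0.27, 0.64, 0.08, 0.75]
PROBE_SAME_FACE = [0.11, 0.50, 0.35, 0.90, 0.27, 0.95, 0.08, 0.74]
PROBE_OTHER_FACE = [0.80, 0.12, 0.33, 0.40, 0.66, 0.21, 0.59, 0.02]

if __name__ == "__main__":
    library = BlacklistLibrary(preset_degree=0.75, tol=0.05)
    library.add(KNOWN, {"account": "constructed-001"})
    print(verify_identity(PROBE_SAME_FACE, library, lambda: False))
    print(verify_identity(PROBE_OTHER_FACE, library, lambda: False))
```

Lowering `preset_degree` makes the gate stricter in the sense the text describes: more probes are treated as consistent with a blacklisted face.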
Further, based on the first embodiment, a second embodiment of the suspicious user identification method according to the present invention is provided, in this embodiment, when the risk indicator includes a one-person-multiple-device indicator, the historical behavior data includes a device identifier corresponding to each business operation of the user to be identified, and the step S20 includes:
step S201, counting according to each equipment identifier to obtain the number of equipment, and obtaining a risk factor of one person with multiple equipment based on the number of the equipment, wherein the same equipment identifier is marked as the same equipment.
When the risk index comprises one-person multi-equipment index, the equipment identification of the equipment adopted by the user can be recorded when the user performs business operation. The device identifier may be a unique identifier such as a device serial number. The device identification recorded based on each business operation of the same user can be stored in an associated manner and used as historical behavior data of the user, specifically, the user identification can be used for distinguishing different users during recording, and the user identification can be unique identification such as an identity card number, a mobile phone number or a login account number.
When a user to be identified needs to analyze one-man multi-device indexes, the device identifier corresponding to each service operation of the user can be extracted from a pre-stored database based on the user identifier of the user to be identified, that is, historical behavior data of the user to be identified is obtained.
The number of devices is obtained by counting the obtained device identifiers, wherein identical device identifiers are regarded as the same device, that is, devices with the same device identifier are counted only once. After the number of devices is obtained, the one-person multi-device risk factor can be obtained from the number of devices. Specifically, the risk factors corresponding to different numbers of devices can be set according to specific needs. For example, when the risk factor is a result indicating whether the user is a suspicious user, a risk threshold may be set; when the number of devices is greater than the risk threshold, the user has historically used too many devices and replaced devices frequently, so the user may be determined to be a suspicious user from the one-person multi-device index dimension. Alternatively, when the risk factor is a numerical value representing the degree of suspicion of the user, the number of devices may be converted into a suspicion value, and the conversion criterion may be: the larger the number of devices, the larger the suspicion value, and the smaller the number of devices, the smaller the suspicion value. The specific conversion method can be established according to the conversion criterion, and is not particularly limited herein.
In this embodiment, the number of devices of different devices used by the user is calculated according to the device identifier used when the user performs the business operation according to the history of the user, and when the number of devices is too large, it is determined that the user is a suspicious user.
Further, based on the first and/or second embodiments, a third embodiment of the suspicious user identification method of the present invention is provided. In this embodiment, when the risk indicator includes a one-person multi-identity indicator, the historical behavior data includes an identity card photo sequence formed by user identity card photos corresponding to each business operation of the user to be identified, and an identification photo sequence formed by user identification photos, and the step S20 includes:
step S202, combining the photos in the identity card photo sequence and the photos in the identification photo sequence in pairs to obtain each photo combination;
when the risk index comprises one-person multi-identity index, the identity card photos and the identification photos uploaded by the user can be recorded when the user performs business operation. The identification photo refers to a taken facial photo of the user, and the identification card photo is a photo containing an image of the user, for example, a shot photo of the front side of the identification card. The identity card photos and the identification photos of the same user during each business operation can be stored in a correlated mode to obtain an identity card photo sequence and an identification photo sequence, and the identity card photo sequence and the identification photo sequence are used as historical behavior data of the user. During recording, different users can be distinguished by adopting user identification, and the user identification can be unique identification such as an identity card number, a mobile phone number or a login account number.
When a user to be recognized needs to analyze one-man multi-identity indexes, the user identity card photo sequence and the recognition photo sequence can be extracted from a pre-stored database based on the user identification of the user to be recognized, namely, the historical behavior data of the user to be recognized is obtained.
The photos in the identity card photo sequence and the photos in the identification photo sequence are combined in pairs to obtain the photo combinations. That is, one identity card photo and one identification photo form one photo combination.
Step S203, respectively carrying out face recognition on each photo combination to obtain a face matching result corresponding to each photo combination, and obtaining a one-person multi-identity risk factor according to each face matching result.
And respectively carrying out face recognition on each photo combination to obtain a face matching result corresponding to each photo combination. Specifically, for each photo combination, face recognition is performed on two photos in the photo combination, and matching is performed to obtain a face matching result. Then, each photo combination corresponds to one face matching result. The face matching result may be a result indicating that the two photographs match or do not match. The specific face recognition and matching method may be to input the face parts in the two photos into a preset face recognition model for recognition, obtain the face features of the two photos, and compare the similarity of the two face features, which is specifically similar to the face feature matching process in the above embodiments, and is not described in detail here. The face recognition model may be a commonly used face recognition model, and is not limited herein.
And obtaining one-person multi-identity risk factors of the user to be identified according to the face matching result of each photo combination. Specifically, if the face matching result of one photo combination is not matched, it indicates that the user to be identified has a one-person multi-identity condition, and the number of mismatches of the photo combinations in which the face matching result is not matched can be counted, that is, the number of one-person multi-identity conditions, and a one-person multi-identity risk factor is obtained according to the number of mismatches. For example, when the risk factor is a result indicating whether the user is a suspicious user, a risk threshold may be set, and when the number of mismatches is greater than the risk threshold, the number of times that one-person multi-identity appears is greater for the user, and the identity is frequently changed, so that the user may be determined to be a suspicious user from the one-person multi-identity index dimension. Alternatively, when the risk factor is a numerical value representing the degree of user suspicion, the number of mismatches may be converted to a suspicion value, and the conversion criterion may be: the larger the number of mismatches, the larger the suspect value, and the smaller the number of mismatches, the smaller the suspect value. The specific conversion method can be established according to a conversion standard, and is not particularly limited herein.
In this embodiment, the number of times a one-person multi-identity condition occurs for a user is calculated from the identity card photo sequence and the identification photo sequence recorded during the user's historical business operations, and when the number of times is excessive, the user is determined to be a suspicious user. Compared with verifying whether a user is suspicious based on the behavior data of a single business operation, the method of this embodiment determines whether the user is suspicious by using the correlation between the user's historical behavior data, so the user can be identified even if the user forges identity information in a business operation.
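The following added example (not code from the patent) carries steps S201, S202 to S203 and S30 through on constructed history records: distinct device identifiers are counted, every identity card photo is paired with every identification photo, and the two risk factors are combined by a weighted average and compared with a preset value. The linear conversions, caps, weights, preset value, account names and the label-equality stand-in for the face recognition model are all assumptions.

```python
from itertools import product

# Constructed history: one record per business operation under a user identifier.
# "card_face" and "selfie_face" are labels standing in for the face found on the
# identity card photo and on the identification photo of that operation.
HISTORY = {
    "acct-normal": [
        {"device": "dev-A1", "card_face": "alice", "selfie_face": "alice"},
        {"device": "dev-A1", "card_face": "alice", "selfie_face": "alice"},
        {"device": "dev-A2", "card_face": "alice", "selfie_face": "alice"},
        {"device": "dev-A1", "card_face": "alice", "selfie_face": "alice"},
    ],
    # Every single operation is self-consistent here, so a per-operation
    # face check passes; only the cross-operation pairing shows the problem.
    "acct-shared": [
        {"device": "dev-X1", "card_face": "p1", "selfie_face": "p1"},
        {"device": "dev-X2", "card_face": "p2", "selfie_face": "p2"},
        {"device": "dev-X3", "card_face": "p3", "selfie_face": "p3"},
    ],
}


def multi_device_factor(device_ids, cap=5):
    """S201: count distinct device identifiers and convert to a value in [0, 1].

    Assumed conversion: one device scores 0, `cap` or more devices score 1.
    """
    n = len(set(device_ids))
    return n, min(max(n - 1, 0) / (cap - 1), 1.0)


def multi_identity_factor(card_photos, recognition_photos, faces_match, cap=4):
    """S202-S203: pair every identity card photo with every identification
    photo and count the pairs whose faces do not match."""
    pairs = product(card_photos, recognition_photos)
    mismatches = sum(1 for card, selfie in pairs if not faces_match(card, selfie))
    return mismatches, min(mismatches / cap, 1.0)


def suspicious_result(factors, weights, preset_value=0.5):
    """S30: weighted average of the risk factors, compared with a preset value."""
    total_weight = sum(weights[name] for name in factors)
    risk = sum(factors[name] * weights[name] for name in factors) / total_weight
    return risk, risk > preset_value


def identify(user_id, history=HISTORY, weights=None, preset_value=0.5):
    weights = weights or {"multi_device": 1.0, "multi_identity": 2.0}
    ops = history[user_id]
    n_devices, device_factor = multi_device_factor([op["device"] for op in ops])
    mismatches, identity_factor = multi_identity_factor(
        [op["card_face"] for op in ops],
        [op["selfie_face"] for op in ops],
        faces_match=lambda card, selfie: card == selfie,  # stand-in for the model
    )
    factors = {"multi_device": device_factor, "multi_identity": identity_factor}
    risk, suspicious = suspicious_result(factors, weights, preset_value)
    return {"devices": n_devices, "mismatches": mismatches,
            "risk": risk, "suspicious": suspicious}


if __name__ == "__main__":
    for account in HISTORY:
        print(account, identify(account))
```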
Further, based on the first, second and/or third embodiments, a fourth embodiment of the suspicious user identification method of the present invention is provided. In this embodiment, when the risk indicator includes a suspicious background indicator, the historical behavior data includes a user identification photo corresponding to at least one business operation of the user to be identified, and a user identification photo recorded based on a business operation of a historical user other than the user to be identified, and the step S20 includes:
step S204, respectively carrying out background separation operation on each user identification photo to obtain each background picture data;
In the user identity verification process, background information is important information in addition to the face itself. In the case of a group attack, the group generally commits the fraud against similar video backgrounds, so if a plurality of users perform business operations against similar backgrounds, that background is a suspicious background; solid-color backgrounds are, of course, an exception. Moreover, even if the group knows that the background will reveal information, the cost of frequently changing the background is high. Therefore, effectively identifying background information is an effective means of fraud defense.
Based on this, in the present embodiment, the risk indicator may include a suspicious background indicator. When the user performs business operation, the identification photo uploaded by the user can be recorded as the historical behavior data of the user. When suspicious background index analysis needs to be carried out on a user to be identified, a user identification photo corresponding to at least one business operation of the user to be identified can be obtained, user identification photos of other historical users except the user to be identified and recorded in a database are obtained, and a plurality of user identification photos are obtained, wherein each identification photo has a user associated with the identification photo.
Background separation is performed on each user identification photo to obtain the background picture data corresponding to each user identification photo. The background picture data is the picture data left after the face part is removed from the user identification photo. Specifically, a background separation model may be used for background separation; the background separation model may be an image semantic segmentation model trained in advance on a large number of images, and the training process may follow that of existing image semantic segmentation models, which is not described in detail here.
Step S205, inputting each background picture data into a preset background feature extraction model for feature extraction to obtain each background feature;
after the background picture data are obtained, the background picture data can be respectively input into a preset background feature extraction model for feature extraction, so as to obtain the background features corresponding to the background picture data. The background feature may be in the form of a fixed-dimension vector. The background feature extraction model may adopt a commonly-used image feature extraction model, and the training process may refer to the training process of the commonly-used image feature extraction model, which is not described in detail herein.
Step S206, clustering operation is carried out on each background feature to obtain a cluster, the number of users associated with each background feature in a target cluster is counted, and a suspicious background risk factor is obtained based on the number of the users, wherein the target cluster is the cluster where the background feature corresponding to the user to be identified is located.
And after the background features corresponding to the user identification images are obtained, clustering operation is carried out on the background features to obtain clustering clusters. The clustering operation may use common clustering methods such as k-means, GMM (gaussian mixture clustering), or spectral clustering, which is not limited herein.
And determining a cluster where the background features of the identification photos of the user to be identified are located, and taking the cluster as a target cluster. When there are a plurality of recognition photographs of the user to be recognized, a plurality of target clusters may be obtained. And counting the number of users associated with each background feature in the target cluster, wherein the users associated with a plurality of background features can be recorded once if the users are the same. And according to the number of the users in the target cluster, suspicious background risk factors of the users to be identified can be obtained. Specifically, when the number of users associated with the background feature in the cluster is small, the background feature in the cluster can be considered to belong to a low-risk background. When the number of users associated with the background features in the cluster is particularly large, it indicates that the background features may be features of a solid background, and the background features in the cluster can be considered to belong to a low-risk background. When the number of users associated with the background features in the cluster is in a preset interval, the background features in the cluster can be considered to belong to a high-risk background, wherein the preset interval can be set according to specific conditions.
Then, when the risk factor is a result indicating whether the user is a suspicious user, the number of users corresponding to the target cluster may be compared with the preset interval, and if the number of users is within the preset interval, the user may be determined to be a suspicious user from the suspicious background index dimension. When the risk factor is a numerical value representing the suspicious degree of the user, the number of users in the target cluster may be converted into a suspicious value, and specifically, the conversion criterion may be: when the number of the users is in the preset interval, the suspicious value is larger than the suspicious value which is not in the preset interval, and when the number of the users is in the preset interval, the larger the suspicious value is, if the number of the users is smaller than the preset interval, the smaller the suspicious value is, and if the number of the users is larger than the preset interval, the larger the suspicious value is. The specific conversion method can be established according to a conversion standard, and is not particularly limited herein. It should be noted that, when there are a plurality of target clusters, the suspicious background risk factor may be obtained according to the target cluster with the largest number of corresponding users.
In this embodiment, clustering of the background features is performed on the identification photo when the user performs the business operation and the identification photo when other historical users perform the business operation, and suspicious fraudulent groups that may use the same background features are analyzed, so as to identify the suspicious user.
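Step S206 can be illustrated with the added example below, which is not code from the patent: background features are clustered with k-means, the distinct users in the target cluster are counted, and the count is tested against the preset interval. The 2-D vectors are constructed stand-ins for the output of the background feature extraction model, and the value of k, the interval (3, 8), the user names and the farthest-point initialisation are assumptions.

```python
import math

# Constructed records: (user identifier, background feature).
RECORDS = (
    # twelve unrelated users in front of near-identical solid-color walls
    [(f"u{i:02d}", (0.1 * (i % 3), 0.1 * (i // 3))) for i in range(12)]
    # four accounts photographed against the same room
    + [("r1", (5.0, 5.0)), ("r2", (5.1, 4.9)), ("r3", (4.9, 5.1)), ("r4", (5.0, 5.2))]
    # one user photographed twice at home
    + [("h1", (10.0, 0.0)), ("h1", (10.1, 0.1))]
)


def kmeans(points, k, iters=20):
    """Plain k-means with deterministic farthest-point initialisation."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points,
                           key=lambda p: min(math.dist(p, c) for c in centers)))
    labels = []
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: math.dist(p, centers[j]))
                  for p in points]
        new_centers = []
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:
                new_centers.append(tuple(sum(axis) / len(members)
                                         for axis in zip(*members)))
            else:
                new_centers.append(centers[j])  # keep the center of an empty cluster
        if new_centers == centers:
            break
        centers = new_centers
    return labels


def background_risk(records, target_user, k, interval):
    """Return (number of distinct users in the target cluster, suspicious?)."""
    labels = kmeans([feature for _, feature in records], k)
    users_by_cluster = {}
    for (user, _), lab in zip(records, labels):
        # a user with several photos in one cluster is recorded once
        users_by_cluster.setdefault(lab, set()).add(user)
    target_clusters = {lab for (user, _), lab in zip(records, labels)
                       if user == target_user}
    if not target_clusters:
        raise ValueError("no identification photo recorded for the target user")
    # With several target clusters, the text uses the one with the most users.
    n_users = max(len(users_by_cluster[lab]) for lab in target_clusters)
    low, high = interval
    # Few users: ordinary private background. Very many: solid background.
    # Only a count inside the preset interval is treated as high risk.
    return n_users, low <= n_users <= high


if __name__ == "__main__":
    for user in ("u00", "r1", "h1"):
        print(user, background_risk(RECORDS, user, k=3, interval=(3, 8)))
```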
Further, the method further comprises:
a10, acquiring a training data set, wherein each piece of training data in the training data set respectively comprises three pieces of background image data, and two pieces of background image data belong to the same type of background;
and A20, training the feature extraction model to be trained by using the training data set to obtain the background feature extraction model, wherein a loss function in the training process is a loss function which minimizes the absolute value of the difference between a first distance and a second distance, the first distance is the distance between the background features of two background image data of the same type in the training data, and the second distance is the distance between the background features of two background data of different types in the training data.
Further, in an embodiment, the training mode of the background feature extraction model may specifically be:
A feature extraction model to be trained is preset, and its model structure can be that of a common picture feature extraction model, for example a neural network model such as a convolutional neural network. A training data set for training the feature extraction model is collected in advance. The training data set comprises a plurality of pieces of training data, and each piece of training data comprises three pieces of background image data: two of them belong to the same type of background (backgrounds of the same type are similar) and can be denoted $a_i$ and $p_i$; the other is image data of a background different from those two and can be denoted $n_i$, where $i$ is the sequence number of the training data.
The feature extraction model to be trained is trained with the acquired training data set to obtain the background feature extraction model. Specifically, the model parameters of the feature extraction model to be trained may be updated iteratively over multiple rounds; when convergence of the loss function is detected, updating stops, and the feature extraction model with the parameters so determined is used as the background feature extraction model. One round of updating can proceed as follows: each piece of training data in the training data set is input into the feature extraction model to be trained, the background feature corresponding to each piece of background image data is obtained through feature extraction by the model, the loss function is calculated from the background features, the gradient value corresponding to each model parameter of the feature extraction model is calculated on the basis of the loss function, and each model parameter is updated according to its gradient value so as to update the feature extraction model to be trained. The loss function may be a loss function that minimizes an absolute value of a difference between a first distance and a second distance, where the first distance is a distance between background features of two background image data of the same type in the training data, and the second distance is a distance between background features of two background data of different types in the training data. The loss function may be expressed as $L = \max(d(a, p) - d(a, n) + \mathrm{margin},\ 0)$, where $d(a, p)$ represents the distance between $a$ and $p$, $d(a, n)$ represents the distance between $a$ and $n$, and margin is a preset hyper-parameter; the distance may be calculated in any manner used for calculating the distance between vectors, such as the Euclidean distance. 
It should be noted that each piece of training data corresponds to a loss value, and the loss function is an average of the loss values of the training data.
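The loss described above, worked through on constructed data (an added example, not code from the patent): the per-triplet hinge with Euclidean distance, and the average over the training data. The two-dimensional feature vectors, the margin of 2.0 and all function names are assumptions made for illustration.

```python
import math


def euclidean(u, v):
    """Euclidean distance between two equal-length feature vectors."""
    if len(u) != len(v):
        raise ValueError("feature vectors must have the same length")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(u, v)))


def triplet_loss(a, p, n, margin):
    """Loss value of one piece of training data: max(d(a,p) - d(a,n) + margin, 0)."""
    return max(euclidean(a, p) - euclidean(a, n) + margin, 0.0)


def batch_loss(triplets, margin):
    """Return (average loss, per-triplet losses) over the training data."""
    if not triplets:
        raise ValueError("training data set is empty")
    losses = [triplet_loss(a, p, n, margin) for a, p, n in triplets]
    return sum(losses) / len(losses), losses


def active_triplets(losses):
    """Indices of triplets with non-zero loss.

    A triplet whose loss is clamped to 0 has zero gradient, so only the
    triplets returned here move the model parameters in a round of updating.
    """
    return [i for i, value in enumerate(losses) if value > 0.0]


MARGIN = 2.0  # constructed value for the preset hyper-parameter

# Constructed background features (a_i, p_i, n_i) as the model might output them.
TRIPLETS = [
    # d(a,p)=5, d(a,n)=10: negative already farther than positive by more
    # than the margin, so the loss is clamped to 0.
    ([0.0, 0.0], [3.0, 4.0], [6.0, 8.0]),
    # d(a,p)=5, d(a,n)=6: negative is farther, but by less than the margin,
    # so the loss is 5 - 6 + 2 = 1.
    ([0.0, 0.0], [3.0, 4.0], [0.0, 6.0]),
    # Collapsed features: every image maps to the same point, both distances
    # are 0 and the loss equals the margin (2). The margin is what stops the
    # model from minimizing the loss by outputting a constant feature.
    ([1.0, 1.0], [1.0, 1.0], [1.0, 1.0]),
]


if __name__ == "__main__":
    mean, per_triplet = batch_loss(TRIPLETS, MARGIN)
    print("per-triplet losses:", per_triplet)
    print("average loss:", mean)
    print("triplets that still produce a gradient:", active_triplets(per_triplet))
```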
Further, based on the first, second, third and/or fourth embodiments, a fifth embodiment of the suspicious user identification method of the present invention is provided. In this embodiment, when the risk indicator includes a suspicious micro-expression indicator, the historical behavior data includes a user video corresponding to at least one business operation of the user to be identified, and the step S20 includes:
Step S207: inputting each video frame in the user video into a preset sequence micro-expression recognition model to obtain the expression category corresponding to each video frame;
In this embodiment, the risk indicator may include a suspicious micro-expression indicator. When the user performs a business operation, a user video collected by the user equipment may be obtained; specifically, the user video may be one captured while the user performs face-scan verification, or one captured while the user handles business by remote video. The user videos of the same user from each business operation can be stored in association with one another as that user's historical behavior data. When recording, different users can be distinguished by a user identifier, which can be a unique identifier such as an identity card number, a mobile phone number or a login account.
When the suspicious micro-expression indicator of the user to be identified needs to be analyzed, the user video corresponding to at least one business operation of that user can be extracted from a pre-stored database based on the user identifier of the user to be identified; that is, the historical behavior data of the user to be identified is obtained.
Each video frame in the acquired user video is input into the preset sequence micro-expression recognition model to obtain the expression category corresponding to each video frame. The preset sequence micro-expression recognition model may be a model that has been set up and trained in advance, and may adopt any model structure capable of processing sequence data, such as an LSTM (long short-term memory network) or an RNN (recurrent neural network), which is not limited here. The expression categories recognizable by the model can be preset and can include micro-expressions such as anger, tension, joy and sadness.
Step S208: counting the occurrence frequency of the target expression category based on the expression categories corresponding to the video frames, and obtaining the suspicious micro-expression risk factor according to the occurrence frequency.
After the expression categories corresponding to the video frames are obtained, the frequency with which the target expression category appears in the user video can be counted. The target expression category may be a preset suspicious expression, such as anger, tension, a high blinking frequency, or an evasive gaze. Calculating the occurrence frequency of the target expression category may specifically mean counting the number of times the target expression category appears in a run of consecutive video frames, for example counting the number of times an angry expression appears in 100 video frames; when the video has more than 100 frames, the number of occurrences is counted for every 100 frames and the average of those counts is taken as the occurrence frequency.
After the occurrence frequency of the target expression category has been calculated, the suspicious micro-expression risk factor can be obtained from it; the risk factors corresponding to different occurrence frequencies can be set according to specific needs. For example, when the risk factor is a result indicating whether the user is a suspicious user, a risk threshold may be set; an occurrence frequency greater than the risk threshold indicates that the user shows suspicious expressions too frequently, so the user may be determined to be a suspicious user in the suspicious micro-expression indicator dimension. Alternatively, when the risk factor is a numerical value representing the degree of suspicion of the user, the occurrence frequency may be converted into a suspicion value, with the conversion criterion being: the higher the occurrence frequency, the higher the suspicion value, and the lower the occurrence frequency, the lower the suspicion value. The specific conversion method can be established according to this conversion criterion and is not particularly limited here.
In this embodiment, the frequency of the suspicious micro-expression of the user is analyzed according to the video of the user during the business operation, and when the frequency is too high, the user is determined to be a suspicious user.
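Step S208 leaves the counting and conversion details open; the following added example (not code from the patent) shows one way to implement it over per-frame labels that a recognition model has already produced, covering both the threshold result and the numeric suspicion value. It assumes that each frame labelled with a target category counts as one occurrence, that a trailing partial window is ignored, and that the suspicion value is the capped ratio of frequency to window size; the function names, the threshold and the sample labels are constructed.

```python
WINDOW = 100                     # frames per counting window (the text's example)
TARGETS = {"anger", "tension"}   # target (suspicious) expression categories


def occurrence_frequency(labels, targets=TARGETS, window=WINDOW):
    """Average number of target-category frames per full window.

    Assumptions of this example: each frame labelled with a target category
    counts once; a clip no longer than one window is counted as a whole; for
    longer clips a trailing partial window is ignored, so that every count
    entering the average covers the same number of frames.
    """
    if window <= 0:
        raise ValueError("window must be positive")
    if not labels:
        return 0.0
    if len(labels) <= window:
        return float(sum(label in targets for label in labels))
    counts = [
        sum(label in targets for label in labels[start:start + window])
        for start in range(0, len(labels) - window + 1, window)
    ]
    return sum(counts) / len(counts)


def is_suspicious(frequency, risk_threshold):
    """Risk factor as a yes/no result: frequency strictly above the threshold."""
    return frequency > risk_threshold


def suspicion_value(frequency, window=WINDOW):
    """Risk factor as a number in [0, 1] that never decreases as the
    frequency rises (assumed form: frequency / window, capped)."""
    return min(max(frequency / window, 0.0), 1.0)


def micro_expression_risk(labels, risk_threshold, targets=TARGETS, window=WINDOW):
    """Run step S208 on per-frame expression labels and return both risk forms."""
    frequency = occurrence_frequency(labels, targets, window)
    return {
        "frequency": frequency,
        "suspicious": is_suspicious(frequency, risk_threshold),
        "suspicion_value": suspicion_value(frequency, window),
    }


# Constructed per-frame labels for a 250-frame clip (stand-in for model output).
SAMPLE_LABELS = (
    ["anger"] * 30 + ["neutral"] * 70    # window 1: 30 target frames
    + ["tension"] * 10 + ["joy"] * 90    # window 2: 10 target frames
    + ["anger"] * 50                     # trailing 50 frames: partial, ignored
)


if __name__ == "__main__":
    # Constructed threshold of 15 target frames per 100-frame window.
    print(micro_expression_risk(SAMPLE_LABELS, risk_threshold=15))
```

Ignoring the trailing partial window hides anything that occurs only in the final frames of a clip; overlapping windows avoid that at the cost of counting some frames twice.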
In an embodiment, the risk indicators may include a one-person multi-device indicator, a one-person multi-identity indicator, a suspicious background indicator, and a suspicious micro-expression indicator. As shown in fig. 4, each user may be analyzed in these four dimensions according to the historical behavior data of each user stored in the database, so as to obtain a suspicious identification result for each user, and suspicious users are added to the blacklist database according to the suspicious identification results.
In addition, an embodiment of the present invention further provides a suspicious user identification apparatus, and with reference to fig. 5, the apparatus includes:
an acquiring module 10, configured to acquire historical behavior data based on each business operation record of the user to be identified;
a calculating module 20, configured to calculate a risk factor under a risk indicator based on the historical behavior data, where the risk indicator includes at least one or more of a one-person multi-device indicator, a one-person multi-identity indicator, a suspicious background indicator, and a suspicious micro-expression indicator;
and a determining module 30, configured to obtain a suspicious identification result of the user to be identified according to the risk factor.
Further, when the risk indicator includes a one-person multi-device indicator, the historical behavior data includes the device identifier corresponding to each business operation of the user to be identified, and
the calculating module 20 includes:
a calculating unit, configured to count the number of devices according to the device identifiers and obtain a one-person multi-device risk factor based on the number of devices, where identical device identifiers are counted as the same device.
Further, when the risk indicator includes a one-person multi-identity indicator, the historical behavior data includes an identity card photo sequence formed by the user identity card photos corresponding to each business operation of the user to be identified and an identification photo sequence formed by the user identification photos, and
the calculating module 20 includes:
a combination unit, configured to combine the photos in the identity card photo sequence and the photos in the identification photo sequence in pairs to obtain the photo combinations;
and a matching unit, configured to perform face recognition on each photo combination to obtain a face matching result corresponding to each photo combination, and to obtain a one-person multi-identity risk factor according to the face matching results.
Further, when the risk indicator includes a suspicious background indicator, the historical behavior data includes a user identification photo corresponding to at least one business operation of the user to be identified and user identification photos based on the business operation records of historical users other than the user to be identified, and
the calculating module 20 includes:
a separation unit, configured to perform a background separation operation on each user identification photo to obtain the respective background picture data;
an extraction unit, configured to input each piece of background picture data into a preset background feature extraction model for feature extraction to obtain the respective background features;
and a clustering unit, configured to cluster the background features to obtain clusters, count the number of users associated with the background features in a target cluster, and obtain a suspicious background risk factor based on the number of users, where the target cluster is the cluster in which the background feature corresponding to the user to be identified is located.
Further, the acquiring module 10 is further configured to acquire a training data set, where each piece of training data in the training data set includes three pieces of background image data, two of which belong to the same type of background;
the apparatus further includes:
a training module, configured to train the feature extraction model to be trained with the training data set to obtain the background feature extraction model, where the loss function in the training process is a loss function that minimizes the absolute value of the difference between a first distance and a second distance, the first distance is the distance between the background features of the two pieces of background image data of the same type in the training data, and the second distance is the distance between the background features of two pieces of background image data of different types in the training data.
Further, when the risk indicator includes a suspicious micro-expression indicator, the historical behavior data includes a user video corresponding to at least one business operation of the user to be identified, and
the calculating module 20 includes:
an input unit, configured to input each video frame in the user video into a preset sequence micro-expression recognition model to obtain the expression category corresponding to each video frame;
and a counting unit, configured to count the occurrence frequency of a target expression category based on the expression categories corresponding to the video frames and obtain a suspicious micro-expression risk factor according to the occurrence frequency, where the target expression category includes at least one or more of anger and tension.
Further, the apparatus further includes:
an extraction module, configured to extract face features from the face image of the user to be identified when the user to be identified is determined to be a suspicious user based on the suspicious identification result;
and an adding module, configured to add the extracted face features to a preset suspicious user blacklist library.
Further, the acquiring module 10 is further configured to acquire a face image of the user to be identified when an identity verification instruction of the user to be identified is detected;
the apparatus further includes:
a matching module, configured to extract face features from the face image and match the extracted face features against the face features in a preset suspicious user blacklist library;
and an execution module, configured to execute a preset suspicious processing flow on the user to be identified if the matching is successful, and, if the matching is not successful, to execute the step of acquiring historical behavior data based on each business operation record of the user to be identified.
The specific implementation of the suspicious user identification apparatus of the present invention is basically the same as the above embodiments of the suspicious user identification method, and is not described herein again.
In addition, an embodiment of the present invention further provides a computer-readable storage medium, where a suspicious user identification program is stored on the storage medium, and the suspicious user identification program, when executed by a processor, implements the steps of the suspicious user identification method as described below.
The embodiments of the suspicious user identification device and the computer-readable storage medium of the present invention can refer to the embodiments of the suspicious user identification method of the present invention, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (11)

1. A method for identifying a suspicious user, said method comprising the steps of:
acquiring historical behavior data based on each business operation record of a user to be identified;
calculating risk factors under risk indicators based on the historical behavior data, wherein the risk indicators comprise at least one or more of a one-person multi-device indicator, a one-person multi-identity indicator, a suspicious background indicator and a suspicious micro-expression indicator;
and obtaining a suspicious identification result of the user to be identified according to the risk factor.
2. The suspicious user identification method according to claim 1, wherein when the risk indicator includes a one-person multi-device indicator, the historical behavior data includes device identifiers corresponding to respective business operations of the user to be identified,
the step of calculating a risk factor under a risk indicator based on the historical behavior data comprises:
counting the number of devices according to the device identifiers, and obtaining a one-person multi-device risk factor based on the number of devices, wherein identical device identifiers are counted as the same device.
3. The suspicious user identification method according to claim 1, wherein when the risk indicator includes a one-person multi-identity indicator, the historical behavior data includes an identity card photo sequence composed of user identity card photos corresponding to each business operation of the user to be identified and an identification photo sequence composed of user identification photos,
the step of calculating a risk factor under a risk indicator based on the historical behavior data comprises:
combining the photos in the identity card photo sequence and the photos in the identification photo sequence in pairs to obtain each photo combination;
and respectively carrying out face recognition on each photo combination to obtain a face matching result corresponding to each photo combination, and obtaining a one-person multi-identity risk factor according to each face matching result.
4. The suspicious user identification method according to claim 1, wherein when the risk indicator includes a suspicious background indicator, the historical behavior data includes a user identification photo corresponding to at least one business operation of the user to be identified and a user identification photo based on a business operation record of a historical user other than the user to be identified,
the step of calculating a risk factor under a risk indicator based on the historical behavior data comprises:
respectively carrying out background separation operation on each user identification photo to obtain each background picture data;
inputting the background picture data into a preset background feature extraction model respectively for feature extraction to obtain background features;
and clustering each background feature to obtain a cluster, counting the number of users associated with each background feature in a target cluster, and obtaining a suspicious background risk factor based on the number of the users, wherein the target cluster is the cluster in which the background feature corresponding to the user to be identified is located.
5. The method according to claim 4, wherein the step of inputting each background picture data into a preset background feature extraction model for feature extraction to obtain each background feature further comprises:
acquiring a training data set, wherein each piece of training data in the training data set respectively comprises three pieces of background image data, and two pieces of background image data belong to the same type of background;
and training the feature extraction model to be trained by adopting the training data set to obtain the background feature extraction model, wherein a loss function in the training process is a loss function which minimizes the absolute value of the difference between a first distance and a second distance, the first distance is the distance between the background features of two background image data of the same type in the training data, and the second distance is the distance between the background features of two background data of different types in the training data.
6. The suspicious user identification method according to claim 1, wherein when said risk indicator includes a suspicious micro-expression indicator, said historical behavior data includes a user video corresponding to at least one business operation of said user to be identified,
the step of calculating a risk factor under a risk indicator based on the historical behavior data comprises:
inputting each video frame in the user video into a preset sequence micro expression recognition model to obtain an expression category corresponding to each video frame;
and counting the occurrence frequency of the target expression category based on the expression categories corresponding to the video frames, and obtaining the suspicious micro-expression risk factor according to the occurrence frequency.
7. The method for identifying a suspicious user according to claim 1, wherein after the step of obtaining the suspicious identification result of the user to be identified according to the risk factor, the method further comprises:
when the user to be identified is determined to be a suspicious user based on the suspicious identification result, extracting face features from a face image of the user to be identified;
and adding the extracted face features to a preset suspicious user blacklist library.
8. The method according to any one of claims 1 to 7, wherein the step of obtaining historical behavior data based on each business operation record of the user to be identified is preceded by the step of:
when an identity authentication instruction of a user to be identified is detected, acquiring a face image of the user to be identified;
extracting face features from the face image, and matching the extracted face features with each face feature in a preset suspicious user blacklist library;
if the matching is successful, executing a preset suspicious processing flow on the user to be identified;
if the matching is not successful, executing the step of acquiring historical behavior data based on each business operation record of the user to be identified.
9. A suspect user identification apparatus, said apparatus comprising:
an acquisition module, configured to acquire historical behavior data based on each business operation record of the user to be identified;
a calculation module, configured to calculate risk factors under risk indicators based on the historical behavior data, wherein the risk indicators comprise at least one or more of a one-person multi-device indicator, a one-person multi-identity indicator, a suspicious background indicator and a suspicious micro-expression indicator;
and a determining module, configured to obtain the suspicious identification result of the user to be identified according to the risk factor.
10. A suspect user identification device, the suspect user identification device comprising: memory, a processor and a suspicious user identification program stored on the memory and executable on the processor, the suspicious user identification program when executed by the processor implementing the steps of the suspicious user identification method according to one of the claims 1 to 8.
11. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a suspicious user identification program, which when executed by a processor implements the steps of the suspicious user identification method according to one of the claims 1 to 8.
CN202010733889.XA 2020-07-27 2020-07-27 Suspicious user identification method, device, equipment and readable storage medium Pending CN111861240A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010733889.XA CN111861240A (en) 2020-07-27 2020-07-27 Suspicious user identification method, device, equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN111861240A (en) 2020-10-30

Family

ID=72947422

Country Status (1)

Country Link
CN (1) CN111861240A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination