CN112907257A - Risk threshold determining method, abnormality detecting device and electronic equipment - Google Patents
Risk threshold determining method, abnormality detecting device and electronic equipment Download PDFInfo
- Publication number
- CN112907257A CN112907257A CN202110452547.5A CN202110452547A CN112907257A CN 112907257 A CN112907257 A CN 112907257A CN 202110452547 A CN202110452547 A CN 202110452547A CN 112907257 A CN112907257 A CN 112907257A
- Authority
- CN
- China
- Prior art keywords
- transaction data
- time
- time position
- risk threshold
- data set
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 39
- 230000005856 abnormality Effects 0.000 title claims abstract description 14
- 238000001514 detection method Methods 0.000 claims abstract description 19
- 230000002547 anomalous effect Effects 0.000 claims abstract description 13
- 230000000694 effects Effects 0.000 claims abstract description 5
- 230000002159 abnormal effect Effects 0.000 claims description 20
- 238000011156 evaluation Methods 0.000 claims description 13
- 230000002123 temporal effect Effects 0.000 claims description 9
- 230000006872 improvement Effects 0.000 description 8
- 230000008569 process Effects 0.000 description 7
- 238000010586 diagram Methods 0.000 description 6
- 238000012545 processing Methods 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 238000011946 reduction process Methods 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000003064 k means clustering Methods 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- YHXISWVBGDMDLQ-UHFFFAOYSA-N moclobemide Chemical compound C1=CC(Cl)=CC=C1C(=O)NCCN1CCOCC1 YHXISWVBGDMDLQ-UHFFFAOYSA-N 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000007781 pre-processing Methods 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4016—Transaction verification involving fraud or risk level assessment in transaction processing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/30—Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
- G06F16/35—Clustering; Classification
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q40/00—Finance; Insurance; Tax strategies; Processing of corporate or income taxes
- G06Q40/04—Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
Landscapes
- Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Theoretical Computer Science (AREA)
- Accounting & Taxation (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Finance (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- Economics (AREA)
- Development Economics (AREA)
- Computer Security & Cryptography (AREA)
- Marketing (AREA)
- Technology Law (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- General Engineering & Computer Science (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Debugging And Monitoring (AREA)
Abstract
The embodiment of the specification discloses a risk threshold value determining method, an abnormality detecting device and electronic equipment. The method comprises the following steps: acquiring transaction data in a plurality of time periods; each time period comprises a plurality of time slices, each time slice corresponds to a time position identification, and the time position identification is used for representing the time position of the time slice; dividing the acquired transaction data into transaction data sets; each transaction data set corresponds to a time position identification and comprises transaction data in the time slices corresponding to the time position identification in each time period; clustering the at least one transaction data set; when the clustering result meets a first preset condition, determining a risk threshold according to the transaction data set, and taking the determined risk threshold as a risk threshold of a time position identifier corresponding to the transaction data set; the risk threshold is used to detect anomalous transaction data. The embodiment of the specification can improve the abnormality detection effect.
Description
Technical Field
The embodiment of the specification relates to the technical field of computers, in particular to a risk threshold determining method, an abnormality detecting device and electronic equipment.
Background
To improve the security of the system, abnormal transaction data needs to be detected.
In the related art, abnormal transaction data is generally detected using a time series model such as an ARIMA model, an LSTM model, or the like. However, the nature of the time series model is a polynomial fit. This property results in the time series model failing to detect anomalous transaction data using more valid information, resulting in a lower accuracy of anomaly detection.
Disclosure of Invention
The embodiment of the specification provides a risk threshold value determining method, an abnormality detecting device and electronic equipment, so as to improve the accuracy of abnormality detection. The technical scheme of the embodiment of the specification is as follows.
In a first aspect of embodiments of the present specification, a method for determining a risk threshold is provided, including:
acquiring transaction data in a plurality of time periods; each time period comprises a plurality of time slices, each time slice corresponds to a time position identification, and the time position identification is used for representing the time position of the time slice;
dividing the acquired transaction data into at least one transaction data set; each transaction data set corresponds to a time position identification and comprises transaction data in the time slices corresponding to the time position identification in each time period;
clustering the at least one transaction data set;
when the clustering result meets a first preset condition, determining a risk threshold according to the transaction data set, and taking the determined risk threshold as a risk threshold of a time position identifier corresponding to the transaction data set; the risk threshold is used to detect anomalous transaction data.
In a second aspect of embodiments of the present specification, there is provided an abnormality detection method including:
selecting a target time position identifier from the time position identifier set according to the generation moment of the transaction data; the time position identification set comprises at least one time position identification, each time position identification corresponds to a time slice and is used for representing the time position of the time slice, and the time slice corresponding to the target time position identification is matched with the generation time of the transaction data;
selecting a target risk threshold from a risk threshold set according to the time position identification; the set of risk thresholds comprises at least one risk threshold, each risk threshold corresponding to a temporal location identity;
and detecting whether the transaction data is abnormal transaction data or not according to the target risk threshold.
In a third aspect of embodiments herein, there is provided a risk threshold determining apparatus, including:
the system comprises a first acquisition unit, a second acquisition unit and a control unit, wherein the first acquisition unit is used for acquiring transaction data in a plurality of time periods; each time period comprises a plurality of time slices, each time slice corresponds to a time position identification, and the time position identification is used for representing the time position of the time slice;
the dividing unit is used for dividing the acquired transaction data into at least one transaction data set; each transaction data set corresponds to a time position identification and comprises transaction data in the time slices corresponding to the time position identification in each time period;
the clustering unit is used for clustering the at least one transaction data set;
the second acquisition unit is used for determining a risk threshold according to the transaction data set when the clustering result meets a first preset condition, and taking the determined risk threshold as a risk threshold of a time position identifier corresponding to the transaction data set; the risk threshold is used to detect anomalous transaction data.
In a fourth aspect of embodiments of the present specification, there is provided an abnormality detection apparatus including:
the first selection unit is used for selecting a target time position identifier from the time position identifier set according to the generation moment of the transaction data; the time position identification set comprises at least one time position identification, each time position identification corresponds to a time slice and is used for representing the time position of the time slice, and the time slice corresponding to the target time position identification is matched with the generation time of the transaction data;
the second selection unit is used for selecting a target risk threshold from the risk threshold set according to the time position identification; the set of risk thresholds comprises at least one risk threshold, each risk threshold corresponding to a temporal location identity;
and the detection unit is used for detecting whether the transaction data is abnormal transaction data or not according to the target risk threshold.
In a fifth aspect of embodiments of the present specification, there is provided an electronic apparatus, including:
at least one processor;
a memory storing program instructions configured to be suitable for execution by the at least one processor, the program instructions comprising instructions for performing the method of the first or second aspect.
According to the technical scheme provided by the embodiment of the specification, each transaction data set comprises transaction data in a plurality of similar time slices, so that the transaction data in the transaction data set macroscopically has a relatively strong transaction expression rule. Through the transaction data set, in combination with clustering, a risk threshold may be obtained, which may more accurately detect anomalous transaction data. In addition, according to the technical scheme provided by the embodiment of the specification, whether the transaction data is abnormal transaction data or not can be detected according to the risk threshold.
Drawings
In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, the drawings in the following description are only some embodiments described in the present specification, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a risk threshold determination method in an embodiment of the present disclosure;
FIG. 2 is a diagram illustrating a clustering result of a transaction data set according to an embodiment of the present disclosure;
FIG. 3 is a schematic flow chart of an anomaly detection method in an embodiment of the present disclosure;
FIG. 4 is a diagram illustrating the effect of abnormal transaction detection in an embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of a risk threshold determining apparatus in an embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of an abnormality detection apparatus according to an embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of an electronic device in an embodiment of the present specification.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.
In the above-described related art, the time series model is generally predicted by a small amount of transaction data in order. The number of preamble transaction data per transaction data is typically no more than 30. Therefore, the time series model cannot detect abnormal transaction data by using more effective information, and the detection accuracy of the abnormal transaction data is low.
Considering that the sequence one-dimensional time data is not very regular for the transaction data, the learned information is limited. Instead, similar time segments in different time periods have a relatively strong regularity. To this end, the embodiments of the present specification provide a risk threshold determination method. The risk threshold determination method can be applied to an electronic device.
Referring to fig. 1, the method for determining a risk threshold may specifically include the following steps.
Step S11: acquiring transaction data in a plurality of time periods; each time period comprises a plurality of time slices, each time slice corresponds to a time position identification which is used for representing the time position of the time slice.
In some embodiments, the time period may include 1 day, 2 days, 1 week, and the like. Each time period may be divided into a plurality of time slices. Each time slice may span 5 minutes, 8 minutes, 1 hour, etc. The span of each time slice in the plurality of time periods is the same. The number of time slices in different time periods is the same. Each time slice may correspond to a time location indicator that indicates the time location at which the time slice is located within the time period. The time position identification can be characters or numbers and the like. The temporal location identity of the various time slices in the same time period is different. In addition, temporally adjacent time slices may overlap during the same time period, i.e., temporally adjacent time slices may include overlapping time instants. Of course, the temporally adjacent time slices may also have no overlap.
In some scenario examples, the plurality of time periods may be 35 days. Each time period may be 1 day. Each time slice may span 5 minutes. Temporally adjacent time slices may overlap in the same time period. For example, 08: 00-08: 04 of each day can be used as a time slice, and the time position mark corresponding to the time slice can be a character 0802. 08: 01-08: 05 can be used as a time slice, and the time position mark corresponding to the time slice can be a character 0803. 8: 02-8: 06 can be used as a time slice, and the time position mark corresponding to the time slice can be a character 0804. 8: 03-8: 07 can be used as a time slice, and the time position mark corresponding to the time slice can be a character 0805. Thus, each time period includes 12 × 60 time slices, and the plurality of time periods may include 12 × 60 × 35 time slices.
In some embodiments, transaction data may be collected over multiple time periods. Each time period may include a plurality of time slices. Multiple transaction data may be generated within each time slice. The transaction data may include transaction amount data, and the like. For example, each time slice may span 5 minutes, producing one transaction amount data per minute. Then 5 transaction amount data can be generated per time slice.
Step S13: dividing the acquired transaction data into at least one transaction data set; each transaction data set corresponds to a time location identifier and comprises transaction data in the time slice corresponding to the time location identifier in each time period.
In some embodiments, each transaction data set corresponds to a time location identification. The time location identifications for different sets of transaction data are different. Thus, the number of transaction data sets may be equal to the number of time slices in a time period.
In some embodiments, the acquired transaction data may be partitioned into at least one transaction data set according to a time of generation of the transaction data. Each transaction data set may include transaction data generated within a time slice corresponding to the time location identification for a respective time period. This allows each transaction data set to include transaction data within a plurality of similar time slices, such that the transaction data in the transaction data set macroscopically has a relatively strong transaction performance law.
Continuing with the previous scenario example, the transaction data set corresponding to the time location identity 0802 may include transaction data generated in 08: 00-08: 04 time slices for each of the 35 days. The transaction data set corresponding to the time position mark 0803 may include transaction data generated in 08: 01-08: 05 time slices of each day of the 35 days. The transaction data set corresponding to the time position mark 0804 can include transaction data generated in 08: 02-08: 06 time slices of each day in the 35 days. The transaction data set corresponding to the time position mark 0805 can include transaction data generated in 08: 03-08: 07 time slices of each day in 35 days.
In some embodiments, the obtained transaction data may be directly partitioned into at least one transaction data set. Or, the acquired transaction data can be preprocessed; the pre-processed transaction data may be partitioned into at least one transaction data set. The pre-processing may include: and performing near filling processing on the missing value, performing mean interpolation processing on the abnormal value and the like.
Step S15: clustering the at least one transaction data set.
In some embodiments, a clustering algorithm may be used to perform clustering on the transaction data sets to obtain a clustering result of each transaction data set. The clustering algorithm includes, but is not limited to, K-Means clustering algorithm, DBSCAN clustering algorithm, and the like. Through the clustering algorithm, the interference caused by the randomness of transaction data can be overcome, and the risk threshold value can be accurately determined.
Step S17: and when the clustering result meets a first preset condition, determining a risk threshold according to the transaction data set, and taking the determined risk threshold as a risk threshold of the time position identifier corresponding to the transaction data set.
In some embodiments, the first preset condition may be used to determine whether the transaction data set is an abnormal transaction data set. Anomalous transactional data sets are subject to random interference and cannot be used to determine risk thresholds. In practice, the clustering result of the transaction data set may include the number of clusters. The first preset condition may include: the number of clusters is 1. For each transaction data set, if the clustering result of the transaction data set meets the first preset condition, it indicates that the transaction data set is not interfered by randomness, a risk threshold value can be determined according to the transaction data set, and the determined risk threshold value can be used as a risk threshold value of a time position identifier corresponding to the transaction data set; if the clustering result of the transaction data set does not meet the first preset condition, it is indicated that the transaction data set is disturbed by randomness, and the transaction data set can be ignored.
In some embodiments, the risk threshold may be used to detect anomalous transaction data. The risk threshold may include an upper threshold and/or a lower threshold. In practice, the largest of the transaction data in the transaction data set may be obtained as the upper threshold. The smallest of the transaction data in the transaction data set may be obtained as the lower threshold. Of course, in order to increase the risk tolerance interval, the largest transaction data in the transaction data set may also be obtained, and the largest transaction data may be corrected to obtain the upper threshold. The minimum transaction data in the transaction data set can be obtained, and the minimum transaction data can be corrected to obtain the lower threshold. For example, the maximum may be multiplied by 1.1 to obtain an upper threshold; the minimum may be multiplied by 0.9 to obtain the lower threshold.
Continuing the foregoing scenario example, if the clustering result of the transaction data set corresponding to the time position identifier 0802 does not satisfy the first preset condition, the transaction data set corresponding to the time position identifier 0802 may be ignored. If the clustering result of the transaction data set corresponding to the time position identifier 0803 meets the first preset condition, the minimum one can be obtained from the transaction data set corresponding to the time position identifier 0803, and the minimum one can be multiplied by 0.9 to obtain the lower threshold of the time position identifier 0803. If the clustering result of the transaction data set corresponding to the time position identifier 0804 meets the first preset condition, the minimum one can be obtained from the transaction data set corresponding to the time position identifier 0804, and the minimum one can be multiplied by 0.9 to obtain the lower threshold of the time position identifier 0804. If the clustering result of the transaction data set corresponding to the time position identifier 0805 meets the first preset condition, the minimum one can be obtained from the transaction data set corresponding to the time position identifier 0805, and the minimum one can be multiplied by 0.9 to obtain the lower threshold of the time position identifier 0805.
In some embodiments, in step S15, the transaction size corresponding to each time location identifier may be determined; the transaction data sets may be clustered according to transaction scale. Specifically, when the transaction scale meets the second preset condition, clustering processing may be performed on the transaction data set. When the transaction scale meets a third preset condition, the time interval between transaction data in the transaction data set can be reduced; the clustering process may be performed on the transaction data set after the reduction process.
Each time cycle may be divided into a plurality of time segments, each of which may include a plurality of time slices. The time period may span 1 hour, 2 hours, etc. The spans of the respective time segments in the plurality of time periods are the same. The number of time segments in different time periods is the same. Each time segment may correspond to a segment location indicator that indicates a time location at which the time segment is located within the time period. The segment position identification is different for each time segment in the same time cycle. In this way, the trading scale of each time period can be determined, and the trading scale can be the amount of trading data; the corresponding trade size of the segment position identifier may be calculated based on the trade size of the time segment. In particular, one segment location identity may correspond to multiple time segments. Then, the trade size of the segment location identifier may be calculated based on the trade sizes of the plurality of time segments. For example, an average of the trade sizes of the plurality of time segments may be calculated as the trade size of the segment location identifier.
Each time segment may include a plurality of time slices such that each segment location identity may correspond to a plurality of time location identities. In this way, the transaction size corresponding to the segment position id can be used as the transaction size of the time position id corresponding to the segment position id. Thus, the transaction scale corresponding to each time position mark can be obtained.
The second preset condition may be used to indicate whether the size of the transaction is large. For example, the second preset condition may be: the amount of transaction data is greater than or equal to 100. And aiming at a certain time position identification, if the transaction scale corresponding to the time position identification meets the second preset condition, clustering processing can be directly carried out on the transaction data set corresponding to the time position identification. The third preset condition may be used to indicate whether the size of the transaction is small. For example, the third preset condition may be: the amount of transaction data is greater than 10 and less than 100. For a certain time position identifier, if the transaction scale corresponding to the time position identifier meets the third preset condition, the time interval between transaction data in the transaction data set can be reduced for the transaction data set corresponding to the time position identifier; the clustering process may be performed on the transaction data set after the reduction process. Therefore, the long distance between the transaction data caused by overlarge time interval in the clustering algorithm can be avoided, and the clustering efficiency is improved. For example, the time interval between transaction data in the transaction data set may be reduced to 0.1 times the original time interval. Of course, for a certain time and position identifier, if the transaction scale corresponding to the time and position identifier does not satisfy the second preset condition or the third preset condition, it indicates that the transaction scale of the transaction data set corresponding to the time and position identifier is too small (for example, less than 10), and the transaction data set corresponding to the time and position identifier may be directly ignored.
In some embodiments, in step S15, a density-based clustering algorithm may be employed to cluster the transaction data set. The density-based clustering algorithm aims to find the maximum set of density-connected points. The density-based clustering algorithm involves two hyper-parameters. The two hyper-parameters comprise the neighborhood radius and the number of the minimum transaction data with the radius being the neighborhood. In practice, the initial value of the neighborhood radius may be 0.1 times the standard deviation, and the number of the least transaction data whose radius is the neighborhood may be 5.
For each transaction data set, after the clustering process, a clustering result for the transaction data set may be obtained. Additionally, a first distance value and a second distance value may be calculated for each transaction data in the set of transaction data. The first distance value is used for representing the distance between the transaction data and other transaction data in the cluster where the transaction data is located. Specifically, the first distance value may be an average distance between the transaction data and other transaction data in the cluster where the transaction data is located. The first distance value may be used to represent intra-cluster dissimilarity of the transactional data. The second distance value is used to represent the distance between the transaction data and the transaction data in other clusters. Specifically, the cluster in which the transaction data is located is taken as a first cluster, and other clusters are taken as second clusters, so that for each second cluster, the average distance between the transaction data and the transaction data in the second cluster can be calculated. The number of the second cluster is multiple, and multiple average distances can be obtained. A minimum of the plurality of average distances may be selected as the second distance value for the transaction data. The second distance value may be used to represent inter-cluster dissimilarity of the transactional data.
The first distance value and the second distance value can be fused to obtain a third distance value; for example, the third distance value of the transaction data i may be expressed as
siA third distance value, a, representing transaction data iiA first distance value, b, representing transaction data iiA second distance value representing transaction data i.
An evaluation index for the transaction data set may be calculated based on the third distance value. The evaluation index is used for evaluating the effect of the clustering result of the transaction data set. For example, an average value of the third distance values of the transaction data in the transaction data set may be calculated as the evaluation index of the transaction data set. The closer the evaluation index is to 1, the better the clustering result is. For example, FIG. 2 shows the clustering results for a certain transaction data set. The evaluation index of the clustering result may be 0.944791809.
When the evaluation index does not satisfy the fourth preset condition, the step of dividing the transaction data in the transaction data set into at least one cluster may be iteratively performed. And when the evaluation index meets a fourth preset condition, ending the clustering process to obtain a clustering result of the transaction data set. In practice, a grid search may be adopted, and the search is performed progressively with a distance of 0.1 times the standard deviation for a range of 0.1 to 3 times the standard deviation, and the stop condition of the search may include at least one of the following: (1) the increase range of the evaluation index is less than 10-9(ii) a (2) The evaluation index is continuously reduced for 3 times; (3) the calculation of all the selected parameters within the grid has been completed.
In the method for determining a risk threshold in the embodiment of the present specification, each transaction data set includes transaction data in a plurality of similar time slices, so that the transaction data in the transaction data set macroscopically has a relatively strong transaction performance rule. Through the transaction data set, in combination with clustering, a risk threshold may be obtained, which may more accurately detect anomalous transaction data.
The embodiment of the specification also provides an abnormality detection method.
Referring to fig. 3, the abnormality detection method may be applied to an electronic device, and specifically includes the following steps.
Step S21: selecting a target time position identifier from the time position identifier set according to the generation moment of the transaction data; the time position identification set comprises at least one time position identification, and each time position identification corresponds to one time slice and is used for representing the time position of the time slice.
In some embodiments, the transaction data may be transaction data to be detected. The transaction data may include transaction amount data, and the like. Corresponding target time and position identifications can be selected from the time and position identification set according to the generation time of the transaction data. The time location identifier set may include at least one time location identifier, and each time location identifier corresponds to a time slice and is used to indicate a time location where the time slice is located. For example, the time and location identifier set may include time and location identifier 0802, time and location identifier 0803, time and location identifier 0804, and time and location identifier 0805. The time position mark 0802 corresponds to the time slice 08: 00-08: 04. The time position mark 0803 corresponds to a time slice 08: 01-08: 05. The time position mark 0804 corresponds to the time slice 08: 02-08: 06. The time position mark 0805 corresponds to the time slice 08: 03-08: 07. The time slice corresponding to the target time location identification is matched with the generation time of the transaction data. Specifically, the generation time of the transaction data may be located in the time slice corresponding to the target time location identifier. Continuing with the previous example, the time of generation of the transaction data may be 08:04, and then the corresponding target time-location identifier 0804 may be selected from the set of time-location identifiers.
Step S23: selecting a target risk threshold from a risk threshold set according to the time position identification; the set of risk thresholds includes at least one risk threshold, each risk threshold corresponding to a temporal location identity.
In some embodiments, the set of risk thresholds includes at least one risk threshold, each risk threshold corresponding to a temporal location identity. The risk thresholds in the risk threshold set may be determined according to the method corresponding to fig. 1.
In some embodiments, a target risk threshold may be selected from the set of risk thresholds based on the selected temporal location identity. The target risk threshold corresponds to the selected time location identifier.
Step S25: and detecting whether the transaction data is abnormal transaction data or not according to the target risk threshold.
In some embodiments, the target risk threshold may include an upper threshold and/or a lower threshold.
When the transaction data is less than the lower threshold, it may be determined that the transaction data is abnormal transaction data; when the transaction data is greater than the upper threshold, it may be determined that the transaction data is abnormal transaction data; when the transaction data is between the upper threshold and the lower threshold, the transaction data may be determined to be normal transaction data.
Fig. 4 shows a diagram of the effect of anomalous transaction detection. In fig. 4, the lower thresholds of the individual risk thresholds in the risk threshold set constitute a lower threshold curve. The transaction data generated at each time constitutes the actual transaction data curve.
The anomaly detection method in the embodiments of the present specification can detect whether transaction data is anomalous transaction data according to a risk threshold.
Please refer to fig. 5. An embodiment of the present specification further provides a risk threshold determining apparatus, including:
a first acquiring unit 31 for acquiring transaction data in a plurality of time periods; each time period comprises a plurality of time slices, each time slice corresponds to a time position identification, and the time position identification is used for representing the time position of the time slice;
a dividing unit 33 for dividing the acquired transaction data into at least one transaction data set; each transaction data set corresponds to a time position identification and comprises transaction data in the time slices corresponding to the time position identification in each time period;
a clustering unit 35, configured to perform clustering processing on the at least one transaction data set;
a second obtaining unit 37, configured to determine a risk threshold according to the transaction data set when the clustering result meets a first preset condition, and use the determined risk threshold as a risk threshold of the time position identifier corresponding to the transaction data set; the risk threshold is used to detect anomalous transaction data.
Please refer to fig. 6. An embodiment of the present specification further provides an abnormality detection apparatus, including:
a first selecting unit 41, configured to select a target time location identifier from the time location identifier set according to a generation time of the transaction data; the time position identification set comprises at least one time position identification, each time position identification corresponds to a time slice and is used for representing the time position of the time slice, and the time slice corresponding to the target time position identification is matched with the generation time of the transaction data;
a second selecting unit 43, configured to select a target risk threshold from the risk threshold set according to the time location identifier; the set of risk thresholds comprises at least one risk threshold, each risk threshold corresponding to a temporal location identity;
and the detection unit 45 is used for detecting whether the transaction data is abnormal transaction data or not according to the target risk threshold.
Please refer to fig. 7. The embodiment of the specification also provides a computing device.
The computing device may include a memory and a processor.
In the present embodiment, the Memory includes, but is not limited to, a Dynamic Random Access Memory (DRAM), a Static Random Access Memory (SRAM), and the like. The memory may be used to store computer instructions.
In this embodiment, the processor may be implemented in any suitable manner. For example, the processor may take the form of, for example, a microprocessor or processor and a computer-readable medium that stores computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, an embedded microcontroller, and so forth. The processor may be configured to execute the computer instructions to implement the embodiments corresponding to fig. 1 or fig. 3.
It should be noted that, in the present specification, each embodiment is described in a progressive manner, and the same or similar parts in each embodiment may be referred to each other, and each embodiment focuses on differences from other embodiments. In particular, for the apparatus embodiment and the computing device embodiment, since they are substantially similar to the method embodiment, the description is relatively simple, and reference may be made to some descriptions of the method embodiment for relevant points. In addition, it is understood that one skilled in the art, after reading this specification document, may conceive of any combination of some or all of the embodiments listed in this specification without the need for inventive faculty, which combinations are also within the scope of the disclosure and protection of this specification.
In the 90 s of the 20 th century, improvements in a technology could clearly distinguish between improvements in hardware (e.g., improvements in circuit structures such as diodes, transistors, switches, etc.) and improvements in software (improvements in process flow). However, as technology advances, many of today's process flow improvements have been seen as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into the hardware circuit. Thus, it cannot be said that an improvement in the process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose Logic functions are determined by programming the Device by a user. A digital system is "integrated" on a PLD by the designer's own programming without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Furthermore, nowadays, instead of manually making an integrated circuit chip, such Programming is often implemented by "logic compiler" software, which is similar to a software compiler used in program development and writing, but the original code before compiling is written by a specific Programming Language, which is called Hardware Description Language (HDL), and HDL is not only one but many, such as abel (advanced Boolean Expression Language), ahdl (alternate Language Description Language), Confluence, pl (core unified Programming Language), HDCal, JHDL (Java Hardware Description Language), languai, Lola, HDL, las, hard Language (software Description Language), etc. It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
From the above description of the embodiments, it is clear to those skilled in the art that the present specification can be implemented by software plus a necessary general hardware platform. Based on such understanding, the technical solutions of the present specification may be essentially or partially implemented in the form of software products, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and include instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments of the present specification.
The description is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
This description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
While the specification has been described with examples, those skilled in the art will appreciate that there are numerous variations and permutations of the specification that do not depart from the spirit of the specification, and it is intended that the appended claims include such variations and modifications that do not depart from the spirit of the specification.
Claims (15)
1. A method of risk threshold determination, comprising:
acquiring transaction data in a plurality of time periods; each time period comprises a plurality of time slices, each time slice corresponds to a time position identification, and the time position identification is used for representing the time position of the time slice;
dividing the acquired transaction data into at least one transaction data set; each transaction data set corresponds to a time position identification and comprises transaction data in the time slices corresponding to the time position identification in each time period;
clustering the at least one transaction data set;
when the clustering result meets a first preset condition, determining a risk threshold according to the transaction data set, and taking the determined risk threshold as a risk threshold of a time position identifier corresponding to the transaction data set; the risk threshold is used to detect anomalous transaction data.
2. The method of claim 1, the clustering the at least one transaction data set, comprising:
determining the transaction scale corresponding to each time position mark;
and clustering the transaction data set according to the transaction scale.
3. The method of claim 2, the clustering transaction data sets, comprising:
when the transaction scale meets a second preset condition, clustering the transaction data set;
or when the transaction scale meets a third preset condition, reducing the time interval between transaction data in the transaction data set, and clustering the transaction data set subjected to the reduction.
4. The method of claim 1, the clustering the at least one transaction data set, comprising:
dividing transaction data in a transaction data set into at least one cluster; calculating a first distance value and a second distance value of each transaction data in the transaction data set; the first distance value is used for representing the distance between the transaction data and other transaction data in a cluster where the first distance value is located, and the second distance value is used for representing the distance between the transaction data and the transaction data in other clusters; fusing the first distance value and the second distance value to obtain a third distance value; calculating an evaluation index of the transaction data set according to the third distance value, wherein the evaluation index is used for evaluating the clustering result effect of the transaction data set;
when the evaluation index does not meet a fourth preset condition, iteratively executing the step of dividing the transaction data in the transaction data set into at least one cluster; or when the evaluation index meets a fourth preset condition, obtaining a clustering result of the transaction data set.
5. The method of claim 1, the first preset condition comprising: the number of clusters is 1.
6. The method of claim 1, the risk threshold comprising an upper threshold;
the determining a risk threshold from the transaction data set includes:
acquiring the maximum transaction data in the transaction data set as an upper threshold; alternatively, the first and second electrodes may be,
and acquiring the largest transaction data in the transaction data set, and correcting the largest transaction data to obtain an upper threshold value.
7. The method of claim 1, the risk threshold comprising a lower threshold;
the determining a risk threshold from the transaction data set includes:
acquiring the minimum transaction data in the transaction data set as a lower threshold; alternatively, the first and second electrodes may be,
and acquiring the minimum transaction data in the transaction data set, and correcting the minimum transaction data to obtain a lower threshold value.
8. The method of claim 1, the transaction data comprising transaction amount data.
9. An anomaly detection method comprising:
selecting a target time position identifier from the time position identifier set according to the generation moment of the transaction data; the time position identification set comprises at least one time position identification, each time position identification corresponds to a time slice and is used for representing the time position of the time slice, and the time slice corresponding to the target time position identification is matched with the generation time of the transaction data;
selecting a target risk threshold from a risk threshold set according to the time position identification; the set of risk thresholds comprises at least one risk threshold, each risk threshold corresponding to a temporal location identity;
and detecting whether the transaction data is abnormal transaction data or not according to the target risk threshold.
10. The method of claim 9, the target risk threshold comprising a lower threshold;
the detecting whether the transaction data is abnormal transaction data includes:
and when the transaction data is smaller than the lower threshold value, determining that the transaction data is abnormal transaction data.
11. The method of claim 9, the target risk threshold comprising an upper threshold;
the detecting whether the transaction data is abnormal transaction data includes:
and when the transaction data is larger than the upper threshold value, determining that the transaction data is abnormal transaction data.
12. The method of claim 9, the transaction data comprising transaction amount data.
13. A risk threshold determination apparatus, comprising:
the system comprises a first acquisition unit, a second acquisition unit and a control unit, wherein the first acquisition unit is used for acquiring transaction data in a plurality of time periods; each time period comprises a plurality of time slices, each time slice corresponds to a time position identification, and the time position identification is used for representing the time position of the time slice;
the dividing unit is used for dividing the acquired transaction data into at least one transaction data set; each transaction data set corresponds to a time position identification and comprises transaction data in the time slices corresponding to the time position identification in each time period;
the clustering unit is used for clustering the at least one transaction data set;
the second acquisition unit is used for determining a risk threshold according to the transaction data set when the clustering result meets a first preset condition, and taking the determined risk threshold as a risk threshold of a time position identifier corresponding to the transaction data set; the risk threshold is used to detect anomalous transaction data.
14. An abnormality detection device comprising:
the first selection unit is used for selecting a target time position identifier from the time position identifier set according to the generation moment of the transaction data; the time position identification set comprises at least one time position identification, each time position identification corresponds to a time slice and is used for representing the time position of the time slice, and the time slice corresponding to the target time position identification is matched with the generation time of the transaction data;
the second selection unit is used for selecting a target risk threshold from the risk threshold set according to the time position identification; the set of risk thresholds comprises at least one risk threshold, each risk threshold corresponding to a temporal location identity;
and the detection unit is used for detecting whether the transaction data is abnormal transaction data or not according to the target risk threshold.
15. An electronic device, comprising:
at least one processor;
a memory storing program instructions configured for execution by the at least one processor, the program instructions comprising instructions for performing the method of any of claims 1-12.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110452547.5A CN112907257B (en) | 2021-04-26 | 2021-04-26 | Risk threshold determining method and device and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110452547.5A CN112907257B (en) | 2021-04-26 | 2021-04-26 | Risk threshold determining method and device and electronic equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112907257A true CN112907257A (en) | 2021-06-04 |
| CN112907257B CN112907257B (en) | 2024-03-26 |
Family
ID=76108938
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110452547.5A Active CN112907257B (en) | 2021-04-26 | 2021-04-26 | Risk threshold determining method and device and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112907257B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114037453A (en) * | 2021-11-16 | 2022-02-11 | 环球数科集团有限公司 | Payment processing system based on minimum credible threshold under multidimension degree |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170300919A1 (en) * | 2014-12-30 | 2017-10-19 | Alibaba Group Holding Limited | Transaction risk detection method and apparatus |
| CN109086975A (en) * | 2018-07-10 | 2018-12-25 | 阿里巴巴集团控股有限公司 | A kind of recognition methods of transaction risk and device |
| CN110689218A (en) * | 2019-08-13 | 2020-01-14 | 平安科技(深圳)有限公司 | Risk user identification method and device, computer equipment and storage medium |
| CN111898626A (en) * | 2020-05-18 | 2020-11-06 | 支付宝(杭州)信息技术有限公司 | Model determination method and device and electronic equipment |
| CN111967779A (en) * | 2020-08-19 | 2020-11-20 | 支付宝(杭州)信息技术有限公司 | Risk assessment method, device and equipment |
-
2021
- 2021-04-26 CN CN202110452547.5A patent/CN112907257B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20170300919A1 (en) * | 2014-12-30 | 2017-10-19 | Alibaba Group Holding Limited | Transaction risk detection method and apparatus |
| CN109086975A (en) * | 2018-07-10 | 2018-12-25 | 阿里巴巴集团控股有限公司 | A kind of recognition methods of transaction risk and device |
| CN110689218A (en) * | 2019-08-13 | 2020-01-14 | 平安科技(深圳)有限公司 | Risk user identification method and device, computer equipment and storage medium |
| CN111898626A (en) * | 2020-05-18 | 2020-11-06 | 支付宝(杭州)信息技术有限公司 | Model determination method and device and electronic equipment |
| CN111967779A (en) * | 2020-08-19 | 2020-11-20 | 支付宝(杭州)信息技术有限公司 | Risk assessment method, device and equipment |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114037453A (en) * | 2021-11-16 | 2022-02-11 | 环球数科集团有限公司 | Payment processing system based on minimum credible threshold under multidimension degree |
| CN114037453B (en) * | 2021-11-16 | 2022-03-15 | 环球数科集团有限公司 | Payment processing system based on minimum credible threshold under multidimension degree |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112907257B (en) | 2024-03-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110928718B (en) | Abnormality processing method, system, terminal and medium based on association analysis | |
| CN106453437B (en) | equipment identification code acquisition method and device | |
| US11669083B2 (en) | System and method for proactive repair of sub optimal operation of a machine | |
| CN107766568B (en) | Efficient query processing using histograms in columnar databases | |
| TW202029079A (en) | Method and device for identifying irregular group | |
| CN110995482B (en) | Alarm analysis method and device, computer equipment and computer readable storage medium | |
| US9116879B2 (en) | Dynamic rule reordering for message classification | |
| CN112231174A (en) | Abnormity warning method, device, equipment and storage medium | |
| CN107577697B (en) | Data processing method, device and equipment | |
| CN107037978A (en) | Data Migration bearing calibration and system | |
| CN111241389A (en) | Sensitive word filtering method and device based on matrix, electronic equipment and storage medium | |
| CN110635962B (en) | Abnormity analysis method and device for distributed system | |
| CN109857618B (en) | Monitoring method, device and system | |
| CN106033574B (en) | Method and device for identifying cheating behaviors | |
| CN112907257A (en) | Risk threshold determining method, abnormality detecting device and electronic equipment | |
| CN110599004A (en) | Risk control method, equipment, medium and device | |
| CN109213476A (en) | A kind of generation method of installation kit, computer readable storage medium and terminal device | |
| US20230252055A1 (en) | Variable density-based clustering on data streams | |
| CN110322139B (en) | Policy recommendation method and device | |
| CN109039695B (en) | Service fault processing method, device and equipment | |
| CN111079560A (en) | Tumble monitoring method and device and terminal equipment | |
| CN107562533B (en) | Data loading processing method and device | |
| CN107368281B (en) | Data processing method and device | |
| CN115828244A (en) | Memory leak detection method and device and related equipment | |
| CN114138615A (en) | Service alarm processing method, device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |