CN113344697A - Group partner detection method, device, equipment and medium - Google Patents
Group partner detection method, device, equipment and medium Download PDFInfo
- Publication number
- CN113344697A CN113344697A CN202110725939.4A CN202110725939A CN113344697A CN 113344697 A CN113344697 A CN 113344697A CN 202110725939 A CN202110725939 A CN 202110725939A CN 113344697 A CN113344697 A CN 113344697A
- Authority
- CN
- China
- Prior art keywords
- community
- nodes
- main body
- graph
- node
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q40/00—Finance; Insurance; Tax strategies; Processing of corporate or income taxes
- G06Q40/03—Credit; Loans; Processing thereof
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/23—Updating
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9024—Graphs; Linked lists
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Business, Economics & Management (AREA)
- Databases & Information Systems (AREA)
- Physics & Mathematics (AREA)
- Accounting & Taxation (AREA)
- Finance (AREA)
- General Engineering & Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Development Economics (AREA)
- General Business, Economics & Management (AREA)
- Technology Law (AREA)
- Software Systems (AREA)
- Strategic Management (AREA)
- Marketing (AREA)
- Economics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention relates to the field of artificial intelligence, and provides a group partner detection method, a group partner detection device, a group partner detection equipment and a group partner detection medium, wherein a target relation graph can be constructed, the target relation graph is updated to a total relation graph, incremental updating of the total relation graph is realized, data are more comprehensive, coverage is wider, further the practicability of the data is improved, subsequent identification is more accurate and reliable, data fusion is performed on the updated total relation graph, targeted risk identification is performed on each community subsequently, a preset label propagation algorithm is adopted to propagate in each community obtained after fusion to obtain candidate communities, the candidate communities are screened to obtain risk communities, further the detection on the risk communities is realized by combining the preset label propagation algorithm and the relation graph, the detection efficiency is improved, the detection result is more accurate, and the safety is higher. In addition, the invention also relates to a block chain technology, and the risk community can be stored in the block chain node.
Description
Technical Field
The invention relates to the technical field of artificial intelligence, in particular to a group partner detection method, a group partner detection device, group partner detection equipment and a group partner detection medium.
Background
The internet financial credit industry has been rapidly developed in recent years, and along with the development of the industry, the black industry chain of fraud is continuously permeating the field, and various novel fraud modes emerge endlessly. Some people acquire the loan amount through various fraud means and do not pay any more after using the amount, which brings huge loss to financial companies. These groups often present an organized group, so in order to avoid loss, it is necessary to quickly and accurately identify possible fraudulent groups and to perform a differentiated wind control strategy for the identified risk users.
Traditional anti-fraud measures are mainly to intercept the black products in a way of establishing wind control rules around business safety. Since wind control is a process of attack and defense confrontation, as wind control rules are accumulated, black products are also continuously upgraded, such as hiding explicit features by means of counterfeit devices, Location Based Services (LBS), frequent IP (Internet Protocol) replacement, and the like, thereby bypassing the wind control rules.
In the scheme of identifying the cheating group through the knowledge graph, the detection result accuracy needs to be improved and needs to be further improved due to the influences of factors such as data acquisition, few black samples, algorithm timeliness and result inexplicability in practical application scenes.
Disclosure of Invention
In view of the above, there is a need to provide a group detection method, device, apparatus and medium, which can implement detection on a risk community by combining with a preset tag propagation algorithm and a relationship map, so as to improve detection efficiency, and achieve more accurate detection result and higher security.
A group detection method, the group detection method comprising:
responding to a group partner detection instruction, and acquiring data to be detected according to the group partner detection instruction;
extracting a main body and an incidence relation corresponding to the main body from the data to be detected;
determining the main body as a node, and constructing a target relation graph according to the incidence relation corresponding to the main body;
calling a pre-established overall relation graph, and updating the target relation graph to the overall relation graph;
performing data fusion on the updated general relationship graph to obtain at least one community;
for each community in the at least one community, propagating in each community by adopting a preset label propagation algorithm to obtain a candidate community, wherein an initial node of the preset label propagation algorithm is predetermined, and the preset label propagation algorithm is propagated based on the weight of the edge;
and screening the candidate communities to obtain the risk communities.
According to the preferred embodiment of the present invention, the acquiring data to be detected according to the group detection command includes:
analyzing the group partner detection command to obtain the information carried by the group partner detection command;
acquiring a preset label;
constructing a regular expression according to the preset label;
traversing information carried by the group detection instruction by using the regular expression, and determining the traversed information matched with the regular expression as a target application identifier;
determining a target application according to the target application identifier;
acquiring a buried point log and an access log of the target application;
and acquiring the data to be detected from the embedded point log and the access log.
According to a preferred embodiment of the present invention, the extracting a main body from the data to be detected, and the association relationship corresponding to the main body includes:
acquiring a user ID from the buried point log, and determining a target user as the main body according to the user ID;
acquiring an access request of the subject to the target application from the access log;
obtaining a cookie, a token and a user-agent from a request header of the access request;
randomly extracting from the cookie, token and user-agent to perform MD5 operation, and generating a main body identification code of the main body;
obtaining the operation behavior of the main body and the occurrence time of the operation behavior from the access log;
and constructing an association relation corresponding to the main body according to the operation behavior of the main body and the occurrence time of the operation behavior.
According to a preferred embodiment of the present invention, the updating the target relationship graph to the overall relationship graph includes:
comparing the nodes in the target relational graph with the nodes in the total relational graph to obtain a first comparison result;
acquiring nodes which are not in the total relational graph from the target relational graph as nodes to be added according to the first comparison result, and acquiring edges of the nodes to be added;
updating the nodes to be added and the edges of the nodes to be added to the general relationship graph;
determining other nodes except the node to be added in the target relation graph as alternative nodes, and acquiring edges of the alternative nodes;
comparing the edges of the alternative nodes with the edges in the general relationship graph to obtain a second comparison result;
acquiring edges which are not included in the total relation graph from the edges of the alternative nodes according to the second comparison result to serve as edges to be added;
and updating the edge to be added to the general relationship graph.
According to a preferred embodiment of the present invention, the performing data fusion on the updated overall relationship graph to obtain at least one community includes:
identifying nodes which access the same equipment, access the same order or are in the same WiFi MAC from the updated general relationship graph to obtain an identification result;
dividing the nodes in the updated general relation graph into at least one category according to the identification result;
and respectively constructing a communication subgraph by using the nodes of each category and the corresponding edges to obtain the at least one community.
According to the preferred embodiment of the present invention, the propagating in each community by using a preset tag propagation algorithm to obtain candidate communities includes:
when the first transmission is executed, traversing all nodes in each community by adopting a k-core algorithm, and determining the nodes with the incomes larger than a configuration threshold value as initial nodes; or when the first transmission is not executed, determining the known risk node as the initial node;
calculating the weight of each edge in each community;
starting from the initial node, performing breadth-first traversal according to the weight of each edge in each community until each node in each community is traversed, and stopping traversal to obtain a label of each node in each community;
and determining communities corresponding to the nodes with the abnormal labels as the candidate communities.
According to the preferred embodiment of the present invention, the screening the candidate communities to obtain the risk communities comprises:
acquiring the access duplicate removal account number and the access duplicate removal part number of each node in each candidate community;
calculating the risk value of each node according to the number of the duplicate removal account numbers and the number of the duplicate removal entry numbers accessed by each node;
calculating the average value of all nodes in each candidate community according to the risk value of each node to obtain the risk value of each candidate community;
determining a candidate community having the risk value greater than or equal to a configured risk value as the risk community.
A partnership detection apparatus, the partnership detection apparatus comprising:
the acquiring unit is used for responding to the group detection command and acquiring the data to be detected according to the group detection command;
the extraction unit is used for extracting a main body and an incidence relation corresponding to the main body from the data to be detected;
the construction unit is used for determining the main body as a node and constructing a target relation graph according to the incidence relation corresponding to the main body;
the updating unit is used for calling a pre-established overall relation graph and updating the target relation graph to the overall relation graph;
the fusion unit is used for carrying out data fusion on the updated general relation graph to obtain at least one community;
the propagation unit is used for propagating each community in the at least one community in each community by adopting a preset label propagation algorithm to obtain a candidate community, wherein an initial node of the preset label propagation algorithm is predetermined, and the preset label propagation algorithm is propagated based on the weight of the edge;
and the screening unit is used for screening the candidate communities to obtain the risk communities.
A computer device, the computer device comprising:
a memory storing at least one instruction; and
a processor executing instructions stored in the memory to implement the group detection method.
A computer-readable storage medium having at least one instruction stored therein, the at least one instruction being executable by a processor in a computer device to implement the group detection method.
According to the technical scheme, the method can respond to the group detection instruction, acquire the data to be detected according to the group detection instruction, extract the main body and the incidence relation corresponding to the main body from the data to be detected, determine the main body as the node, construct the target relation graph according to the incidence relation corresponding to the main body, call the pre-established total relation graph, update the target relation graph to the total relation graph, realize the incremental update of the total relation graph, enable the data in the total relation graph to be more comprehensive and wider in coverage, further improve the practicability of the data, provide an effective data base for subsequent risk community identification, enable the subsequent identification to be more accurate and reliable, perform data fusion on the updated total relation graph to obtain at least one community, and facilitate the subsequent targeted risk identification of each community, for each community in the at least one community, the initial node of the preset label propagation algorithm is predetermined, the preset label propagation algorithm is propagated based on the weight of the edge, the preset label propagation algorithm is adopted to propagate in each community to obtain a candidate community, the candidate community is screened to obtain a risk community, and then the detection of the risk community is realized by combining the preset label propagation algorithm and the relation graph, so that the detection efficiency is improved, the detection result is more accurate, and the safety is higher.
Drawings
Fig. 1 is a flow chart of a preferred embodiment of the group detection method of the present invention.
Fig. 2 is a functional block diagram of a preferred embodiment of the group detection apparatus of the present invention.
Fig. 3 is a schematic structural diagram of a computer device for implementing the group detection method according to the preferred embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in detail with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a flow chart of a preferred embodiment of the group detection method of the present invention. The order of the steps in the flow chart may be changed and some steps may be omitted according to different needs.
The group detection method is applied to one or more computer devices, which are devices capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions, and the hardware thereof includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The computer device may be any electronic product capable of performing human-computer interaction with a user, for example, a Personal computer, a tablet computer, a smart phone, a Personal Digital Assistant (PDA), a game machine, an interactive web Television (IPTV), an intelligent wearable device, and the like.
The computer device may also include a network device and/or a user device. The network device includes, but is not limited to, a single network server, a server group consisting of a plurality of network servers, or a Cloud Computing (Cloud Computing) based Cloud consisting of a large number of hosts or network servers.
The Network in which the computer device is located includes, but is not limited to, the internet, a wide area Network, a metropolitan area Network, a local area Network, a Virtual Private Network (VPN), and the like.
And S10, responding to the group detection command, and acquiring the data to be detected according to the group detection command.
In at least one embodiment of the present invention, the group detection command may be triggered by a worker in charge of security protection, or may be triggered by a developer, which is not limited by the present invention.
Of course, to ensure effective and timely protection, the group detection command may also be configured to trigger periodically.
In at least one embodiment of the present invention, the acquiring data to be detected according to the group detection instruction includes:
analyzing the group partner detection command to obtain the information carried by the group partner detection command;
acquiring a preset label;
constructing a regular expression according to the preset label;
traversing information carried by the group detection instruction by using the regular expression, and determining the traversed information matched with the regular expression as a target application identifier;
determining a target application according to the target application identifier;
acquiring a buried point log and an access log of the target application;
and acquiring the data to be detected from the embedded point log and the access log.
The preset tag can be configured in a user-defined mode, corresponds to the application identifier and is used for uniquely marking one application program.
For example: the preset tag may be configured as an AppID, and then the regular expression established according to the preset tag may be an AppID ().
Further, traversing information carried by the group partner detection instruction by using the regular expression AppID (), determining the traversed information matched with the regular expression AppID () as the target application identifier, and further determining an application program with the target application identifier as the target application.
Through the embodiment, the required data can be acquired based on the labels and the regular expressions, and due to the uniqueness of the labels, the data acquisition efficiency is improved, and meanwhile, the accuracy of the acquired data is guaranteed.
In this embodiment, data such as a user ID, an IP (Internet Protocol) address, a WiFi (Wireless Fidelity, Wireless Access Channel) address, and the like may be acquired from the embedded log as the data to be detected.
In this embodiment, data such as a user identifier, an access request, a requested account, a requested incoming number, and an accessed URL (Uniform Resource locator) may be acquired from the access log as the data to be detected.
And S11, extracting a main body from the data to be detected and the corresponding incidence relation of the main body.
Specifically, the extracting a main body from the data to be detected, and the association relationship corresponding to the main body includes:
acquiring a user ID from the buried point log, and determining a target user as the main body according to the user ID;
acquiring an access request of the subject to the target application from the access log;
obtaining a cookie, a token and a user-agent from a request header of the access request;
randomly extracting from the cookie, token and user-agent to perform MD5(message-digest algorithm 5) operation, and generating a main body identification code of the main body;
obtaining the operation behavior of the main body and the occurrence time of the operation behavior from the access log;
and constructing an association relation corresponding to the main body according to the operation behavior of the main body and the occurrence time of the operation behavior.
In this embodiment, the generated main body identification code has the uniqueness of hash coding, and since data is randomly extracted from the cookie, token, and user-agent for MD5 operation, the generated main body identification code also has randomness and higher security.
Of course, in other embodiments, data may be extracted from the device ID to perform MD5 operation, which is not limited by the present invention.
In this embodiment, when the operation behavior of the main body and the occurrence time of the operation behavior are obtained from the access log, what operation is performed by the target user at what time may be identified through different URI (Uniform Resource Identifier) interfaces based on arrangement of a service Interface API (Application Programming Interface), and "what operation is performed by the target user at what time" may be used as an association relationship corresponding to the main body.
And S12, determining the main body as a node, and constructing a target relation graph according to the incidence relation corresponding to the main body.
In at least one embodiment of the present invention, the number of the main bodies may be at least one, and the determining the main bodies as nodes and constructing the target relationship graph according to the association relationship corresponding to the main bodies includes:
determining each main body in the main bodies as a starting point of aggregation, and acquiring the association relation of each main body from the association relation corresponding to the main bodies;
and according to the main body identification code of each main body, adopting spark streaming technology to aggregate the association relation of each main body in a preset time window to obtain the target relation graph.
The preset time window may be configured by self-definition, for example, the size of the preset time window may be 5 minutes.
In this embodiment, since the association relationship includes occurrence time, the target relationship diagram is a time slice association diagram.
And S13, calling a pre-established overall relational graph, and updating the target relational graph to the overall relational graph.
In this embodiment, the general relationship graph is a general relationship graph including comprehensive relationship data, and the general relationship graph is constantly updated to ensure a high coverage.
In at least one embodiment of the present invention, the updating the target relationship graph to the overall relationship graph includes:
comparing the nodes in the target relational graph with the nodes in the total relational graph to obtain a first comparison result;
acquiring nodes which are not in the total relational graph from the target relational graph as nodes to be added according to the first comparison result, and acquiring edges of the nodes to be added;
updating the nodes to be added and the edges of the nodes to be added to the general relationship graph;
determining other nodes except the node to be added in the target relation graph as alternative nodes, and acquiring edges of the alternative nodes;
comparing the edges of the alternative nodes with the edges in the general relationship graph to obtain a second comparison result;
acquiring edges which are not included in the total relation graph from the edges of the alternative nodes according to the second comparison result to serve as edges to be added;
and updating the edge to be added to the general relationship graph.
Through the embodiment, the incremental updating of the general relation graph can be realized, so that the data in the general relation graph is more comprehensive, the coverage is wider, the practicability of the data is further improved, an effective data base is provided for subsequent risk community identification, and the subsequent identification is more accurate and reliable.
In addition, through incremental updating, the problems of overlong map calculation period and the like are solved, and the problems of untimely group discovery and the like are further avoided.
And S14, performing data fusion on the updated general relationship graph to obtain at least one community.
In at least one embodiment of the present invention, the performing data fusion on the updated overall relationship graph to obtain at least one community includes:
identifying nodes which access the same equipment, access the same order or are in the same WiFi MAC from the updated general relationship graph to obtain an identification result;
dividing the nodes in the updated general relation graph into at least one category according to the identification result;
and respectively constructing a communication subgraph by using the nodes of each category and the corresponding edges to obtain the at least one community.
For example: and when 20 nodes in the updated general relationship graph are detected to access the same device, constructing a communication subgraph by using the 20 nodes and the edges corresponding to the 20 nodes, and using the communication subgraph as one community.
It will be appreciated that there may also be one node that has accessed both a device with other nodes and an order with other nodes, and thus there may be cross-overs between communities.
Through the embodiment, communities can be constructed based on the common attributes of the nodes, and the subsequent targeted risk identification of each community is facilitated.
And S15, for each community in the at least one community, propagating in each community by adopting a preset label propagation algorithm to obtain a candidate community.
The initial node of the preset label propagation algorithm is predetermined, and the preset label propagation algorithm is propagated based on the weight of the edge.
In at least one embodiment of the present invention, the propagating in each community by using a preset tag propagation algorithm to obtain candidate communities includes:
when the first transmission is executed, traversing all nodes in each community by adopting a k-core algorithm, and determining the nodes with the incomes larger than a configuration threshold value as initial nodes; or when the first transmission is not executed, determining the known risk node as the initial node;
calculating the weight of each edge in each community;
starting from the initial node, performing breadth-first traversal according to the weight of each edge in each community until each node in each community is traversed, and stopping traversal to obtain a label of each node in each community;
and determining communities corresponding to the nodes with the abnormal labels as the candidate communities.
Specifically, the following formula can be used to calculate the weight of each edge in each community:
W=∑p*k/∑k
wherein, W represents the weight, k represents the number of the involved interfaces, and p represents the value range of the weight of each interface as [0,1 ].
In the above embodiment, the traversal efficiency is effectively improved by performing traversal with the risk node as the starting point, and meanwhile, the accuracy is effectively improved by performing traversal in combination with the weight.
In the embodiment, the preset label propagation algorithm is adopted to propagate in each community, and due to the strong correlation of the map, the advantages of strong interpretability of the map and abnormal correlation found by the algorithm are fully exerted, and meanwhile, the recognition is quicker and more accurate by combining the preset label propagation algorithm.
And S16, screening the candidate communities to obtain risk communities.
In at least one embodiment of the present invention, the screening the candidate communities to obtain risk communities includes:
acquiring the access duplicate removal account number and the access duplicate removal part number of each node in each candidate community;
calculating the risk value of each node according to the number of the duplicate removal account numbers and the number of the duplicate removal entry numbers accessed by each node;
calculating the average value of all nodes in each candidate community according to the risk value of each node to obtain the risk value of each candidate community;
determining a candidate community having the risk value greater than or equal to a configured risk value as the risk community.
Specifically, the risk value of each node is calculated according to the number of the deduplication accounts and the number of the deduplication advances accessed by each node by adopting the following formula:
R=(0.3*R1+0.3*R2+0.4*R3)*100
wherein R represents a risk value of a node;
r3 is the weighted average of all access interfaces.
Wherein the configured risk value can be custom configured, such as 70.
Through the embodiment, secondary screening of the risk communities is performed, and the accuracy of group detection is further improved.
In at least one embodiment of the invention, after the risk community is obtained, the risk community is reported to assist in prompting policy attack on the risk community, so that the security of data is protected.
Further, the identified risk communities can form analysis reports through association visualization of the maps, relevant risk management and control platforms are automatically checked, and wind control rule early warning is formed.
It should be noted that, in order to further improve the security of the data and avoid malicious tampering of the data, the risk community may be stored in the blockchain node.
According to the technical scheme, the method can respond to the group detection instruction, acquire the data to be detected according to the group detection instruction, extract the main body and the incidence relation corresponding to the main body from the data to be detected, determine the main body as the node, construct the target relation graph according to the incidence relation corresponding to the main body, call the pre-established total relation graph, update the target relation graph to the total relation graph, realize the incremental update of the total relation graph, enable the data in the total relation graph to be more comprehensive and wider in coverage, further improve the practicability of the data, provide an effective data base for subsequent risk community identification, enable the subsequent identification to be more accurate and reliable, perform data fusion on the updated total relation graph to obtain at least one community, and facilitate the subsequent targeted risk identification of each community, for each community in the at least one community, the initial node of the preset label propagation algorithm is predetermined, the preset label propagation algorithm is propagated based on the weight of the edge, the preset label propagation algorithm is adopted to propagate in each community to obtain a candidate community, the candidate community is screened to obtain a risk community, and then the detection of the risk community is realized by combining the preset label propagation algorithm and the relation graph, so that the detection efficiency is improved, the detection result is more accurate, and the safety is higher.
Fig. 2 is a functional block diagram of a preferred embodiment of the group detection apparatus of the present invention. The group detection device 11 comprises an acquisition unit 110, an extraction unit 111, a construction unit 112, an update unit 113, a fusion unit 114, a propagation unit 115 and a screening unit 116. The module/unit referred to in the present invention refers to a series of computer program segments that can be executed by the processor 13 and that can perform a fixed function, and that are stored in the memory 12. In the present embodiment, the functions of the modules/units will be described in detail in the following embodiments.
In response to the group detection command, the obtaining unit 110 obtains the data to be detected according to the group detection command.
In at least one embodiment of the present invention, the group detection command may be triggered by a worker in charge of security protection, or may be triggered by a developer, which is not limited by the present invention.
Of course, to ensure effective and timely protection, the group detection command may also be configured to trigger periodically.
In at least one embodiment of the present invention, the obtaining unit 110 obtains the data to be detected according to the group detection instruction includes:
analyzing the group partner detection command to obtain the information carried by the group partner detection command;
acquiring a preset label;
constructing a regular expression according to the preset label;
traversing information carried by the group detection instruction by using the regular expression, and determining the traversed information matched with the regular expression as a target application identifier;
determining a target application according to the target application identifier;
acquiring a buried point log and an access log of the target application;
and acquiring the data to be detected from the embedded point log and the access log.
The preset tag can be configured in a user-defined mode, corresponds to the application identifier and is used for uniquely marking one application program.
For example: the preset tag may be configured as an AppID, and then the regular expression established according to the preset tag may be an AppID ().
Further, traversing information carried by the group partner detection instruction by using the regular expression AppID (), determining the traversed information matched with the regular expression AppID () as the target application identifier, and further determining an application program with the target application identifier as the target application.
Through the embodiment, the required data can be acquired based on the labels and the regular expressions, and due to the uniqueness of the labels, the data acquisition efficiency is improved, and meanwhile, the accuracy of the acquired data is guaranteed.
In this embodiment, data such as a user ID, an IP (Internet Protocol) address, a WiFi (Wireless Fidelity, Wireless Access Channel) address, and the like may be acquired from the embedded log as the data to be detected.
In this embodiment, data such as a user identifier, an access request, a requested account, a requested incoming number, and an accessed URL (Uniform Resource locator) may be acquired from the access log as the data to be detected.
The extracting unit 111 extracts the main body and the association relation corresponding to the main body from the data to be detected.
Specifically, the extracting unit 111 extracts a main body from the data to be detected, and the association relationship corresponding to the main body includes:
acquiring a user ID from the buried point log, and determining a target user as the main body according to the user ID;
acquiring an access request of the subject to the target application from the access log;
obtaining a cookie, a token and a user-agent from a request header of the access request;
randomly extracting from the cookie, token and user-agent to perform MD5(message-digest algorithm 5) operation, and generating a main body identification code of the main body;
obtaining the operation behavior of the main body and the occurrence time of the operation behavior from the access log;
and constructing an association relation corresponding to the main body according to the operation behavior of the main body and the occurrence time of the operation behavior.
In this embodiment, the generated main body identification code has the uniqueness of hash coding, and since data is randomly extracted from the cookie, token, and user-agent for MD5 operation, the generated main body identification code also has randomness and higher security.
Of course, in other embodiments, data may be extracted from the device ID to perform MD5 operation, which is not limited by the present invention.
In this embodiment, when the operation behavior of the main body and the occurrence time of the operation behavior are obtained from the access log, what operation is performed by the target user at what time may be identified through different URI (Uniform Resource Identifier) interfaces based on arrangement of a service Interface API (Application Programming Interface), and "what operation is performed by the target user at what time" may be used as an association relationship corresponding to the main body.
The construction unit 112 determines the subject as a node, and constructs a target relationship graph according to the association relationship corresponding to the subject.
In at least one embodiment of the present invention, the number of the main bodies may be at least one, the constructing unit 112 determines the main bodies as nodes, and constructing the target relationship graph according to the association relationship corresponding to the main bodies includes:
determining each main body in the main bodies as a starting point of aggregation, and acquiring the association relation of each main body from the association relation corresponding to the main bodies;
and according to the main body identification code of each main body, adopting spark streaming technology to aggregate the association relation of each main body in a preset time window to obtain the target relation graph.
The preset time window may be configured by self-definition, for example, the size of the preset time window may be 5 minutes.
In this embodiment, since the association relationship includes occurrence time, the target relationship diagram is a time slice association diagram.
The updating unit 113 retrieves a pre-established overall relationship graph and updates the target relationship graph to the overall relationship graph.
In this embodiment, the general relationship graph is a general relationship graph including comprehensive relationship data, and the general relationship graph is constantly updated to ensure a high coverage.
In at least one embodiment of the present invention, the updating unit 113 updating the target relationship graph to the overall relationship graph includes:
comparing the nodes in the target relational graph with the nodes in the total relational graph to obtain a first comparison result;
acquiring nodes which are not in the total relational graph from the target relational graph as nodes to be added according to the first comparison result, and acquiring edges of the nodes to be added;
updating the nodes to be added and the edges of the nodes to be added to the general relationship graph;
determining other nodes except the node to be added in the target relation graph as alternative nodes, and acquiring edges of the alternative nodes;
comparing the edges of the alternative nodes with the edges in the general relationship graph to obtain a second comparison result;
acquiring edges which are not included in the total relation graph from the edges of the alternative nodes according to the second comparison result to serve as edges to be added;
and updating the edge to be added to the general relationship graph.
Through the embodiment, the incremental updating of the general relation graph can be realized, so that the data in the general relation graph is more comprehensive, the coverage is wider, the practicability of the data is further improved, an effective data base is provided for subsequent risk community identification, and the subsequent identification is more accurate and reliable.
In addition, through incremental updating, the problems of overlong map calculation period and the like are solved, and the problems of untimely group discovery and the like are further avoided.
The fusion unit 114 performs data fusion on the updated overall relationship graph to obtain at least one community.
In at least one embodiment of the present invention, the fusing unit 114 performs data fusion on the updated overall relationship graph to obtain at least one community, where the step includes:
identifying nodes which access the same equipment, access the same order or are in the same WiFi MAC from the updated general relationship graph to obtain an identification result;
dividing the nodes in the updated general relation graph into at least one category according to the identification result;
and respectively constructing a communication subgraph by using the nodes of each category and the corresponding edges to obtain the at least one community.
For example: and when 20 nodes in the updated general relationship graph are detected to access the same device, constructing a communication subgraph by using the 20 nodes and the edges corresponding to the 20 nodes, and using the communication subgraph as one community.
It will be appreciated that there may also be one node that has accessed both a device with other nodes and an order with other nodes, and thus there may be cross-overs between communities.
Through the embodiment, communities can be constructed based on the common attributes of the nodes, and the subsequent targeted risk identification of each community is facilitated.
For each community in the at least one community, the propagation unit 115 performs propagation in each community by using a preset tag propagation algorithm to obtain a candidate community.
The initial node of the preset label propagation algorithm is predetermined, and the preset label propagation algorithm is propagated based on the weight of the edge.
In at least one embodiment of the present invention, the propagating unit 115 performs propagation in each community by using a preset tag propagation algorithm, and obtaining candidate communities includes:
when the first transmission is executed, traversing all nodes in each community by adopting a k-core algorithm, and determining the nodes with the incomes larger than a configuration threshold value as initial nodes; or when the first transmission is not executed, determining the known risk node as the initial node;
calculating the weight of each edge in each community;
starting from the initial node, performing breadth-first traversal according to the weight of each edge in each community until each node in each community is traversed, and stopping traversal to obtain a label of each node in each community;
and determining communities corresponding to the nodes with the abnormal labels as the candidate communities.
Specifically, the following formula can be used to calculate the weight of each edge in each community:
W=∑p*k/∑k
wherein, W represents the weight, k represents the number of the involved interfaces, and p represents the value range of the weight of each interface as [0,1 ].
In the above embodiment, the traversal efficiency is effectively improved by performing traversal with the risk node as the starting point, and meanwhile, the accuracy is effectively improved by performing traversal in combination with the weight.
In the embodiment, the preset label propagation algorithm is adopted to propagate in each community, and due to the strong correlation of the map, the advantages of strong interpretability of the map and abnormal correlation found by the algorithm are fully exerted, and meanwhile, the recognition is quicker and more accurate by combining the preset label propagation algorithm.
The screening unit 116 screens the candidate communities to obtain risk communities.
In at least one embodiment of the present invention, the screening unit 116 screens the candidate communities to obtain risk communities, which includes:
acquiring the access duplicate removal account number and the access duplicate removal part number of each node in each candidate community;
calculating the risk value of each node according to the number of the duplicate removal account numbers and the number of the duplicate removal entry numbers accessed by each node;
calculating the average value of all nodes in each candidate community according to the risk value of each node to obtain the risk value of each candidate community;
determining a candidate community having the risk value greater than or equal to a configured risk value as the risk community.
Specifically, the risk value of each node is calculated according to the number of the deduplication accounts and the number of the deduplication advances accessed by each node by adopting the following formula:
R=(0.3*R1+0.3*R2+0.4*R3)*100
wherein R represents a risk value of a node;
r3 is the weighted average of all access interfaces.
Wherein the configured risk value can be custom configured, such as 70.
Through the embodiment, secondary screening of the risk communities is performed, and the accuracy of group detection is further improved.
In at least one embodiment of the invention, after the risk community is obtained, the risk community is reported to assist in prompting policy attack on the risk community, so that the security of data is protected.
Further, the identified risk communities can form analysis reports through association visualization of the maps, relevant risk management and control platforms are automatically checked, and wind control rule early warning is formed.
It should be noted that, in order to further improve the security of the data and avoid malicious tampering of the data, the risk community may be stored in the blockchain node.
According to the technical scheme, the method can respond to the group detection instruction, acquire the data to be detected according to the group detection instruction, extract the main body and the incidence relation corresponding to the main body from the data to be detected, determine the main body as the node, construct the target relation graph according to the incidence relation corresponding to the main body, call the pre-established total relation graph, update the target relation graph to the total relation graph, realize the incremental update of the total relation graph, enable the data in the total relation graph to be more comprehensive and wider in coverage, further improve the practicability of the data, provide an effective data base for subsequent risk community identification, enable the subsequent identification to be more accurate and reliable, perform data fusion on the updated total relation graph to obtain at least one community, and facilitate the subsequent targeted risk identification of each community, for each community in the at least one community, the initial node of the preset label propagation algorithm is predetermined, the preset label propagation algorithm is propagated based on the weight of the edge, the preset label propagation algorithm is adopted to propagate in each community to obtain a candidate community, the candidate community is screened to obtain a risk community, and then the detection of the risk community is realized by combining the preset label propagation algorithm and the relation graph, so that the detection efficiency is improved, the detection result is more accurate, and the safety is higher.
Fig. 3 is a schematic structural diagram of a computer device for implementing the group partner detection method according to the preferred embodiment of the present invention.
The computer device 1 may comprise a memory 12, a processor 13 and a bus, and may further comprise a computer program, such as a group detection program, stored in the memory 12 and executable on the processor 13.
It will be understood by those skilled in the art that the schematic diagram is merely an example of the computer device 1, and does not constitute a limitation to the computer device 1, the computer device 1 may have a bus-type structure or a star-shaped structure, the computer device 1 may further include more or less other hardware or software than those shown, or different component arrangements, for example, the computer device 1 may further include an input and output device, a network access device, etc.
It should be noted that the computer device 1 is only an example, and other electronic products that are currently available or may come into existence in the future, such as electronic products that can be adapted to the present invention, should also be included in the scope of the present invention, and are included herein by reference.
The memory 12 includes at least one type of readable storage medium, which includes flash memory, removable hard disks, multimedia cards, card-type memory (e.g., SD or DX memory, etc.), magnetic memory, magnetic disks, optical disks, etc. The memory 12 may in some embodiments be an internal storage unit of the computer device 1, for example a removable hard disk of the computer device 1. The memory 12 may also be an external storage device of the computer device 1 in other embodiments, such as a plug-in removable hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), etc. provided on the computer device 1. Further, the memory 12 may also include both an internal storage unit and an external storage device of the computer device 1. The memory 12 may be used not only for storing application software installed in the computer device 1 and various types of data, such as codes of a group detection program, etc., but also for temporarily storing data that has been output or is to be output.
The processor 13 may be composed of an integrated circuit in some embodiments, for example, a single packaged integrated circuit, or may be composed of a plurality of integrated circuits packaged with the same or different functions, including one or more Central Processing Units (CPUs), microprocessors, digital Processing chips, graphics processors, and combinations of various control chips. The processor 13 is a Control Unit (Control Unit) of the computer device 1, connects various components of the whole computer device 1 by using various interfaces and lines, and executes various functions and processes data of the computer device 1 by running or executing programs or modules (for example, executing a group detection program and the like) stored in the memory 12 and calling data stored in the memory 12.
The processor 13 executes the operating system of the computer device 1 and various installed application programs. The processor 13 executes the application to implement the steps of the various embodiments of a group detection method described above, such as the steps shown in fig. 1.
Illustratively, the computer program may be divided into one or more modules/units, which are stored in the memory 12 and executed by the processor 13 to accomplish the present invention. The one or more modules/units may be a series of computer readable instruction segments capable of performing certain functions, which are used to describe the execution of the computer program in the computer device 1. For example, the computer program may be divided into an acquisition unit 110, an extraction unit 111, a construction unit 112, an update unit 113, a fusion unit 114, a propagation unit 115, a filtering unit 116.
The integrated unit implemented in the form of a software functional module may be stored in a computer-readable storage medium. The software functional module is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a computer device, or a network device) or a processor (processor) to execute parts of the group detection method according to the embodiments of the present invention.
The integrated modules/units of the computer device 1 may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as separate products. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented.
Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, U-disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), random-access Memory, or the like.
Further, the computer-readable storage medium may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to the use of the blockchain node, and the like.
The block chain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism, an encryption algorithm and the like. A block chain (Blockchain), which is essentially a decentralized database, is a series of data blocks associated by using a cryptographic method, and each data block contains information of a batch of network transactions, so as to verify the validity (anti-counterfeiting) of the information and generate a next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
The bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one line is shown in FIG. 3, but this does not mean only one bus or one type of bus. The bus is arranged to enable connection communication between the memory 12 and at least one processor 13 or the like.
Although not shown, the computer device 1 may further include a power supply (such as a battery) for supplying power to each component, and preferably, the power supply may be logically connected to the at least one processor 13 through a power management device, so that functions of charge management, discharge management, power consumption management and the like are realized through the power management device. The power supply may also include any component of one or more dc or ac power sources, recharging devices, power failure detection circuitry, power converters or inverters, power status indicators, and the like. The computer device 1 may further include various sensors, a bluetooth module, a Wi-Fi module, and the like, which are not described herein again.
Further, the computer device 1 may further include a network interface, and optionally, the network interface may include a wired interface and/or a wireless interface (such as a WI-FI interface, a bluetooth interface, etc.), which are generally used for establishing a communication connection between the computer device 1 and other computer devices.
Optionally, the computer device 1 may further comprise a user interface, which may be a Display (Display), an input unit, such as a Keyboard (Keyboard), and optionally a standard wired interface, a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable for displaying information processed in the computer device 1 and for displaying a visualized user interface.
It is to be understood that the described embodiments are for purposes of illustration only and that the scope of the appended claims is not limited to such structures.
Fig. 3 shows only the computer device 1 with the components 12-13, and it will be understood by a person skilled in the art that the structure shown in fig. 3 does not constitute a limitation of the computer device 1 and may comprise fewer or more components than shown, or a combination of certain components, or a different arrangement of components.
In connection with fig. 1, the memory 12 in the computer device 1 stores a plurality of instructions to implement a group detection method, and the processor 13 is executable by the plurality of instructions to implement:
responding to a group partner detection instruction, and acquiring data to be detected according to the group partner detection instruction;
extracting a main body and an incidence relation corresponding to the main body from the data to be detected;
determining the main body as a node, and constructing a target relation graph according to the incidence relation corresponding to the main body;
calling a pre-established overall relation graph, and updating the target relation graph to the overall relation graph;
performing data fusion on the updated general relationship graph to obtain at least one community;
for each community in the at least one community, propagating in each community by adopting a preset label propagation algorithm to obtain a candidate community, wherein an initial node of the preset label propagation algorithm is predetermined, and the preset label propagation algorithm is propagated based on the weight of the edge;
and screening the candidate communities to obtain the risk communities.
Specifically, the processor 13 may refer to the description of the relevant steps in the embodiment corresponding to fig. 1 for a specific implementation method of the instruction, which is not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof.
The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the present invention may also be implemented by one unit or means through software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.
Claims (10)
1. A group detection method, characterized in that the group detection method comprises:
responding to a group partner detection instruction, and acquiring data to be detected according to the group partner detection instruction;
extracting a main body and an incidence relation corresponding to the main body from the data to be detected;
determining the main body as a node, and constructing a target relation graph according to the incidence relation corresponding to the main body;
calling a pre-established overall relation graph, and updating the target relation graph to the overall relation graph;
performing data fusion on the updated general relationship graph to obtain at least one community;
for each community in the at least one community, propagating in each community by adopting a preset label propagation algorithm to obtain a candidate community, wherein an initial node of the preset label propagation algorithm is predetermined, and the preset label propagation algorithm is propagated based on the weight of the edge;
and screening the candidate communities to obtain the risk communities.
2. The partnership detection method of claim 1, wherein the obtaining data to be detected according to the partnership detection instructions comprises:
analyzing the group partner detection command to obtain the information carried by the group partner detection command;
acquiring a preset label;
constructing a regular expression according to the preset label;
traversing information carried by the group detection instruction by using the regular expression, and determining the traversed information matched with the regular expression as a target application identifier;
determining a target application according to the target application identifier;
acquiring a buried point log and an access log of the target application;
and acquiring the data to be detected from the embedded point log and the access log.
3. The gang detection method of claim 2, wherein the extracting a main body from the data to be detected and the association relationship corresponding to the main body comprises:
acquiring a user ID from the buried point log, and determining a target user as the main body according to the user ID;
acquiring an access request of the subject to the target application from the access log;
obtaining a cookie, a token and a user-agent from a request header of the access request;
randomly extracting from the cookie, token and user-agent to perform MD5 operation, and generating a main body identification code of the main body;
obtaining the operation behavior of the main body and the occurrence time of the operation behavior from the access log;
and constructing an association relation corresponding to the main body according to the operation behavior of the main body and the occurrence time of the operation behavior.
4. The partnership detection method of claim 1, wherein the updating the target relationship graph to the overall relationship graph comprises:
comparing the nodes in the target relational graph with the nodes in the total relational graph to obtain a first comparison result;
acquiring nodes which are not in the total relational graph from the target relational graph as nodes to be added according to the first comparison result, and acquiring edges of the nodes to be added;
updating the nodes to be added and the edges of the nodes to be added to the general relationship graph;
determining other nodes except the node to be added in the target relation graph as alternative nodes, and acquiring edges of the alternative nodes;
comparing the edges of the alternative nodes with the edges in the general relationship graph to obtain a second comparison result;
acquiring edges which are not included in the total relation graph from the edges of the alternative nodes according to the second comparison result to serve as edges to be added;
and updating the edge to be added to the general relationship graph.
5. The group detection method according to claim 1, wherein the data fusion of the updated overall relationship graph to obtain at least one community comprises:
identifying nodes which access the same equipment, access the same order or are in the same WiFiMAC from the updated general relationship graph to obtain an identification result;
dividing the nodes in the updated general relation graph into at least one category according to the identification result;
and respectively constructing a communication subgraph by using the nodes of each category and the corresponding edges to obtain the at least one community.
6. The method as claimed in claim 1, wherein the propagating in each community by using a preset label propagation algorithm to obtain the candidate communities comprises:
when the first transmission is executed, traversing all nodes in each community by adopting a k-core algorithm, and determining the nodes with the incomes larger than a configuration threshold value as initial nodes; or when the first transmission is not executed, determining the known risk node as the initial node;
calculating the weight of each edge in each community;
starting from the initial node, performing breadth-first traversal according to the weight of each edge in each community until each node in each community is traversed, and stopping traversal to obtain a label of each node in each community;
and determining communities corresponding to the nodes with the abnormal labels as the candidate communities.
7. The partnership detection method of claim 1, wherein the screening of the candidate communities to obtain risk communities comprises:
acquiring the access duplicate removal account number and the access duplicate removal part number of each node in each candidate community;
calculating the risk value of each node according to the number of the duplicate removal account numbers and the number of the duplicate removal entry numbers accessed by each node;
calculating the average value of all nodes in each candidate community according to the risk value of each node to obtain the risk value of each candidate community;
determining a candidate community having the risk value greater than or equal to a configured risk value as the risk community.
8. A partnership detection arrangement, characterized in that it comprises:
the acquiring unit is used for responding to the group detection command and acquiring the data to be detected according to the group detection command;
the extraction unit is used for extracting a main body and an incidence relation corresponding to the main body from the data to be detected;
the construction unit is used for determining the main body as a node and constructing a target relation graph according to the incidence relation corresponding to the main body;
the updating unit is used for calling a pre-established overall relation graph and updating the target relation graph to the overall relation graph;
the fusion unit is used for carrying out data fusion on the updated general relation graph to obtain at least one community;
the propagation unit is used for propagating each community in the at least one community in each community by adopting a preset label propagation algorithm to obtain a candidate community, wherein an initial node of the preset label propagation algorithm is predetermined, and the preset label propagation algorithm is propagated based on the weight of the edge;
and the screening unit is used for screening the candidate communities to obtain the risk communities.
9. A computer device, characterized in that the computer device comprises:
a memory storing at least one instruction; and
a processor executing instructions stored in the memory to implement a group detection method as claimed in any one of claims 1 to 7.
10. A computer-readable storage medium characterized by: the computer-readable storage medium having stored therein at least one instruction for execution by a processor in a computer device to implement a group detection method as claimed in any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110725939.4A CN113344697A (en) | 2021-06-29 | 2021-06-29 | Group partner detection method, device, equipment and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110725939.4A CN113344697A (en) | 2021-06-29 | 2021-06-29 | Group partner detection method, device, equipment and medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113344697A true CN113344697A (en) | 2021-09-03 |
Family
ID=77481297
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110725939.4A Pending CN113344697A (en) | 2021-06-29 | 2021-06-29 | Group partner detection method, device, equipment and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113344697A (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107194623A (en) * | 2017-07-20 | 2017-09-22 | 深圳市分期乐网络科技有限公司 | A kind of discovery method and device of clique's fraud |
| CN108681936A (en) * | 2018-04-26 | 2018-10-19 | 浙江邦盛科技有限公司 | A kind of fraud clique recognition methods propagated based on modularity and balance label |
| CN111401775A (en) * | 2020-03-27 | 2020-07-10 | 深圳壹账通智能科技有限公司 | Information analysis method, device, equipment and storage medium of complex relation network |
| CN111475736A (en) * | 2020-03-18 | 2020-07-31 | 华为技术有限公司 | Community mining method, device and server |
| CN111738817A (en) * | 2020-05-15 | 2020-10-02 | 苏宁金融科技(南京)有限公司 | Method and system for identifying risk community |
| CN112350989A (en) * | 2020-09-21 | 2021-02-09 | 西安交大捷普网络科技有限公司 | Log data analysis method |
-
2021
- 2021-06-29 CN CN202110725939.4A patent/CN113344697A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107194623A (en) * | 2017-07-20 | 2017-09-22 | 深圳市分期乐网络科技有限公司 | A kind of discovery method and device of clique's fraud |
| CN108681936A (en) * | 2018-04-26 | 2018-10-19 | 浙江邦盛科技有限公司 | A kind of fraud clique recognition methods propagated based on modularity and balance label |
| CN111475736A (en) * | 2020-03-18 | 2020-07-31 | 华为技术有限公司 | Community mining method, device and server |
| CN111401775A (en) * | 2020-03-27 | 2020-07-10 | 深圳壹账通智能科技有限公司 | Information analysis method, device, equipment and storage medium of complex relation network |
| CN111738817A (en) * | 2020-05-15 | 2020-10-02 | 苏宁金融科技(南京)有限公司 | Method and system for identifying risk community |
| CN112350989A (en) * | 2020-09-21 | 2021-02-09 | 西安交大捷普网络科技有限公司 | Log data analysis method |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111901327B (en) | Cloud network vulnerability mining method and device, electronic equipment and medium | |
| CN112507936B (en) | Image information auditing method and device, electronic equipment and readable storage medium | |
| CN111262851A (en) | DDOS attack detection method and device, electronic equipment and storage medium | |
| CN111950621A (en) | Target data detection method, device, equipment and medium based on artificial intelligence | |
| CN112559831A (en) | Link monitoring method and device, computer equipment and medium | |
| CN113364753A (en) | Anti-crawler method and device, electronic equipment and computer readable storage medium | |
| CN112084486A (en) | User information verification method and device, electronic equipment and storage medium | |
| CN115081538A (en) | Customer relationship identification method, device, equipment and medium based on machine learning | |
| CN111985545A (en) | Target data detection method, device, equipment and medium based on artificial intelligence | |
| CN111694843A (en) | Missing number detection method and device, electronic equipment and storage medium | |
| CN112396547B (en) | Course recommendation method, device, equipment and medium based on unsupervised learning | |
| CN112700261B (en) | Method, device, equipment and medium for detecting single file of brushing on basis of suspicious communities | |
| CN112866285B (en) | Gateway interception method and device, electronic equipment and storage medium | |
| CN112017763B (en) | Medical image data transmission method, device, equipment and medium | |
| CN113176968A (en) | Safety test method, device and storage medium based on interface parameter classification | |
| CN115119197B (en) | Wireless network risk analysis method, device, equipment and medium based on big data | |
| CN114697132B (en) | Method, device, equipment and storage medium for intercepting repeated access request attack | |
| CN114268559B (en) | Directional network detection method, device, equipment and medium based on TF-IDF algorithm | |
| CN113344697A (en) | Group partner detection method, device, equipment and medium | |
| CN112330080B (en) | Factor screening method, device, equipment and medium based on connectivity graph | |
| CN112560721B (en) | Non-perception model switching method and device, electronic equipment and storage medium | |
| CN114372892A (en) | Payment data monitoring method, device, equipment and medium | |
| CN112597490A (en) | Security threat arrangement response method and device, electronic equipment and readable storage medium | |
| CN113657546A (en) | Information classification method and device, electronic equipment and readable storage medium | |
| CN113936313B (en) | Method, device, equipment and storage medium for detecting out-of-account borrowing of website employee account |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20210903 |
|
| WD01 | Invention patent application deemed withdrawn after publication |