CN113506045A - Risk user identification method, device, equipment and medium based on mobile equipment - Google Patents

Publication number: CN113506045A
Authority: CN (China)
Prior art keywords: data, historical, user, abnormal, mobile equipment
Legal status: Pending
Application number: CN202110910485.8A
Other languages: Chinese (zh)
Inventor: 骆昕艳
Current Assignee: Ping An Bank Co Ltd
Original Assignee: Ping An Bank Co Ltd
Application filed by Ping An Bank Co Ltd
Priority to CN202110910485.8A
Publication of CN113506045A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00: Administration; Management
    • G06Q10/06: Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063: Operations research, analysis or management
    • G06Q10/0635: Risk analysis of enterprise or organisation activities
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27: Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/21: Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/211: Selection of the most significant subset of features
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/22: Matching criteria, e.g. proximity measures


Abstract

The invention relates to the field of security monitoring, and discloses a risk user identification method based on mobile equipment, which comprises the following steps: configuring a data embedding control in the mobile equipment, and acquiring historical user data of a historical user in the mobile equipment according to the data embedding control; performing feature extraction and vector conversion on historical user data to obtain historical feature vectors; detecting abnormal data points of the historical characteristic vector by using an abnormal point detection model, and identifying the abnormal historical characteristic vector of the historical characteristic vector according to the abnormal data points; receiving current user data of a current user on mobile equipment, and performing feature extraction and vector conversion on the current user data to obtain a current feature vector; and calculating the similarity of the abnormal historical feature vector and the current feature vector to identify the risk coefficient of the current user in the mobile equipment. Furthermore, the invention relates to a blockchain technique, wherein the historical characteristic data can be stored in the blockchain. The invention can improve the identification capability of the risk user under the mobile equipment.

Description

Risk user identification method, device, equipment and medium based on mobile equipment
Technical Field
The present invention relates to the field of security monitoring, and in particular, to a method and an apparatus for identifying a risky user based on a mobile device, an electronic device, and a computer-readable storage medium.
Background
With the continuous development of information technology, mobile devices (such as smart phones, tablets and the like) have become mainstream, and because the mobile devices have the characteristics of being light and easy to carry and have the functions of meeting the daily life requirements of people, such as internet surfing, conversation, chatting and the like, the mobile devices have become an indispensable part of the daily life of people.
The increasing functionality of mobile devices also brings many potential safety hazards, for example risky operation of a mobile device under non-user behavior. Currently, device information of the mobile device (such as id and imei numbers) is usually used to identify whether the device is being operated under non-user behavior. However, because mobile device information relates to the core technologies of many manufacturers, collection of device information is increasingly restricted. This makes it harder to identify risky users of the mobile device, and so the security protection of the mobile device under non-user behavior becomes increasingly difficult.
Disclosure of Invention
The invention provides a method and a device for identifying a risk user based on mobile equipment, electronic equipment and a computer readable storage medium, and mainly aims to improve the identification capability of the risk user under the mobile equipment and guarantee the use safety of the mobile equipment.
In order to achieve the above object, the present invention provides a method for identifying a risky user based on a mobile device, including:
configuring a data embedding control in mobile equipment, and acquiring historical user data of a historical user in the mobile equipment according to the data embedding control;
extracting the characteristics of the historical user data to obtain historical characteristic data, and converting the historical characteristic data into historical characteristic vectors;
detecting abnormal data points of the historical characteristic vectors by using an abnormal point detection model, and identifying abnormal historical characteristic vectors in the historical characteristic vectors according to the abnormal data points;
receiving current user data of a current user on the mobile equipment, performing feature extraction on the current user data to obtain current feature data, and converting the current feature data into a current feature vector;
and calculating the similarity between the abnormal historical feature vector and the current feature vector, and identifying the risk coefficient of the current user in the mobile equipment according to the similarity.
Optionally, the configuring a data embedding point control in a mobile device includes:
detecting a click event in the mobile device;
configuring an event table and a user table of the mobile equipment according to the click event;
and creating the data embedding point control of the mobile equipment by adopting a non-embedded point technology according to the event table and the user table.
Optionally, the acquiring, according to the data embedding point control, historical user data of a historical user on the mobile device includes:
identifying an event table and a user table of the historical user in the data embedding point control;
acquiring event data of the historical user triggering the event table in the mobile equipment and user data of the historical user triggering the user table in the mobile equipment;
and summarizing the event data and the user data to be used as historical user data of the historical user on the mobile equipment.
Optionally, the performing feature extraction on the historical user data to obtain historical feature data includes:
removing duplication of the historical user data to obtain duplication-removed data;
identifying data fields of the de-duplicated data, and extracting characteristic data fields in the data fields by adopting a linear method;
and generating historical characteristic data according to the characteristic data field.
Optionally, the detecting abnormal data points of the historical feature vector by using an abnormal point detection model includes:
randomly sampling the historical characteristic vectors by utilizing a sampling layer in the abnormal point detection model to obtain a plurality of sampling characteristic vectors, and constructing an isolated tree of each sampling characteristic vector to obtain a plurality of isolated trees;
performing node cutting on each isolated tree by using a cutting layer in the abnormal point detection model to obtain a cutting vector point of each isolated tree, and recording the cutting path length of the cutting vector point in each isolated tree;
according to the cutting path length, calculating the cutting abnormal score of the cutting vector point in each isolated tree by using an activation function in the abnormal point detection model;
fitting the cutting abnormal score of the cutting vector points in each isolated tree by using a fitting layer in the abnormal point detection model to obtain a final abnormal score of each cutting vector point;
and outputting the abnormal data points of the historical characteristic vectors by utilizing an output layer in the abnormal point detection model according to the final abnormal score.
Optionally, the activation function includes:
Figure BDA0003203333510000021
wherein f (x, phi) represents the cutting abnormal score of the cutting vector point x, x represents the cutting vector point, phi represents the number of sampling feature vectors in the isolated tree, h (x) represents the height of the cutting vector point x corresponding to the isolated tree, E (h (x)) represents the mean function of the isolated tree, and c (phi) represents the standardized function of the cutting path length.
Optionally, the identifying a risk factor of the current user in the mobile device according to the similarity includes:
if the similarity is in a first interval, identifying that the risk coefficient of the current user in the mobile equipment is high risk;
if the similarity is in a second interval, identifying that the risk coefficient of the current user in the mobile equipment is a medium risk;
and if the similarity is in a third interval, identifying that the risk coefficient of the current user in the mobile equipment is low risk.
In order to solve the above problem, the present invention further provides an apparatus for identifying a risky user based on a mobile device, the apparatus comprising:
the historical data acquisition module is used for configuring a data embedding point control in the mobile equipment and acquiring historical user data of a historical user in the mobile equipment according to the data embedding point control;
the historical data preprocessing module is used for extracting the characteristics of the historical user data to obtain historical characteristic data and converting the historical characteristic data into historical characteristic vectors;
the abnormal data detection module is used for detecting abnormal data points of the historical characteristic vectors by using an abnormal point detection model and identifying abnormal historical characteristic vectors in the historical characteristic vectors according to the abnormal data points;
the current data preprocessing module is used for receiving current user data of a current user on the mobile equipment, extracting features of the current user data to obtain current feature data, and converting the current feature data into a current feature vector;
and the risk user identification module is used for calculating the similarity between the abnormal historical characteristic vector and the current characteristic vector and identifying the risk coefficient of the current user in the mobile equipment according to the similarity.
In order to solve the above problem, the present invention also provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to implement the mobile device based risky user identification method described above.
In order to solve the above problem, the present invention further provides a computer-readable storage medium, in which at least one computer program is stored, and the at least one computer program is executed by a processor in an electronic device to implement the mobile device-based risky user identification method described above.
According to the embodiment of the invention, firstly, historical user data of a historical user on the mobile equipment is acquired according to a data embedding point control configured in the mobile equipment. This captures the behavior data of the historical user in the mobile equipment and provides the precondition for judging whether the behavior of the current user on the mobile equipment is abnormal, which improves the identification capability of risk users under the mobile equipment and guarantees the use safety of the mobile equipment. Feature extraction is performed on the historical user data to obtain historical feature data, and the historical feature data is converted into a historical feature vector, which can improve the subsequent data processing speed. Secondly, the embodiment of the invention detects abnormal data points of the historical feature vectors by using a pre-constructed abnormal point detection model, and identifies abnormal historical feature vectors in the historical feature vectors according to the abnormal data points, thereby determining the abnormal points of the mobile equipment being used under non-user behavior and providing the precondition for identifying risk users under the mobile equipment. Further, the embodiment of the invention receives current user data of a current user on the mobile equipment, performs feature extraction on the current user data to obtain current feature data, and converts the current feature data into a current feature vector, in order to judge whether the operation of the current user on the mobile equipment is a normal operation and thereby whether the current user is a risk user. By calculating the similarity between the abnormal historical feature vector and the current feature vector, abnormal points in the current feature vector can be identified. According to the similarity, a risk coefficient of the current user in the mobile equipment is identified and the risk level of the current user using the mobile device is marked, so that a corresponding early warning can be made and the use safety of the mobile device is further improved. Therefore, the method, the device, the electronic device and the computer readable storage medium for identifying the risky users based on the mobile device can improve the identification capability of the risky users under the mobile device and guarantee the use safety of the mobile device.
Drawings
Fig. 1 is a flowchart illustrating a method for identifying a risky user based on a mobile device according to an embodiment of the present invention;
Fig. 2 is a schematic block diagram of an apparatus for identifying a risky user based on a mobile device according to an embodiment of the present invention;
Fig. 3 is a schematic internal structural diagram of an electronic device implementing a mobile device-based risky user identification method according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The embodiment of the application provides a risk user identification method based on mobile equipment. The execution subject of the risk user identification method based on the mobile device includes, but is not limited to, at least one of electronic devices, such as a server and a terminal, which can be configured to execute the method provided by the embodiment of the present application. In other words, the mobile device based risk user identification method may be performed by software or hardware installed in the terminal device or the server device, and the software may be a block chain platform. The server includes but is not limited to: a single server, a server cluster, a cloud server or a cloud server cluster, and the like.
Referring to fig. 1, a flowchart of a method for identifying a risky user based on a mobile device according to an embodiment of the present invention is shown. In an embodiment of the present invention, the method for identifying a risky user based on a mobile device includes:
S1, configuring a data embedding point control in the mobile equipment, and collecting historical user data of a historical user in the mobile equipment according to the data embedding point control.
In the embodiment of the invention, the mobile equipment refers to computer equipment which can be used in movement, such as a smart phone, a tablet and the like, and it should be understood that a large amount of user data can be generated in the process of using the mobile equipment by a user, once the mobile equipment is lost or stolen, the user data using the mobile equipment can be easily stolen, so that a certain risk is brought to the user.
As an embodiment of the present invention, the configuring of the data embedding point control in the mobile device includes: detecting a click event in the mobile equipment, configuring an event table and a user table of the mobile equipment according to the click event, and creating the data embedding point control of the mobile equipment by adopting a non-embedded point technology according to the event table and the user table.
The click event refers to a button trigger event of a user in the mobile device, such as a page unlocking event, an application program browsing event, a service request loading event and the like. The event table is used for recording dimension information of the trigger event, and comprises the id of the trigger event (such as a chat event, a commodity browsing event and the like) and its attributes (such as type, name, time and the like). The user table is used for recording the dimension information of the user, and comprises basic information (such as sex, age and the like) and behavior information (such as frequency, mode and the like). The non-embedded point technology refers to a technology in which a developer does not need to embed tracking points in the code; instead, working independently of the code, the developer only needs to circle-select points on the application interface of the mobile device to add event data points, which can take effect at any time.
In an optional embodiment, the configuring the event table and the user table of the mobile device according to the click event includes: inquiring the event attribute and the user attribute of the click event, and respectively creating an event table and a user table of the mobile equipment by adopting SQL statements according to the event attribute and the user attribute.
Further, according to the data embedding point control, the embodiment of the invention collects historical user data of a historical user in the mobile equipment to identify the user data in the mobile equipment, which provides the precondition for subsequently identifying abnormal use points of the mobile equipment. The historical user data comprises: app usage habits, gesture operation characteristics, sensor information, and the like. In detail, the app usage habits include: the new and innocent type (i.e., apps are updated at the first opportunity and never put off), the old type (i.e., apps are never updated in any case), the cut-off type (i.e., a large number of apps are deleted periodically and a new batch is downloaded), and so on. The gesture operation characteristics include: fingerprint operation, gesture drawing, etc. The sensor information includes: connected device data (e.g., WiFi data), projected device data (e.g., projected TV data), etc.
As an embodiment of the present invention, the acquiring, according to the data embedding point control, historical user data of a historical user on the mobile device includes: identifying an event table and a user table of the historical user in the data embedding point control, collecting event data of the historical user triggering the event table in the mobile equipment and user data of the historical user triggering the user table in the mobile equipment, and summarizing the event data and the user data to be used as historical user data of the historical user in the mobile equipment.
In an optional embodiment, the identification of the event table and the user table may be implemented by a message chain object method, the event data collection of the event table may be implemented by a protocol routing method, and the user data collection of the user table may be implemented by a singleton method.
S2, performing feature extraction on the historical user data to obtain historical feature data, and converting the historical feature data into historical feature vectors.
It should be understood that there may be some useless data and repeated data in the historical user data, such as the model of the mobile device, the click time of the user, and so on, and therefore, the embodiment of the present invention improves the subsequent data processing speed by performing feature extraction on the historical user data.
As an embodiment of the present invention, the performing feature extraction on the historical user data to obtain historical feature data includes: removing duplication of the historical user data to obtain de-duplicated data, identifying the data fields of the de-duplicated data, extracting the characteristic data fields in the data fields by adopting a linear method, and generating historical characteristic data according to the characteristic data fields.
In an optional embodiment of the present invention, the performing a deduplication operation on the historical user data includes: calculating the similarity of any two data items in the historical user data; if the similarity is not greater than the preset similarity, retaining both data items, and if the similarity is greater than the preset similarity, deleting either one of the two data items.
It should be noted that, before calculating the similarity of the historical user data, the embodiment of the present invention further includes: converting the historical user data into corresponding hash values by using a hash algorithm, so that the similarity of the historical user data can subsequently be calculated.
In an optional embodiment of the present invention, the identification of the data fields is implemented by a preset field identification script, and the preset field identification script may be written in the JavaScript scripting language. The linear method comprises the following: principal component analysis, linear discriminant analysis, and multidimensional scaling.
Further, in order to ensure privacy and reusability of the historical feature data, the historical feature data can also be stored in a blockchain node.
It should be appreciated that, since the data in the historical feature data is structured data or semi-structured data and cannot be directly used for numerical calculation between data, the embodiment of the present invention implements numerical calculation of subsequent data by converting the historical feature data into a historical feature vector, and optionally, the vector conversion of the historical feature data may be implemented by a currently known word2vec word vector conversion algorithm.
S3, detecting abnormal data points of the historical characteristic vectors by using an abnormal point detection model, and identifying abnormal historical characteristic vectors in the historical characteristic vectors according to the abnormal data points.
In the embodiment of the present invention, the abnormal point detection model is configured to detect abnormal data points in a historical feature vector, that is, to find the isolated outlier data points in the historical feature vector. For example, if ten gesture postures exist in the historical feature vector, of which nine are four-point connections and one is a ten-point connection, the gesture posture with the ten-point connection can be detected as an abnormal data point. Further, the principle of implementation of the abnormal point detection model is as follows: a data space is cut by a random hyperplane, each cut generating two subspaces; random hyperplanes are then selected to cut the two subspaces obtained in the previous step, and the process repeats until each subspace contains only one data point.
Further, in the embodiment of the present invention, the abnormal point detection model may be constructed by the Isolation Forest algorithm, which is used to handle service scenarios in which abnormal data makes up a small proportion of the total sample size and the feature values of abnormal points differ greatly from those of normal points.
As an embodiment of the present invention, the detecting abnormal data points of the historical feature vector by using an abnormal point detection model includes: randomly sampling the historical characteristic vectors by utilizing a sampling layer in the abnormal point detection model to obtain a plurality of sampling characteristic vectors, and constructing an isolated tree of each sampling characteristic vector to obtain a plurality of isolated trees; performing node cutting on each isolated tree by using a cutting layer in the abnormal point detection model to obtain a cutting vector point of each isolated tree, and recording the cutting path length of the cutting vector point in each isolated tree; according to the cutting path length, calculating the cutting abnormal score of the cutting vector point in each isolated tree by using an activation function in the abnormal point detection model; and fitting the cutting abnormal score of the cutting vector points in each isolated tree by using a fitting layer in the abnormal point detection model to obtain a final abnormal score of each cutting vector point, and outputting the abnormal data points of the historical characteristic vector by using an output layer in the abnormal point detection model according to the final abnormal score.
The random sampling refers to randomly allocating the data features in the historical feature vector into samples, with the number set according to the actual service scenario. For example, if 100 data features exist in the historical feature vector, the data features labelled 1-40 can be used as one sampling feature, those labelled 20-60 as another, and those labelled 40-100 as a third. The isolated tree represents a sampled feature vector treated as a single unit, independent of the overall feature vector. The node cutting of the isolated tree is to perform dimension splitting on the sampling feature vectors of the isolated tree to identify the sampling feature vector with the largest difference value among them, and the cutting path length is the number of cuts applied to the cutting vector point.
It should be appreciated that the isolated trees are generated by random sampling, so that the cutting anomaly scores of the cutting vector points in each isolated tree have a certain randomness, and thus, the embodiment of the invention fits the cutting anomaly scores of the cutting vector points in each isolated tree through the fitting layer in the anomaly detection model to ensure the accuracy and reliability of the cutting anomaly scores of the cutting vector points in each isolated tree.
Further, in an optional embodiment of the present invention, the performing node cutting on each isolated tree by using a cutting layer in the abnormal point detection model to obtain a cutting vector point of each isolated tree includes: randomly selecting a sampling characteristic vector from each isolated tree, identifying the information dimension of the selected sampling characteristic vector, and determining the division point of the selected sampling characteristic vector according to the information dimension to obtain the cutting vector point of each isolated tree.
Illustratively, suppose an isolated tree is formed from the sampled feature vectors of five different users in the mobile device. Identifying the information dimension of each user's sampled feature vector comprises determining the information dimension division points of the five different users as follows: whether the age is greater than 18, and whether the gesture is a four-point connection. The cutting vector points of the isolated tree are thereby obtained as whether the age is greater than 18 and whether the gesture is a four-point connection.
Further, in an optional embodiment of the present invention, the activation function includes:
Figure BDA0003203333510000081
wherein f (x, phi) represents the cutting abnormal score of the cutting vector point x, x represents the cutting vector point, phi represents the number of sampling feature vectors in the isolated tree, h (x) represents the height of the cutting vector point x corresponding to the isolated tree, E (h (x)) represents the mean function of the isolated tree, and c (phi) represents the standardized function of the cutting path length.
Further, according to the abnormal data points, the embodiment of the present invention identifies the abnormal historical feature vectors among the historical feature vectors, that is, the feature vectors whose data features differ greatly from the others, to serve as the basis for judging whether a subsequent user behavior operation on the mobile device is a normal operation.
S4, receiving current user data of a current user on the mobile device, performing feature extraction on the current user data to obtain current feature data, and converting the current feature data into a current feature vector.
In the embodiment of the invention, current user data of the current user on the mobile device is received in order to judge whether the behavior operation of the current user on the mobile device is a normal operation, and thus whether the current user is a risk user. It should be noted that the feature extraction of the current user data and the vector conversion of the current feature data are the same as the feature extraction of the historical user data and the vector conversion of the historical feature data in step S2 above, and are not described further here.
S5, calculating the similarity between the abnormal historical feature vector and the current feature vector, and identifying the risk coefficient of the current user in the mobile equipment according to the similarity.
In the embodiment of the present invention, by calculating the similarity between the abnormal historical feature vector and the current feature vector, the abnormal vector existing in the current feature vector can be identified, so that it can be determined whether the behavior operation of the user in the mobile device corresponding to the current feature vector is a risk operation.
As an embodiment of the present invention, the similarity between the abnormal history feature vector and the current feature vector is calculated by using the following formula:
Figure BDA0003203333510000091
wherein T(x, y) represents the similarity, x_m represents the m-th feature vector of the abnormal historical feature vector, and y_n represents the n-th feature vector in the current feature vector.
Further, according to the similarity, the risk coefficient of the current user in the mobile device is identified, that is, according to the similarity, the risk level of the current user is marked, so that an early warning is given, the use safety of the mobile device is improved, and the information safety of the mobile device is guaranteed.
As an embodiment of the present invention, the identifying a risk factor of the current user in the mobile device according to the similarity includes: if the similarity is in a first interval, identifying that the risk coefficient of the current user in the mobile equipment is high risk; if the similarity is in a second interval, identifying that the risk coefficient of the current user in the mobile equipment is a medium risk; and if the similarity is in a third interval, identifying that the risk coefficient of the current user in the mobile equipment is low risk.
Wherein, the first interval, the second interval and the third interval may be respectively set as: 0.7-1.0, 0.4-0.7 and 0-0.4, and can also be set according to actual service scenarios.
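The flow from the isolated-tree scoring through step S5, as an added Python example that is not code from the patent. The page's two formulas survive only as figure references, so the score uses the standard isolation forest form 2^(-E(h(x))/c(φ)), and the similarity 1/(1 + Euclidean distance), the 0.7 anomaly cut-off, the inclusive lower interval bounds and the sample vectors are all assumptions made here.

```python
import math
import random

EULER_GAMMA = 0.5772156649


def c(phi):
    """c(phi): average path length of an unsuccessful BST search over phi points."""
    if phi <= 1:
        return 0.0
    if phi == 2:
        return 1.0
    return 2.0 * (math.log(phi - 1) + EULER_GAMMA) - 2.0 * (phi - 1) / phi


def build_tree(points, depth, max_depth, rng):
    """Cut on a random feature at a random value until points are isolated."""
    if depth >= max_depth or len(points) <= 1:
        return {"size": len(points)}
    spans = []
    for dim in range(len(points[0])):
        lo, hi = min(p[dim] for p in points), max(p[dim] for p in points)
        if lo < hi:  # only features that still vary can be cut
            spans.append((dim, lo, hi))
    if not spans:  # identical points cannot be separated further
        return {"size": len(points)}
    dim, lo, hi = rng.choice(spans)
    cut = rng.uniform(lo, hi)
    left = [p for p in points if p[dim] < cut]
    right = [p for p in points if p[dim] >= cut]
    return {"dim": dim, "cut": cut,
            "left": build_tree(left, depth + 1, max_depth, rng),
            "right": build_tree(right, depth + 1, max_depth, rng)}


def path_length(node, x):
    """h(x): number of cuts to reach x's leaf, plus c(size) for an unsplit leaf."""
    depth = 0
    while "size" not in node:
        node = node["left"] if x[node["dim"]] < node["cut"] else node["right"]
        depth += 1
    return depth + c(node["size"])


def anomaly_scores(vectors, n_trees=100, sample_size=256, seed=7):
    """Score every vector with 2 ** (-E(h(x)) / c(phi)); near 1 means anomalous."""
    if len(vectors) < 2:
        raise ValueError("need at least two vectors to build isolated trees")
    rng = random.Random(seed)
    phi = min(sample_size, len(vectors))
    max_depth = math.ceil(math.log2(phi))
    forest = [build_tree(rng.sample(vectors, phi), 0, max_depth, rng)
              for _ in range(n_trees)]
    scores = []
    for x in vectors:
        # Averaging over trees stands in for the page's fitting layer (assumption).
        mean_h = sum(path_length(tree, x) for tree in forest) / n_trees
        scores.append(2.0 ** (-mean_h / c(phi)))
    return scores


def find_abnormal(history, threshold=0.7):
    """Historical vectors whose score reaches the assumed cut-off."""
    return [v for v, s in zip(history, anomaly_scores(history)) if s >= threshold]


def similarity(a, b):
    """Assumed similarity in (0, 1]: 1 / (1 + Euclidean distance)."""
    return 1.0 / (1.0 + math.dist(a, b))


def risk_level(current, abnormal_history):
    """Map the best match against abnormal history to the page's three intervals."""
    if not abnormal_history:
        return 0.0, "low"  # assumption: nothing abnormal to resemble
    t = max(similarity(current, a) for a in abnormal_history)
    if t >= 0.7:
        return t, "high"
    if t >= 0.4:
        return t, "medium"
    return t, "low"


# Constructed sample data: three behavioural features scaled to 0-10.
OUTLIERS = [(9.5, 8.8, 9.0), (9.0, 9.5, 8.0)]
HISTORY = [(2.0 + 0.1 * (k % 5), 1.0 + 0.1 * (k % 7), 0.5 * (k % 3))
           for k in range(60)] + OUTLIERS

if __name__ == "__main__":
    abnormal = find_abnormal(HISTORY)
    for current in [(9.4, 8.9, 9.1), (9.0, 8.8, 8.5), (2.2, 1.3, 0.5)]:
        t, level = risk_level(current, abnormal)
        print(current, round(t, 3), level)
```

With unscaled features the distance-based similarity is dominated by the largest-valued feature, so real inputs need the same normalisation for historical and current vectors.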
According to the embodiment of the invention, historical user data of historical users on the mobile device is first acquired through a data embedded point control configured in the mobile device. This captures the behavior data of the historical users on the mobile device and provides the basis for judging whether the behavior of the current user on the mobile device is abnormal, which improves the ability to identify risk users on the mobile device and ensures the use safety of the mobile device. Feature extraction is performed on the historical user data to obtain historical feature data, and the historical feature data is converted into historical feature vectors, which improves the speed of subsequent data processing. Secondly, the embodiment of the invention detects abnormal data points of the historical feature vectors by using a pre-constructed abnormal point detection model and identifies the abnormal historical feature vectors among the historical feature vectors according to the abnormal data points, thereby determining the abnormal points at which the mobile device was used under non-user behavior and providing the basis for identifying risk users on the mobile device. Further, the embodiment of the invention receives current user data of the current user on the mobile device, performs feature extraction on the current user data to obtain current feature data, and converts the current feature data into a current feature vector, so as to judge whether the operation of the current user on the mobile device is a normal operation and thus whether the current user is a risk user. By calculating the similarity between the abnormal historical feature vector and the current feature vector, abnormal points in the current feature vector can be identified; the risk coefficient of the current user in the mobile device is then identified according to the similarity, which marks the risk level of the current user using the mobile device so that a corresponding early warning can be made and the use safety of the mobile device is further improved. Therefore, the risk user identification method based on the mobile device can improve the identification capability of the risk user under the mobile device and guarantee the use safety of the mobile device.
Fig. 2 is a functional block diagram of the risky user identification apparatus based on a mobile device according to the present invention.
The mobile device based risky user identification apparatus 100 of the present invention may be installed in an electronic device. According to the implemented functions, the risk user identification device based on the mobile device can comprise a historical data acquisition module 101, a historical data preprocessing module 102, an abnormal data detection module 103, a current data preprocessing module 104 and a risk user identification module 105. A module according to the present invention, which may also be referred to as a unit, refers to a series of computer program segments that can be executed by a processor of an electronic device and that can perform a fixed function, and that are stored in a memory of the electronic device.
In the present embodiment, the functions regarding the respective modules/units are as follows:
the historical data acquisition module 101 is configured to configure a data embedding control in a mobile device, and acquire historical user data of a historical user in the mobile device according to the data embedding control;
the historical data preprocessing module 102 is configured to perform feature extraction on the historical user data to obtain historical feature data, and convert the historical feature data into a historical feature vector;
the abnormal data detection module 103 is configured to detect an abnormal data point of the historical feature vector by using an abnormal point detection model, and identify an abnormal historical feature vector in the historical feature vector according to the abnormal data point;
the current data preprocessing module 104 is configured to receive current user data of a current user on the mobile device, perform feature extraction on the current user data to obtain current feature data, and convert the current feature data into a current feature vector;
the risk user identification module 105 is configured to calculate a similarity between the abnormal historical feature vector and the current feature vector, and identify a risk coefficient of the current user in the mobile device according to the similarity.
In detail, when the modules in the mobile device based risk user identification apparatus 100 according to the embodiment of the present invention are used, the same technical means as the mobile device based risk user identification method described in fig. 1 above are adopted, and the same technical effects can be produced, which is not described herein again.
Fig. 3 is a schematic structural diagram of an electronic device implementing the method for identifying a risky user based on a mobile device according to the present invention.
The electronic device 1 may comprise a processor 10, a memory 11, a communication bus 12 and a communication interface 13, and may further comprise a computer program, such as a mobile device based risk user identification program, stored in the memory 11 and executable on the processor 10.
In some embodiments, the processor 10 may be composed of an integrated circuit, for example, a single packaged integrated circuit, or may be composed of a plurality of integrated circuits packaged with the same function or different functions, and includes one or more Central Processing Units (CPUs), a microprocessor, a digital Processing chip, a graphics processor, a combination of various control chips, and the like. The processor 10 is a Control Unit (Control Unit) of the electronic device 1, connects various components of the electronic device 1 by using various interfaces and lines, and executes various functions and processes data of the electronic device 1 by running or executing programs or modules (for example, executing a mobile device-based risk user identification program, etc.) stored in the memory 11 and calling data stored in the memory 11.
The memory 11 includes at least one type of readable storage medium including flash memory, removable hard disks, multimedia cards, card-type memory (e.g., SD or DX memory, etc.), magnetic memory, magnetic disks, optical disks, etc. The memory 11 may in some embodiments be an internal storage unit of the electronic device 1, such as a removable hard disk of the electronic device 1. The memory 11 may also be an external storage device of the electronic device 1 in other embodiments, such as a plug-in mobile hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the electronic device 1. Further, the memory 11 may also include both an internal storage unit and an external storage device of the electronic device 1. The memory 11 may be used not only for storing application software installed in the electronic device 1 and various types of data, such as the code of the mobile device based risk user identification program, but also for temporarily storing data that has been output or is to be output.
The communication bus 12 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The bus may be divided into an address bus, a data bus, a control bus, etc. The bus is arranged to enable connection communication between the memory 11 and at least one processor 10 or the like.
The communication interface 13 is used for communication between the electronic device 1 and other devices, and includes a network interface and a user interface. Optionally, the network interface may include a wired interface and/or a wireless interface (e.g., WI-FI interface, bluetooth interface, etc.), which are generally used for establishing a communication connection between the electronic device 1 and other electronic devices 1. The user interface may be a Display (Display), an input unit such as a Keyboard (Keyboard), and optionally a standard wired interface, a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable for displaying information processed in the electronic device 1 and for displaying a visualized user interface, among other things.
Fig. 3 shows only the electronic device 1 with components, and it will be understood by those skilled in the art that the structure shown in fig. 3 does not constitute a limitation of the electronic device 1, and may comprise fewer or more components than those shown, or some components may be combined, or a different arrangement of components.
For example, although not shown, the electronic device 1 may further include a power supply (such as a battery) for supplying power to each component, and preferably, the power supply may be logically connected to the at least one processor 10 through a power management device, so as to implement functions of charge management, discharge management, power consumption management, and the like through the power management device. The power supply may also include any component of one or more dc or ac power sources, recharging devices, power failure detection circuitry, power converters or inverters, power status indicators, and the like. The electronic device 1 may further include various sensors, a bluetooth module, a Wi-Fi module, and the like, which are not described herein again.
It is to be understood that the described embodiments are for purposes of illustration only and that the scope of the appended claims is not limited to such structures.
The memory 11 in the electronic device 1 stores a mobile device based risk user identification program that is a combination of computer programs that, when executed in the processor 10, enable:
configuring a data embedding control in mobile equipment, and acquiring historical user data of a historical user in the mobile equipment according to the data embedding control;
extracting the characteristics of the historical user data to obtain historical characteristic data, and converting the historical characteristic data into historical characteristic vectors;
detecting abnormal data points of the historical characteristic vectors by using an abnormal point detection model, and identifying abnormal historical characteristic vectors in the historical characteristic vectors according to the abnormal data points;
receiving current user data of a current user on the mobile equipment, performing feature extraction on the current user data to obtain current feature data, and converting the current feature data into a current feature vector;
and calculating the similarity between the abnormal historical feature vector and the current feature vector, and identifying the risk coefficient of the current user in the mobile equipment according to the similarity.
Specifically, the processor 10 may refer to the description of the relevant steps in the embodiment corresponding to fig. 1 for a specific implementation method of the computer program, which is not described herein again.
Further, the integrated modules/units of the electronic device 1, if implemented in the form of software functional units and sold or used as separate products, may be stored in a non-volatile computer-readable storage medium. The computer readable storage medium may be volatile or non-volatile. For example, the computer-readable medium may include: any entity or device capable of carrying said computer program code, recording medium, U-disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM).
The present invention also provides a computer-readable storage medium, storing a computer program which, when executed by a processor of an electronic device 1, may implement:
configuring a data embedding control in mobile equipment, and acquiring historical user data of a historical user in the mobile equipment according to the data embedding control;
extracting the characteristics of the historical user data to obtain historical characteristic data, and converting the historical characteristic data into historical characteristic vectors;
detecting abnormal data points of the historical characteristic vectors by using an abnormal point detection model, and identifying abnormal historical characteristic vectors in the historical characteristic vectors according to the abnormal data points;
receiving current user data of a current user on the mobile equipment, performing feature extraction on the current user data to obtain current feature data, and converting the current feature data into a current feature vector;
and calculating the similarity between the abnormal historical feature vector and the current feature vector, and identifying the risk coefficient of the current user in the mobile equipment according to the similarity.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus, device and method can be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof.
The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
The block chain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, a consensus mechanism, an encryption algorithm and the like. A block chain (Blockchain), which is essentially a decentralized database, is a series of data blocks associated by using a cryptographic method, and each data block contains information of a batch of network transactions, so as to verify the validity (anti-counterfeiting) of the information and generate a next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the system claims may also be implemented by one unit or means in software or hardware. The terms second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims (10)

1. A method for mobile device based risk user identification, the method comprising:
configuring a data embedding control in mobile equipment, and acquiring historical user data of a historical user in the mobile equipment according to the data embedding control;
extracting the characteristics of the historical user data to obtain historical characteristic data, and converting the historical characteristic data into historical characteristic vectors;
detecting abnormal data points of the historical characteristic vectors by using an abnormal point detection model, and identifying abnormal historical characteristic vectors in the historical characteristic vectors according to the abnormal data points;
receiving current user data of a current user on the mobile equipment, performing feature extraction on the current user data to obtain current feature data, and converting the current feature data into a current feature vector;
and calculating the similarity between the abnormal historical feature vector and the current feature vector, and identifying the risk coefficient of the current user in the mobile equipment according to the similarity.
2. The mobile device-based risky user identification method of claim 1, wherein said configuring a data-embedded control in the mobile device comprises:
detecting a click event in the mobile device;
configuring an event table and a user table of the mobile equipment according to the click event;
and establishing a data embedded point control piece of the mobile equipment by adopting an embedded point-free technology according to the event table and the user table.
3. The mobile device-based risky user identification method of claim 1, wherein the collecting historical user data of the historical user on the mobile device according to the data burial point control comprises:
identifying an event table and a user table of the historical user in the data buried point control;
acquiring event data of the historical user triggering the event table in the mobile equipment and user data of the historical user triggering the user table in the mobile equipment;
and summarizing the event data and the user data to be used as historical user data of the historical user on the mobile equipment.
4. The method for mobile device based risky user identification of claim 1, wherein said extracting the features of the historical user data to obtain historical feature data comprises:
removing duplication of the historical user data to obtain duplication-removed data;
identifying data fields of the de-duplicated data, and extracting characteristic data fields in the data fields by adopting a linear method;
and generating historical characteristic data according to the characteristic data field.
5. The mobile device-based risky user identification method of claim 1, wherein said detecting outlier data points of said historical feature vector using an outlier detection model comprises:
randomly sampling the historical characteristic vectors by utilizing a sampling layer in the abnormal point detection model to obtain a plurality of sampling characteristic vectors, and constructing an isolated tree of each sampling characteristic vector to obtain a plurality of isolated trees;
performing node cutting on each isolated tree by using a cutting layer in the abnormal point detection model to obtain a cutting vector point of each isolated tree, and recording the cutting path length of the cutting vector point in each isolated tree;
according to the cutting path length, calculating the cutting abnormal score of the cutting vector point in each isolated tree by using an activation function in the abnormal point detection model;
fitting the cutting abnormal score of the cutting vector points in each isolated tree by using a fitting layer in the abnormal point detection model to obtain a final abnormal score of each cutting vector point;
and outputting the abnormal data points of the historical characteristic vectors by utilizing an output layer in the abnormal point detection model according to the final abnormal score.
6. The mobile device-based risky user identification method of claim 5, wherein the activation function comprises:
Figure FDA0003203333500000021
wherein f(x, φ) represents the cutting abnormal score of the cutting vector point x, x represents the cutting vector point, φ represents the number of sampling feature vectors in the isolated tree, h(x) represents the height of the cutting vector point x in the corresponding isolated tree, E(h(x)) represents the mean function of the isolated tree, and c(φ) represents the standardized function of the cutting path length.
7. The method as claimed in any one of claims 1 to 6, wherein the identifying the risk coefficient of the current user in the mobile device according to the similarity comprises:
if the similarity is in a first interval, identifying that the risk coefficient of the current user in the mobile equipment is high risk;
if the similarity is in a second interval, identifying that the risk coefficient of the current user in the mobile equipment is a medium risk;
and if the similarity is in a third interval, identifying that the risk coefficient of the current user in the mobile equipment is low risk.
8. An apparatus for mobile device based risky user identification, the apparatus comprising:
the historical data acquisition module is used for configuring a data embedding point control in the mobile equipment and acquiring historical user data of a historical user in the mobile equipment according to the data embedding point control;
the historical data preprocessing module is used for extracting the characteristics of the historical user data to obtain historical characteristic data and converting the historical characteristic data into historical characteristic vectors;
the abnormal data detection module is used for detecting abnormal data points of the historical characteristic vectors by using an abnormal point detection model and identifying abnormal historical characteristic vectors in the historical characteristic vectors according to the abnormal data points;
the current data preprocessing module is used for receiving current user data of a current user on the mobile equipment, extracting features of the current user data to obtain current feature data, and converting the current feature data into a current feature vector;
and the risk user identification module is used for calculating the similarity between the abnormal historical characteristic vector and the current characteristic vector and identifying the risk coefficient of the current user in the mobile equipment according to the similarity.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the mobile device based risky user identification method of any one of claims 1 to 7.
10. A computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, carries out a mobile device based risky user identification method according to any one of claims 1 to 7.
CN202110910485.8A 2021-08-09 2021-08-09 Risk user identification method, device, equipment and medium based on mobile equipment Pending CN113506045A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110910485.8A CN113506045A (en) 2021-08-09 2021-08-09 Risk user identification method, device, equipment and medium based on mobile equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110910485.8A CN113506045A (en) 2021-08-09 2021-08-09 Risk user identification method, device, equipment and medium based on mobile equipment

Publications (1)

Publication Number Publication Date
CN113506045A true CN113506045A (en) 2021-10-15

Family

ID=78015577

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110910485.8A Pending CN113506045A (en) 2021-08-09 2021-08-09 Risk user identification method, device, equipment and medium based on mobile equipment

Country Status (1)

Country Link
CN (1) CN113506045A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114023037A (en) * 2021-10-19 2022-02-08 深圳市中博科创信息技术有限公司 User safety early warning method and device, electronic equipment and readable storage medium
CN114021605A (en) * 2021-11-02 2022-02-08 深圳市大数据研究院 Risk prediction method, device and system, computer equipment and storage medium
CN116522416A (en) * 2023-05-09 2023-08-01 深圳市银闪科技有限公司 Mobile storage security intelligent supervision system and method based on big data
CN116522416B (en) * 2023-05-09 2023-11-24 深圳市银闪科技有限公司 Mobile storage security intelligent supervision system and method based on big data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination