CN113592499A

CN113592499A - Internet money laundering confrontation method and device

Info

Publication number: CN113592499A
Application number: CN202110134779.6A
Authority: CN
Inventors: 刘晓娟; 武丁泽宇; 颜若儒; 蒋鸿鑫; 郑浩; 宁德金
Original assignee: Weimeng Chuangke Network Technology China Co Ltd
Current assignee: Weimeng Chuangke Network Technology China Co Ltd
Priority date: 2021-01-29
Filing date: 2021-01-29
Publication date: 2021-11-02
Anticipated expiration: 2041-01-29
Also published as: CN113592499B

Abstract

The invention provides a method and a device for internet money laundering confrontation, which are characterized in that the operation characteristics of money laundering are identified through the statistical analysis of an offline log and an online log of an internet account, the money laundering account is found, a money laundering blacklist is established, the operation of a money laundering account number is limited, and the problem that the internet money laundering is difficult to track and qualify due to numerous participants and long transaction links is solved.

Description

Internet money laundering confrontation method and device

Technical Field

The invention relates to the field of internet money laundering, in particular to a method and a device for internet money laundering countermeasure.

Background

With the development of internet and on-line payment, internet products with fund flow property become a new target of money laundering black products. The development, lease or purchase of the running points platform aiming at each internet product in the money washing black products can absorb customers with the money washing requirements on one hand, and recruit running points with the investment requirements on the other hand on the network, so that the participants can be induced to wash money for illegal funds such as lotteries and the like with high return rate. The runner needs to have a large number of internet platform account numbers, and the runner operates the account numbers through the runner platform to conduct fund transactions so as to achieve the purpose of money laundering.

In the past, money laundering countermeasures are mainly carried out in a financial scene and a tax scene through a money laundering mode of financial transactions or offline false operation, and a complete financial transaction link or comprehensive operation and tax conditions and the like are traced through investigating and analyzing historical transaction data or operation and tax data, so that money laundering behaviors are discovered, and the number of financial entities participating in transactions is relatively small.

The internet money laundering takes a completely new online form, so the money laundering confrontation also has new characteristics and faces completely new challenges. Firstly, a non-financial internet product taking a microblog as an example is developed on the basis of internet payment tools such as a payment treasure or a WeChat, and financial institutions such as a bank are arranged at the bottom layer of the payment tools, so that a fund flow link of the non-financial internet product has at least three parties of the bank, the payment tools and the non-financial internet product, and the business product cannot obtain complete transaction link data. Secondly, the Internet money laundering is mainly characterized by low participation cost, participation of a large number of account numbers and small-amount transactions in batches, and is mainly characterized by network participants, and the participants change constantly, so that the difficulty in qualitative and tracking of money laundering behaviors is greatly increased.

To sum up, the conventional money laundering countermeasure mode is based on the complete financial transaction link data, or the underlying financial transaction data such as the bank; the traditional transaction network is relatively simple compared with the internet transaction network, and because the account number acquisition and maintenance cost of the traditional transaction network is high, money laundering participants are relatively fixed and the number of the money laundering participants is small; the traditional money laundering countermeasure mode is not suitable for the internet money laundering countermeasure scene.

Disclosure of Invention

The embodiment of the invention provides a method and a device for internet money laundering confrontation, which are used for identifying the operation characteristics of money laundering through statistical analysis of an offline log and an online log of an internet account, finding the money laundering account, establishing a money laundering blacklist, limiting the operation of the blacklist account, and solving the problem that the internet money laundering is difficult to track and qualify due to numerous participants and long transaction links.

To achieve the above object, in one aspect, an embodiment of the present invention provides an internet money laundering countermeasure method, which includes:

aiming at an online account number which is undergoing transaction operation, acquiring an offline blacklist and online log data of the online account number; the offline blacklist is used for storing an account number which is obtained by analyzing offline log data and is subjected to money laundering operation;

when the online account is judged to be in the offline blacklist, sending an instruction for intercepting an operation executed by the online account;

when the online account is judged not to be in the offline blacklist, analyzing online log data of the online account, and when a first type of money laundering characteristics are identified from the online log data, taking the online account as a suspected money laundering online account; and the number of the first and second groups,

and when the suspected money laundering online account is judged not to meet the preset exemption strategy, taking the suspected money laundering online account as a money laundering online account, adding the money laundering online account to an online accumulation list, and sending an instruction for intercepting the operation executed by the money laundering online account.

Further, the method further comprises:

periodically obtaining offline log data of one or more accounts at specified time intervals;

selecting offline log data in a first specified time range as data to be mined corresponding to each account number in the one or more account numbers aiming at the offline log data of each account number in the one or more account numbers;

when a second type of money laundering characteristics are identified for the data to be mined corresponding to each account in the one or more accounts, taking the account corresponding to the data to be mined as a suspected money laundering offline account;

when the suspected money laundering offline account is judged not to be in the white list, adding the suspected money laundering offline account to the offline black list; the white list is used to store accounts for which no money laundering operation is confirmed.

Further, when the second type of money laundering features are identified for the data to be mined corresponding to each account in the one or more accounts, taking the account corresponding to the data to be mined as a suspected money laundering offline account includes:

analyzing the total withdrawal amount, the recharging source and the difference value of the recharging withdrawal amount in the data to be mined, and if the total withdrawal amount is greater than a specified withdrawal threshold value and the recharging source is from software development kit SDK recharging, or if the difference value of the recharging withdrawal amount is less than a specified difference threshold value, taking an account corresponding to the data to be mined as a first key problem node;

and analyzing a recharge and cash-out time difference in the data to be mined corresponding to the first key problem node, and if the recharge and cash-out time difference is smaller than a specified time difference threshold, taking the first key problem node as the suspected money laundering offline account.

analyzing the number of red packets to be collected and the total amount of collected money in the data to be mined, and if the number of red packets to be collected is greater than a specified threshold value of the number of red packets and the total amount of collected money is greater than a specified threshold value of the total amount of collected money, taking the account corresponding to the data to be mined as a second key problem node;

analyzing social relationship data of the second key problem node through a transceiving network tracing and/or a network discovery algorithm, and discovering an associated account of the second key problem node;

analyzing the total time of receiving all the red parcels in the data to be mined corresponding to the second key problem node, if the total time of receiving all the red parcels is less than a specified receiving time threshold, taking the second key problem node as the suspected money laundering offline account, or analyzing the associated account of the second key problem node, and if the proportion of the low-activity account in the associated account is higher than a specified low-activity threshold, taking the second key problem node corresponding to the associated account as the suspected money laundering offline account.

Further, when it is determined that the online account is not in the offline blacklist, analyzing online log data of the online account, and when a first type of money laundering feature is identified from the online log data, taking the online account as a suspected money laundering online account includes:

and when the online account is judged not to be in the offline blacklist, analyzing the red packet sending times and the total sending amount in the online log data of the online account within a second designated time range, and if the red packet sending times within the second designated time range are larger than a designated sending time threshold value and the total sending amount is larger than a designated sending amount threshold value, taking the online account as a suspected money washing online account.

In another aspect, an embodiment of the present invention provides an internet money laundering countermeasure device, including:

the system comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring an offline blacklist and online log data of an online account aiming at the online account which is undergoing transaction operation; the offline blacklist is used for storing an account number which is obtained by analyzing offline log data and is subjected to money laundering operation;

the blacklist filtering unit is used for sending an instruction for intercepting the operation executed by the online account when the online account is judged to be in the offline blacklist;

the online suspected money washing system comprises an online suspected identification unit, a money washing unit and a money washing processing unit, wherein the online suspected identification unit is used for analyzing online log data of the online account when judging that the online account is not in the offline blacklist, and taking the online account as a suspected money washing online account when identifying a first type of money washing characteristics from the online log data;

and the exemption processing unit is arranged behind the online suspected money laundering online account and is used for taking the suspected money laundering online account as a money laundering online account, adding the money laundering online account to an online accumulation list and sending an instruction for intercepting the operation executed by the money laundering online account when judging that the suspected money laundering online account does not meet a preset exemption strategy.

Further, still include:

the system comprises an offline data acquisition unit, a storage unit and a processing unit, wherein the offline data acquisition unit is used for periodically acquiring offline log data of one or more accounts at specified time intervals;

the data selecting unit is used for selecting the offline log data in a first specified time range as the data to be mined corresponding to each account of the one or more accounts according to the offline log data of each account of the one or more accounts;

the offline suspected identification unit is used for taking the account corresponding to the data to be mined as a suspected money laundering offline account when a second type of money laundering characteristics are identified for the data to be mined corresponding to each account in the one or more accounts;

the white list filtering unit is used for adding the suspected money laundering offline account number to the offline black list when the suspected money laundering offline account number is judged not to be in the white list; the white list is used to store accounts for which no money laundering operation is confirmed.

Further, the offline suspected identification unit includes:

the money laundering cash-withdrawal identification module is used for analyzing the total cash-withdrawal amount, the recharging source and the difference value of the recharging cash-withdrawal amount in the data to be mined, and if the total cash-withdrawal amount is greater than a specified cash-withdrawal threshold value and the recharging source is from software development kit SDK recharging, or if the difference value of the recharging cash-withdrawal amount is less than a specified difference threshold value, the account corresponding to the data to be mined is used as a first key problem node;

and the machine cash withdrawal identification module is used for analyzing a recharging and cash withdrawal time difference in the data to be mined, which corresponds to the first key problem node, and if the recharging and cash withdrawal time difference is smaller than a specified time difference threshold value, taking the first key problem node as the suspected money laundering offline account.

Further, the offline suspected identification unit includes:

the money laundering receiving and identifying module is used for analyzing the number of red parcels to be received and the total amount to be received in the data to be mined, and if the number of red parcels to be received is greater than a specified threshold value of the number of red parcels to be received and the total amount to be received is greater than a specified threshold value of the amount to be received, the account corresponding to the data to be mined is used as a second key problem node;

the associated account number discovery module is used for analyzing the social relationship data of the second key problem node through a transceiving network tracing and/or a network discovery algorithm and discovering the associated account number of the second key problem node;

and the machine receiving identification module is used for analyzing the total receiving time of all the red parcels in the data to be mined, which corresponds to the second key problem node, if the total receiving time of all the red parcels is less than a specified receiving time threshold, the second key problem node is used as the suspected money laundering offline account, or the associated activity identification module is used for analyzing the associated account of the second key problem node, and if the proportion of the low activity account in the associated account is higher than a specified low activity threshold, the second key problem node corresponding to the associated account is used as the suspected money laundering offline account.

Further, the online suspected identification unit is specifically configured to:

Different from the prior art, the technical scheme has the following beneficial effects:

according to the technical scheme, in the face of a brand-new novel money laundering mode such as 'run-out' and the like, in order to not fall into a money laundering black-outlet tool, the product safety is maintained, the financial loss of a company is reduced, and the internet money laundering confrontation becomes one of the centers of gravity of the work of an internet security team. The internet money laundering countermeasure method and device provided by the embodiment of the invention can effectively aim at the characteristics of batch account participation, money laundering account change at any time, complex transaction network, fast transaction and other internet money laundering transaction characteristics under the condition that complete financial transaction data cannot be obtained, and can obtain a fast-response, timely, effective, accurate interception and comprehensive interception internet money laundering countermeasure scheme by utilizing a big data analysis and safety wind control technology and adopting a mode of combining offline data mining and real-time countermeasure. Money laundering in internet security projects has been successful in countering the running credit attack of money laundering dark products in practice. Money laundering operation can be intercepted in time, and loss is reduced; the characteristics in the operation log of the account are fully utilized, so that the dependence on basic financial department data such as a complete financial transaction link and a bank system is avoided, the characteristic that the data of the network account is concentrated in a server is fully utilized, and the problem that the money laundering on the internet participates in numerous accounts and is dispersed in regions is solved through the analysis of the characteristics of the data of the account by a machine; when online money laundering countermeasures are executed, the efficiency and the interception speed of online money laundering account identification are further improved by combining an offline blacklist; and the normal account is further prevented from being accidentally injured through an exemption strategy, and the accuracy of online recognition of the money laundering account is improved. The online countermeasure strategy focuses on machine behavior discovery; the online countermeasure strategy has the advantages of quick effect taking and good real-time performance, and the account number can be identified no matter what the money laundering black products change as long as the too-quick transaction is met; the online countermeasure strategy has the disadvantage that the identification conditions cannot be too strict, and account numbers which are not within the too fast transaction identification threshold must be released, otherwise a large number of normal account numbers can be accidentally injured. The offline money laundering countermeasure strategy focuses on the statistics discovery of transaction behaviors and a relationship network, and has the advantages that batch account number crime can be done through one network, and the offline money laundering countermeasure strategy can still identify the batch account number crime from normal transaction data through a statistic value and the relationship network no matter how frequently the transaction frequency is reduced and account numbers are changed; disadvantages of the offline money laundering countermeasure: the reaction is slow, the shortest data is the data of 1 day, and the effectiveness and the antagonism are insufficient in the antagonism scene; based on the complementarity of the advantages and the disadvantages of the online money laundering countermeasure strategy and the offline money laundering countermeasure strategy, the offline money laundering countermeasure strategy is combined with the online money laundering countermeasure strategy, so that the effects of ensuring the real-time performance of the online money laundering countermeasure and improving the accuracy and the comprehensiveness of the money laundering countermeasure are achieved.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.

FIG. 1 is a flow chart of an Internet money laundering countermeasure method according to one embodiment of the present invention;

FIG. 2 is a block diagram of an Internet money laundering countermeasure unit according to one embodiment of the present invention;

FIG. 3 is a block diagram of an Internet money laundering countermeasure business framework according to one embodiment of the present invention;

FIG. 4 is a schematic diagram illustrating a classification of an Internet money laundering identification method according to an embodiment of the present invention;

FIG. 5 is a schematic diagram of another Internet money laundering identification method according to one embodiment of the present invention;

FIG. 6 is a schematic diagram illustrating a classification of another Internet money laundering identification method according to one embodiment of the present invention;

FIG. 7 is a diagram of an in-line countermeasure architecture in accordance with one embodiment of the present invention;

FIG. 8 is a diagram of an offline countermeasure architecture in accordance with one embodiment of the present invention;

FIG. 9 is a flowchart of an offline analysis presentation strategy according to one embodiment of the present invention;

FIG. 10 is a flow chart of an off-line analysis transaction policy according to one embodiment of the present invention;

FIG. 11 is a flowchart illustrating an online analysis red envelope sending strategy according to an embodiment of the present invention;

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

Abbreviations and key terms in the examples are first explained as follows:

big data technology: the method refers to technologies related to services such as storage, processing, analysis, mining, calculation and the like of massive, high-growth-rate and diversified information data, such as a database, data mining, a distributed file system, a distributed database, a cloud computing platform and the like.

Safe wind control: the risk severity is determined by identifying dangerous and harmful factors existing in production and operation activities and applying a qualitative or quantitative statistical analysis method, so as to determine the priority of risk control and risk control measures.

Money laundering confrontation/money laundering reversal: it refers to the related actions of identification, prevention, disposal, etc. for illegal money laundering activities occurring in normal financial products or internet products.

And (3) offline data mining: the method is a process of storing, analyzing and calculating historical log data of a service by a big data technology to further obtain desired result data.

Online real-time confrontation: the online log data of the service is stored, analyzed and calculated in real time, and a wind control result is given in real time by combining the list data mined by the offline data, so that the aim of real-time countermeasure is fulfilled.

A running and dividing system: a novel automated system used in an Internet money laundering mode automates the operation of Internet product functions to conduct funds transactions.

Run and divide the person: people who engage in money laundering activities and earn return on funds for money laundering black products remotely using the running subsystem.

Recently, a new money laundering mode of a 'run-divide platform' is developed, which mainly uses the product function with fund flow in internet products, such as a red envelope function, and accounts in a remote organization network to launder money. The runners in the network run and get in favor, attack the platform rapidly, cause the transaction amount to increase sharply, stay high and stay high, seriously infringe the service safety of the platform, and cause economic loss.

Because the internet money laundering presents the characteristics of long transaction link, incapability of acquiring complete transaction link data, participation of batch account numbers, change of money laundering account numbers at any time, complex transaction network, rapid transaction and the like, the traditional money laundering countermeasure mode based on complete transaction link data or underlying financial transaction data such as banks and the like cannot be applied, and a set of money laundering countermeasure scheme aiming at the internet money laundering mode is urgently needed.

The participating account numbers of the internet money laundering are all recruited through the network, the account numbers are changed and controlled automatically, normal transactions are disguised by using functions of red packages, e-commerce and the like of internet products in the money laundering process, funds are rapidly transferred among a large number of account numbers, and a complex transaction network is formed.

Money laundering confrontation is the process of finding problem accounts and problem transactions through policies and algorithms, and blocking the problem transactions. During the confrontation period, the behavior mode of money laundering and black products can be changed at any time to achieve the purpose of avoiding wind control, so that on one hand, security personnel need to well mine and accumulate data, apply the data mining result to the security wind control, and simultaneously establish a behavior mode of a real-time strategy for responding to the change of the black products.

Therefore, the internet money laundering countermeasure system is divided into two parts of off-line data mining and on-line real-time countermeasure, and a business framework diagram is shown in fig. 3. The off-line part mainly identifies the behavior patterns presented by the account in a period of historical time to obtain list data with different risk levels. And the online part identifies the current occurring behavior pattern, responds in real time and stores the list data. And the wind control center combines the offline list data and the online list data to give a wind control result.

For the characteristics of internet money laundering, three key points are needed for identifying money laundering transactions, namely, as shown in fig. 4, money laundering account numbers of key nodes are mined through transaction behavior analysis, wherein the transaction behavior analysis can comprise historical receiving and sending transaction analysis and cash withdrawal transaction analysis; secondly, as shown in fig. 5, the money laundering transaction network and the related account number can be found through a receiving and sending network tracking and a network discovery algorithm and the like; thirdly, as shown in fig. 6, the machine operation behavior can be found through frequent transaction identification and too fast transaction identification. In practical application, the three key points are combined in offline data mining, and a strategy is formed by combined use; the online real-time countermeasure portion will focus more on the discovery and interception of machine behavior.

Under the condition that complete financial transaction data cannot be acquired, based on upper-layer internet service data, the internet money laundering transaction characteristics such as batch account participation, money laundering account change at any time, transaction network complexity, rapid transaction and the like are effectively aimed at, and a quick-response, accurate interception, timely and effective internet money laundering countermeasure scheme is obtained by utilizing a big data analysis and safety wind control technology and adopting a mode of combining offline data mining and real-time countermeasure.

In one aspect, as shown in fig. 1, the present invention provides a method for internet money laundering countermeasures, which comprises:

step 100, acquiring an offline blacklist and online log data of an online account for which a transaction operation is taking place; the offline blacklist is used for storing an account number which is obtained by analyzing offline log data and is subjected to money laundering operation;

101, when the online account is judged to be in the offline blacklist, sending an instruction for intercepting an operation executed by the online account;

102, when the online account is judged not to be in the offline blacklist, analyzing online log data of the online account, and when a first type of money laundering features are identified from the online log data, taking the online account as a suspected money laundering online account; and the number of the first and second groups,

and 103, when judging that the suspected money laundering online account does not meet a preset exemption strategy, taking the suspected money laundering online account as a money laundering online account, adding the money laundering online account to an online accumulation list, and sending an instruction for intercepting an operation executed by the money laundering online account.

The online money laundering countermeasure strategy is explained below, and when every transaction or cash withdrawal occurs in the business layer, step 100 is triggered to start money laundering identification of the account in which the transaction or cash withdrawal occurs; the manner in which step 100 is triggered may be by the business layer directly invoking a local money laundering countermeasure module, or the business layer making a request to other services that provide money laundering countermeasures. For example, an online money laundering countermeasure policy can be implemented in the wind control center, when a transaction or a promotion occurs, the business layer sends a request to the wind control center through the API, and the wind control center gives a risk rating to the transaction of the account number. After the step 100 is triggered, the online account on which the transaction occurs is actively obtained or passively obtained from the API request, and since the current online account may already be marked as a money laundering account, the offline blacklist is obtained, and the step 101 is executed to check that if the current online account is already in the offline blacklist, the current account can be directly identified as the money laundering account, and the operation on the current account is directly intercepted, or an interception instruction is sent to the service layer and intercepted by the service layer. And if the current online account is not in the blacklist, continuing to execute the step 102, analyzing the transaction or presented operation log in the online log of the current online account, judging whether the characteristics of the operation log conform to the first-type money laundering characteristics, and if so, taking the current online account as a suspected money laundering account. The first type of money laundering features can be features which are obtained by analyzing and counting log data of a large number of accounts through methods such as manual or machine learning and the like and summarizing and can be used for identifying money laundering operations in real time. The new log data can be counted through continuous periodic analysis to obtain new features that can be used to identify money laundering operations in real time, and these new features are supplemented into the first type of money laundering features to continuously improve the effectiveness of online money laundering countermeasures. After the suspected money laundering online account is obtained, executing step 103, identifying whether the suspected money laundering online account can be confirmed as a money laundering online account by using an exemption strategy, if the suspected money laundering online account is confirmed as the money laundering online account, adding the money laundering online account to an online accumulation list, and sending an instruction for intercepting the operation executed by the money laundering online account, wherein the operation layer can execute the intercepting operation; and after the exemption strategy is carried out, if the account is not the account of the money laundering online account, allowing the account to continue to finish the operation. The purpose of using an exemption policy is to avoid accidental injury to a normally operating account. The exemption strategy comprises white list identification and head account evaluation; the white list is used for saving accounts which are confirmed not to have money laundering operation, namely, accounts which are determined not to have money laundering operation are recorded, and specifically, the accounts can include but are not limited to internal official accounts; internal official accounts, i.e. official accounts used by some internal services; the white list identification comprises the steps of judging whether the suspected money laundering online account is in a white list or not, and if the suspected money laundering online account is in the white list, determining that no money laundering operation occurs on the suspected money laundering online account; if the account number is not in the white list, performing head account number evaluation on the suspected money laundering online account number; the head account evaluation comprises the steps of comprehensively making an evaluation strategy according to rating system data and V authentication data, rating the suspected money laundering online account, and evaluating the suspected money laundering online account as the head account if the rating result reaches a specified rating threshold; if the suspected money laundering online account is not in the white list or is not the head account, the suspected money laundering online account is determined as the money laundering online account; ratings system data includes: grading data with different dimensions, such as content contribution amount of the account, influence of fan, quality level of the account and the like; the head account, i.e. the high-quality account of the platform, may include some high-quality content accounts, media accounts, etc.; the account head evaluation result changes along with the real-time change of rating system data. For higher-ranked head account numbers, the higher-ranked head account numbers can also be added to a white list to improve efficiency. After the online accumulation list is obtained in step 103, the accounts in the online accumulation list can be synchronized to the offline blacklist at regular time, and whether the operation of the account needs to be intercepted can be determined by judging whether the current online account is in the offline blacklist, so that the efficiency is improved.

An architecture diagram for online real-time countermeasure, as shown in fig. 7, is divided into a service layer and a data layer. The data source part of the online real-time countermeasure is accessed with mining result data of offline data mining, namely an offline blacklist, besides online real-time logs related to business and transaction and a real-time data interface used for acquiring basic information characteristics of a user. The data layer provides data storage related services, and online real-time countermeasure needs to provide real-time online wind control services in the form of API (application programming interface), so that Redis storage services capable of processing high-concurrency and fast cache are introduced, and Mysql can provide permanent storage.

The service layer is divided into four sub-services, and the data acquisition module is responsible for accessing the three data sources; the feature extraction service is responsible for extracting user behavior features and user basic information features related to services, for example, the extracted features can be user basic features, can include the number of attacks, the number of concerns, the number of fans, the user quality and the like, and are mainly used for exemption or some user delineations; for another example, the extracted features may also be behavior features, which may include features of red packet transceiving and cashing behaviors, such as the number, total number, frequency, median of transactions, and the like of red packet transceiving or cashing within a time window. The online strategy calculation service carries out strategy calculation based on the characteristic data to obtain real-time mining list data; and the online real-time countermeasure service of the wind control center combines an offline data mining result and an online real-time mining result, wherein the offline data mining result is an offline blacklist, the online real-time mining result is an online accumulated list, and a transaction risk grade is given after comprehensive operation to guide a business layer to carry out graded wind control treatment on the receiving and dispatching transaction, the cash withdrawal behavior and the like. The wind control treatment includes but is not limited to transaction initiation behavior interception, receiving behavior limitation, cashing behavior limitation, and the like.

The present embodiment has the following effects: the online real-time analysis of the money laundering operation characteristics can intercept money laundering operation in time, so that the loss is reduced; the money laundering operation characteristics in the real-time operation log of the account are fully utilized, so that the dependence on basic financial department data such as a complete financial transaction link and a bank system is avoided, the characteristic that the data of the network account is concentrated in a server is fully utilized, and the problems of numerous and geographically dispersed accounts participating in internet money laundering are solved through the analysis of the data characteristics of the account by a machine; when online money laundering countermeasures are executed, the efficiency and the interception speed of online money laundering account identification are further improved by combining an offline blacklist; and the normal account is further prevented from being accidentally injured through an exemption strategy, and the accuracy of online recognition of the money laundering account is improved.

Further, the method further comprises:

step S1, obtaining offline log data of one or more accounts periodically according to a designated time interval;

step S2, selecting, for the offline log data of each account of the one or more accounts, offline log data within a first specified time range as to-be-mined data corresponding to each account of the one or more accounts;

step S3, when a second type of money laundering feature is identified for the data to be mined corresponding to each account in the one or more accounts, taking the account corresponding to the data to be mined as a suspected money laundering offline account;

step S4, when the suspected money laundering offline account is judged not to be in the white list, the suspected money laundering offline account is added to the offline black list; the white list is used to store accounts for which no money laundering operation is confirmed.

The offline countermeasure policy in one embodiment includes: step S1, obtaining offline log data of one or more accounts periodically according to a designated time interval; for example, every day transaction data is recorded in the form of logs, and the logs can be reported to the information statistics service every day, so that offline log data of one or more accounts can be acquired once a day; the number of the accounts acquired each time can be all accounts in the system or a specified part of accounts; the time range of the offline log obtained each time can be log data of the whole time range or the log data in the latest period of time; for example, acquiring all log data of each account once a day, and acquiring log data of the last 30 days of each account once a day; then, sequentially executing the steps S2 to S4 for each account so as to judge whether the corresponding account needs to be added into an offline blacklist; step S2, selecting offline log data within a first specified time range from the offline log data of each account as data to be mined corresponding to the current account; specifically selecting offline log data in different time ranges as data to be mined according to different strategies, for example, for a strategy taking 1 day as a unit, selecting a transaction log in a one-day range as the data to be mined; for the strategy requiring transaction logs in the range of 7 days, 15 days or 30 days, corresponding time span logs can be recovered from the current time point to serve as data to be mined. Step S3, identifying the second money laundering characteristic aiming at the data to be mined, and taking the account corresponding to the data to be mined as a suspected money laundering offline account. The second type of money laundering features may be features that are obtained by analyzing and counting log data of a large number of accounts through methods such as manual or machine learning, and summarizing and can be used for offline recognition of money laundering operations. The new log data may be counted by continuous periodic analysis to obtain newly emerging features that may be used for offline identification of money laundering operations, and these newly emerging features may be supplemented into a second type of money laundering feature to continuously improve the effectiveness of the offline money laundering countermeasure strategy. And step S4, if the suspected money laundering offline account is not in the white list, adding the suspected money laundering offline account into an offline black list. The white list is used to keep the confirmed accounts that have not been washed, and may include the designated official account and the head account confirmed by rating; the efficiency and the accuracy of the online money laundering countermeasure can be improved by acquiring the offline blacklist and judging whether the online account is in the offline blacklist.

An offline countermeasure architecture diagram, as shown in fig. 8, is divided into two layers, a service layer and a data layer. The data sources of the off-line data mining part comprise two service log data of a hive cluster formatted log and a text file log and API real-time data for acquiring the basic information characteristics of the account. The data layer provides a data storage service of a bottom layer, stores source data, feature data and data mining results, and supports three types of Log files, Hive databases and MySQL databases. The service layer comprises a data acquisition and cleaning module, a characteristic data extraction service, a strategy calculation service and a data output service, and is used for completing the collection and cleaning of off-line data, the characteristic extraction, the strategy and algorithm calculation and the data output.

The four sub-services of the service layer, although having a procedural relationship from the service layer, are sufficiently decoupled in technical implementation. Each service module supports interface calling and expansion access, the upstream state is actively confirmed before execution, and the background is asynchronously executed, so that the service of the interface is not blocked. The public computing service, the characteristic data, the intermediate result data and the like are encapsulated by the service, so that repeated computing is avoided, and data sharing among different strategies or algorithms is facilitated.

And the other two layers are accessed to the Prometheus monitoring system through the service monitoring component, so that the system fault and execution condition can be conveniently monitored.

The present embodiment has the following effects: the offline money laundering countermeasure is a beneficial complement to the online countermeasure; the online countermeasure strategy focuses on machine behavior discovery; the online countermeasure strategy has the advantages of quick effect taking and good real-time performance, and the account number can be identified no matter what the money laundering black products change as long as the too-quick transaction is met; the online countermeasure strategy has the disadvantage that the identification conditions cannot be too strict, and account numbers which are not within the too fast transaction identification threshold must be released, otherwise a large number of normal account numbers can be accidentally injured. The offline money laundering countermeasure strategy focuses on the statistics discovery of transaction behaviors and a relationship network, and has the advantages that batch account number crime can be done through one network, and the offline money laundering countermeasure strategy can still identify the batch account number crime from normal transaction data through a statistic value and the relationship network no matter how frequently the transaction frequency is reduced and account numbers are changed; disadvantages of the offline money laundering countermeasure: the reaction is slow, the shortest data is the data of 1 day, and the effectiveness and the antagonism are insufficient in the antagonism scene; based on the complementarity of the advantages and the disadvantages of the online money laundering countermeasure strategy and the offline money laundering countermeasure strategy, the offline money laundering countermeasure strategy is combined with the online money laundering countermeasure strategy, so that the effects of ensuring the real-time performance of the online money laundering countermeasure and improving the accuracy and the comprehensiveness of the money laundering countermeasure are achieved.

In another embodiment, the second category of money laundering features includes, but is not limited to, primarily capturing accounts that are larger in cash withdrawal amount, are operated by machines, and are withdrawn in short periods of time, and through analysis of log data for a large number of accounts, most of which are cash withdrawal or money laundering accounts. It should be noted that, in this embodiment or other embodiments, the suspected money laundering offline account identification methods included in the second type of money laundering characteristic may be executed separately, or the method for identifying suspected money laundering offline accounts by using the second type of money laundering characteristic described in this embodiment may be executed first, and then the method for identifying suspected money laundering offline accounts by using the second type of money laundering characteristic described in other embodiments is executed. As shown in fig. 9, the flowchart is an offline analysis presentation policy flowchart of this embodiment, and is configured to obtain offline log data of a current account to be analyzed within a first specified time range, specifically select offline log data of different time ranges as data to be mined according to different policies, and for example, for a policy with 1 day as a unit, select a transaction log of a day range as data to be mined; for the strategy requiring transaction logs in the range of 7 days, 15 days or 30 days, corresponding time span logs can be recovered from the current time point to serve as data to be mined. In fig. 9, the cash-out data of one day is acquired as the data to be mined, and it is first analyzed whether there is money laundering characteristics related to the cash-out amount, for example, the total cash-out amount is greater than the specified cash-out threshold value and the recharging sources are from the software development kit SDK recharging, or, the difference value of the recharging cash-out amount is less than the specified amount difference threshold value, that is, the difference threshold value in fig. 9; the specific cash withdrawal threshold and the amount difference threshold may be statistically derived from historical log data and validated money laundering accounts. The account number obtained by recognition according to money laundering characteristics related to the cash withdrawal amount is used as a first key problem node, and whether related characteristics of machine operation exist or not is further judged aiming at the first key problem node in order to avoid accidental injury of a normal account number, for example, money laundering participants can automatically recognize that balance capable of being withdrawn exists through a machine and automatically carry out withdrawal, so that withdrawal is completed with efficiency obviously exceeding that of manual work; specifically, it can be determined that the time difference of the recharge withdrawal is smaller than a specified time difference threshold, that is, the withdrawal occurs within a very short time after the account is recharged, so as to determine that the first key problem node is the suspected money laundering offline account. The white list is used to keep the confirmed accounts that have not been washed, and may include the designated official account and the head account confirmed by rating;

the present embodiment has the following effects: as one of off-line money-washing countermeasure strategies, batch account number crime can be paid out in a network, and no matter the transaction frequency is reduced and account numbers are frequently changed, the account numbers can still be identified from normal transaction data through a statistical value and a relationship network, so that the on-line money-washing countermeasure strategy can be used as a beneficial supplement, the real-time performance of the on-line money-washing countermeasure is ensured, and the accuracy and the comprehensiveness of the money-washing countermeasure are improved. Specifically, the cash withdrawal logs concentrated in the background server are fully utilized, and the money laundering account number is found through big data analysis and feature recognition, so that the dependence of a money laundering countermeasure strategy on a complete financial transaction chain, a bank and other financial infrastructure is avoided, and the problems that the number of people participating on the internet is large, the regions are scattered, and the money laundering transaction cannot be tracked by a traditional monitoring means are solved.

In another embodiment, the second type of money laundering characteristic includes, but is not limited to, identifying suspected money laundering offline account numbers, primarily by capturing how many red packs are charged and how large the total amount is charged, identification of machine operations, account numbers where associated operations occur, and the like. It should be noted that, in this embodiment or other embodiments, the suspected money laundering offline account identification methods included in the second type of money laundering characteristic may be executed separately, or the method for identifying suspected money laundering offline accounts by using the second type of money laundering characteristic described in this embodiment may be executed first, and then the method for identifying suspected money laundering offline accounts by using the second type of money laundering characteristic described in other embodiments is executed.

Fig. 10 is a flowchart of an off-line analysis transaction policy flow, and fig. 10 shows a mining policy for red packet transaction data. Firstly, screening account numbers of which the number of red parcels to be collected and the total amount of money exceed normal values, namely a red parcel number threshold value and a collection amount threshold value, wherein the collection amount threshold value is the collection threshold value in the graph 10, and then further judging, wherein one condition is that whether all red parcels are collected within the collection time threshold value, namely whether the total red parcel collection time is smaller than a specified collection time threshold value, and the judgment of machine behaviors is embodied herein; the second is whether most accounts in the accounts with the red package are platform low-activity accounts, for example, microblog is used as a social media platform, the activity of the normal accounts is mainly focused on content publishing and interaction, and if the accounts are only active on the red package, the activity is unreasonable. If only one of the two conditions is met, the node receiving the red packet can be judged as the suspected money laundering offline account. And then all account numbers in the money laundering transaction network are obtained through receiving and sending transaction tracking, and in order to avoid accidental injury, the account numbers with high quality are filtered and then added into an offline blacklist. And finding the associated account number of the second key problem node by tracing back through a transceiving network and/or analyzing the social relationship data of the second key problem node through a network discovery algorithm, specifically, in addition to a network discovery method using the transceiving network tracing back, the method can also assist in finding the same batch of black-produced account numbers in the virtual account number cluster, namely account numbers participating in money laundering, by using social relationship data such as microblog attention relationships through a network discovery algorithm, such as a Fraudar algorithm. And moreover, a strategy can be formulated by analyzing the median of the operation interval time of the transceiving behavior of the account, and the account for red packet transceiving is mined by the operation of the machine.

The discovery of machine behavior is mainly focused in online real-time countermeasure strategies, i.e. the direct limitation of excessively fast transactions. Fig. 11 is a flow chart of an online analysis red envelope sending strategy, and particularly, is an example of an online real-time countermeasure strategy in a microblog money laundering countermeasure. On one hand, service rejection is carried out according to accumulated list data, namely a money laundering blacklist, namely an offline blacklist, wherein the offline blacklist comprises an offline blacklist obtained by identifying a second type of money laundering characteristics to offline log data and an online accumulated list obtained by identifying a first type of money laundering characteristics to online log data; the online accumulated list may be periodically added to the offline blacklist. On the other hand, by identifying the first type of money laundering characteristics, the method can include but is not limited to identifying the account number which sends the red packet in a short time and sends the account number of which the total sum exceeds the limit as a suspected money laundering online account number in a focused manner; it should be noted that, one or more red packets may be sent after one red packet is sent; for example, in fig. 11, the number of times that the account number sends the red packet is greater than the threshold of the number of times that the account number sends the red packet within the specified time, and the amount of money is greater than the threshold of the amount of money to be sent, that is, the number of times that the account number sends the red packet within the second specified time range is greater than the threshold of the specified number of times to be sent and the total amount of money to be sent is greater than the threshold of the specified amount of money to be sent; identifying the number of times the red packet is sent in a short time in order to determine a suspected money laundering operation based on the frequency of the operation; and if the suspected money laundering online account is confirmed to be the money laundering account after passing the exemption strategy, sending and intercepting, otherwise, releasing. In this embodiment, the parameters such as the second designated time range, the red packet sending time threshold, the sending amount threshold, and the like may be selected from different limiting intervals according to conditions such as account quality. Similarly, similar strategies can be formulated for actions such as collecting a red envelope, bringing up a cash and the like.

The present embodiment has the following effects: the online countermeasure strategy focuses on machine behavior discovery; the online countermeasure strategy has the advantages of quick effect taking and good real-time performance, and the account number can be identified no matter what the money laundering black products change as long as the too-quick transaction is met; the online logs of all account numbers concentrated in the background server are fully utilized, the money laundering account numbers are found through big data analysis and characteristic recognition, dependence of money laundering countermeasure strategies on a complete financial transaction chain, banks and other financial infrastructure is avoided, the problems that the number of people participating in money laundering based on the internet is large, the regions are scattered, the occurrence time is randomly distributed, money laundering transactions cannot be tracked by a traditional monitoring means, and online money laundering operations cannot be immediately intercepted are solved, and timely finding and timely intercepting for internet money laundering are achieved.

In another aspect, as shown in fig. 2, an embodiment of the present invention provides an internet money laundering countermeasure apparatus, including:

an obtaining unit 200, configured to obtain an offline blacklist and online log data of an online account for a transaction operation occurring; the offline blacklist is used for storing an account number which is obtained by analyzing offline log data and is subjected to money laundering operation;

a blacklist filtering unit 201, configured to send an instruction to intercept an operation executed by the online account when it is determined that the online account is in the offline blacklist;

an online suspected identification unit 202, configured to analyze online log data of the online account when it is determined that the online account is not in the offline blacklist, and use the online account as a suspected money laundering online account when a first type of money laundering feature is identified from the online log data;

and the exemption processing unit 203 is arranged behind the online suspected money laundering online account, and is used for taking the suspected money laundering online account as a money laundering online account, adding the money laundering online account to an online accumulation list, and sending an instruction for intercepting an operation executed by the money laundering online account when the suspected money laundering online account does not meet a preset exemption policy.

As will be described below, when each transaction or cash withdrawal occurs in the business layer, the execution of the obtaining unit 200 is triggered, and money laundering identification of the account in which the transaction or cash withdrawal occurs is started; the manner of triggering the acquisition unit 200 may be to directly invoke a local money laundering countermeasure module through the business layer, or the business layer may issue a request to other services that provide money laundering countermeasure policies. For example, an online money laundering countermeasure policy can be implemented in the wind control center, when a transaction or a promotion occurs, the business layer sends a request to the wind control center through the API, and the wind control center gives a risk rating to the transaction of the account number. After the sending and acquiring unit 200 is triggered, the online account on which the transaction occurs is acquired from the API request actively or passively, and since the current online account may be already marked as a money laundering account, the offline blacklist is acquired and the blacklist filtering unit 201 is executed to check that if the current online account is already in the offline blacklist, the current account can be directly identified as a money laundering account, the operation of the current account is directly intercepted, or an interception instruction is sent to the service layer and intercepted by the service layer. And if the current online account is not in the blacklist, continuously executing the online suspected identification unit 202, analyzing the transaction or presented operation log in the online log of the current online account, judging whether the characteristics of the operation log conform to the first-class money laundering characteristics, and if so, taking the current online account as the suspected money laundering account. The first type of money laundering features can be features which are obtained by analyzing and counting log data of a large number of accounts through methods such as manual or machine learning and the like and summarizing and can be used for identifying money laundering operations in real time. The new log data can be counted through continuous periodic analysis to obtain new features that can be used to identify money laundering operations in real time, and these new features are supplemented into the first type of money laundering features to continuously improve the effectiveness of online money laundering countermeasures. After the suspected money laundering online account is obtained, the exemption processing unit 203 is executed, whether the suspected money laundering online account can be confirmed as a money laundering online account is identified by using an exemption strategy, if the suspected money laundering online account is confirmed as the money laundering online account, the money laundering online account is added to an online accumulation list, an instruction for intercepting the operation executed by the money laundering online account is sent, and the intercepting operation can be executed by a service layer; and after the exemption strategy is carried out, if the account is not the account of the money laundering online account, allowing the account to continue to finish the operation. The purpose of using an exemption policy is to avoid accidental injury to a normally operating account. The exemption strategy comprises white list identification and head account evaluation; the white list is used for saving accounts which are confirmed not to have money laundering operation, namely, accounts which are determined not to have money laundering operation are recorded, and specifically, the accounts can include but are not limited to internal official accounts; internal official accounts, i.e. official accounts used by some internal services; the white list identification comprises the steps of judging whether the suspected money laundering online account is in a white list or not, and if the suspected money laundering online account is in the white list, determining that no money laundering operation occurs on the suspected money laundering online account; if the account number is not in the white list, performing head account number evaluation on the suspected money laundering online account number; the head account evaluation comprises the steps of comprehensively making an evaluation strategy according to rating system data and V authentication data, rating the suspected money laundering online account, and evaluating the suspected money laundering online account as the head account if the rating result reaches a specified rating threshold; if the suspected money laundering online account is not in the white list or is not the head account, the suspected money laundering online account is determined as the money laundering online account; ratings system data includes: grading data with different dimensions, such as content contribution amount of the account, influence of fan, quality level of the account and the like; the head account, i.e. the high-quality account of the platform, may include some high-quality content accounts, media accounts, etc.; the account head evaluation result changes along with the real-time change of rating system data. For higher-ranked head account numbers, the higher-ranked head account numbers can also be added to a white list to improve efficiency. After the online accumulated list is obtained in the exemption processing unit 203, the account numbers in the online accumulated list can be synchronized to the offline blacklist at regular time, and whether the operation of the account numbers needs to be intercepted can be determined by judging whether the current online account numbers are in the offline blacklist, so that the efficiency is improved.

Further, still include:

Further, the offline suspected identification unit includes:

The above embodiment has the following beneficial effects:

in the face of a brand-new novel money laundering mode such as 'run fen' and the like, in order to not fall into the tools of money laundering and black products, the product safety is maintained, the financial loss of a company is reduced, and the internet money laundering confrontation becomes one of the centers of gravity of the work of an internet security team. The internet money laundering countermeasure method and device provided by the embodiment of the invention can effectively aim at the characteristics of batch account participation, money laundering account change at any time, complex transaction network, fast transaction and other internet money laundering transaction characteristics under the condition that complete financial transaction data cannot be obtained, and can obtain a fast-response, timely, effective, accurate interception and comprehensive interception internet money laundering countermeasure scheme by utilizing a big data analysis and safety wind control technology and adopting a mode of combining offline data mining and real-time countermeasure. Money laundering in internet security projects has been successful in countering the running credit attack of money laundering dark products in practice. Money laundering operation can be intercepted in time, and loss is reduced; the characteristics in the operation log of the account are fully utilized, so that the dependence on basic financial department data such as a complete financial transaction link and a bank system is avoided, the characteristic that the data of the network account is concentrated in a server is fully utilized, and the problem that the money laundering on the internet participates in numerous accounts and is dispersed in regions is solved through the analysis of the characteristics of the data of the account by a machine; when online money laundering countermeasures are executed, the efficiency and the interception speed of online money laundering account identification are further improved by combining an offline blacklist; and the normal account is further prevented from being accidentally injured through an exemption strategy, and the accuracy of online recognition of the money laundering account is improved. The online countermeasure strategy focuses on machine behavior discovery; the online countermeasure strategy has the advantages of quick effect taking and good real-time performance, and the account number can be identified no matter what the money laundering black products change as long as the too-quick transaction is met; the online countermeasure strategy has the disadvantage that the identification conditions cannot be too strict, and account numbers which are not within the too fast transaction identification threshold must be released, otherwise a large number of normal account numbers can be accidentally injured. The offline money laundering countermeasure strategy focuses on the statistics discovery of transaction behaviors and a relationship network, and has the advantages that batch account number crime can be done through one network, and the offline money laundering countermeasure strategy can still identify the batch account number crime from normal transaction data through a statistic value and the relationship network no matter how frequently the transaction frequency is reduced and account numbers are changed; disadvantages of the offline money laundering countermeasure: the reaction is slow, the shortest data is the data of 1 day, and the effectiveness and the antagonism are insufficient in the antagonism scene; based on the complementarity of the advantages and the disadvantages of the online money laundering countermeasure strategy and the offline money laundering countermeasure strategy, the offline money laundering countermeasure strategy is combined with the online money laundering countermeasure strategy, so that the effects of ensuring the real-time performance of the online money laundering countermeasure and improving the accuracy and the comprehensiveness of the money laundering countermeasure are achieved.

The embodiment of the invention provides an internet money laundering countermeasure device, which can realize the method embodiment provided above, and for specific function realization, reference is made to the description of the method embodiment, and no further description is given here.

It should be understood that the specific order or hierarchy of steps in the processes disclosed is an example of exemplary approaches.

Based upon design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged without departing from the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not intended to be limited to the specific order or hierarchy presented.

In the foregoing detailed description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments of the subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, invention lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the invention.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. To those skilled in the art; various modifications to these embodiments will be readily apparent, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

What has been described above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the aforementioned embodiments, but one of ordinary skill in the art may recognize that many further combinations and permutations of various embodiments are possible. Accordingly, the embodiments described herein are intended to embrace all such alterations, modifications and variations that fall within the scope of the appended claims. Furthermore, to the extent that the term "includes" is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim. Furthermore, any use of the term "or" in the specification of the claims is intended to mean a "non-exclusive or".

Those of skill in the art will further appreciate that the various illustrative logical blocks, units, and steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate the interchangeability of hardware and software, various illustrative components, elements, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design requirements of the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present embodiments.

The various illustrative logical blocks, or elements, described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.

The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. For example, a storage medium may be coupled to the processor such the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC, which may be located in a user terminal. In the alternative, the processor and the storage medium may reside in different components in a user terminal.

In one or more exemplary designs, the functions described above in connection with the embodiments of the invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media that facilitate transfer of a computer program from one place to another. Storage media may be any available media that can be accessed by a general purpose or special purpose computer. For example, such computer-readable media can include, but is not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store program code in the form of instructions or data structures and which can be read by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Additionally, any connection is properly termed a computer-readable medium, and, thus, is included if the software is transmitted from a website, server, or other remote source via a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wirelessly, e.g., infrared, radio, and microwave. Such discs (disk) and disks (disc) include compact disks, laser disks, optical disks, DVDs, floppy disks and blu-ray disks where disks usually reproduce data magnetically, while disks usually reproduce data optically with lasers. Combinations of the above may also be included in the computer-readable medium.

The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims

1. A method of internet money laundering confrontation, characterized in that the method comprises:

2. The internet money laundering countermeasure method of claim 1, further comprising:

3. The internet money laundering countermeasure method of claim 2, wherein when a second type of money laundering characteristic is identified for the data to be mined corresponding to each account of the one or more accounts, the taking the account corresponding to the data to be mined as a suspected money laundering offline account comprises:

4. The internet money laundering countermeasure method of claim 2, wherein when a second type of money laundering characteristic is identified for the data to be mined corresponding to each account of the one or more accounts, the taking the account corresponding to the data to be mined as a suspected money laundering offline account comprises:

5. The internet money laundering countermeasure method of claim 1, wherein the analyzing online log data of the online account when determining that the online account is not in the offline blacklist, and regarding the online account as a suspected money laundering online account when identifying a first type of money laundering characteristic from the online log data comprises:

6. An internet money laundering confrontation apparatus, comprising:

7. The internet money laundering countermeasure apparatus of claim 6, further comprising:

8. The internet money laundering countermeasure apparatus of claim 7, wherein the offline suspected identification unit comprises:

9. The internet money laundering countermeasure apparatus of claim 7, wherein the offline suspected identification unit comprises:

10. The internet money laundering countermeasure apparatus of claim 6, wherein the online suspected identification unit is specifically configured to: