CN113592499B

CN113592499B - Internet money laundering countermeasure method and device

Info

Publication number: CN113592499B
Application number: CN202110134779.6A
Authority: CN
Inventors: 刘晓娟; 武丁泽宇; 颜若儒; 蒋鸿鑫; 郑浩; 宁德金
Original assignee: Weimeng Chuangke Network Technology China Co Ltd
Current assignee: Weimeng Chuangke Network Technology China Co Ltd
Priority date: 2021-01-29
Filing date: 2021-01-29
Publication date: 2023-08-25
Anticipated expiration: 2041-01-29
Also published as: CN113592499A

Abstract

The invention provides a method and a device for countermeasures against internet money laundering, which are used for identifying money laundering operation characteristics through statistical analysis of offline logs and online logs of internet accounts, finding money laundering accounts and establishing money laundering blacklists, limiting the operation of money laundering accounts and solving the problem that internet money laundering is difficult to track and qualify due to a plurality of participants and long transaction links.

Description

Internet money laundering countermeasure method and device

Technical Field

The invention relates to the field of internet money laundering, in particular to a method and a device for internet money laundering countermeasure.

Background

With the development of the internet and online payment, internet products with funding flow properties are new targets for money laundering and blackout. The development, leasing or buying of the money laundering black products are aimed at running and separating platforms of all internet products, on one hand, customers with money laundering requirements are absorbed, and on the other hand, running and separating persons with 'investment' requirements are recruited on the internet, and the participants are led to launder money for illegal funds such as betting and the like with high return rate. The running and separating platform operates the account numbers to conduct fund transaction so as to achieve the purpose of money laundering.

In the past, money laundering is performed mainly in financial scenes and tax scenes by means of financial transaction or offline false operation, and the complete financial transaction link or comprehensive operation, tax status and the like are searched by investigating and analyzing historical transaction data or operation and tax data, so that money laundering behaviors are found, and the number of financial entities participating in the transaction is relatively small.

The internet money laundering adopts a brand new online form, so money laundering countermeasure also has new characteristics and faces totally new challenges. Firstly, the non-financial internet product taking microblog as an example, the business function related to the fund flow is developed on the basis of internet payment tools such as payment treasures or WeChat, and the bottom layer of the payment tools is also provided with financial institutions such as banks, so that the fund flow link of the non-financial internet product comprises at least three participants of the banks, the payment tools and the non-financial internet product, and the business product cannot obtain complete transaction link data. And secondly, the internet money laundering has the characteristics of low participation cost, large account participation and batch small-amount transaction, and mainly network participants, and the participants change at any time, so that the difficulty of money laundering behavior qualitative and tracking is greatly increased.

In summary, the conventional money laundering countermeasure mode is based on the complete financial transaction link data, or the bottom financial transaction data of banks and the like; compared with the Internet transaction network, the traditional transaction network is relatively simple, and the money laundering participants are relatively fixed and the number of money laundering participants is small due to the high account acquisition and maintenance cost of the traditional transaction network; the conventional money laundering countermeasure mode is not suitable for the scene of internet money laundering countermeasure.

Disclosure of Invention

The embodiment of the invention provides a method and a device for countermeasures against internet money laundering, which are used for identifying money laundering operation characteristics through statistical analysis of offline logs and online logs of internet accounts, finding money laundering accounts, establishing a money laundering blacklist, limiting the operation of the blacklist accounts and solving the problem that internet money laundering is difficult to track and qualify due to a plurality of participants and long transaction links.

In order to achieve the above object, in one aspect, an embodiment of the present invention provides a method for countering money laundering on the internet, which includes:

acquiring an offline blacklist and online log data of an online account aiming at the online account in which transaction operation is occurring; the offline blacklist is used for storing an account number which is obtained by analyzing the offline log data and is subjected to money laundering operation;

When the online account is judged to be in the offline blacklist, an instruction for intercepting the operation executed by the online account is sent;

when the online account is judged not to be in the offline blacklist, online log data of the online account are analyzed, and when first-class money laundering features are identified from the online log data, the online account is taken as a suspected money laundering online account; the method comprises the steps of,

and when the suspected money-laundering online account does not meet a preset exemption policy, taking the suspected money-laundering online account as a money-laundering online account, adding the money-laundering online account to an online accumulation list, and sending an instruction for intercepting operations executed by the money-laundering online account.

Further, the method further comprises:

periodically obtaining offline log data of one or more accounts at specified time intervals;

selecting offline log data in a first appointed time range as data to be mined corresponding to each account of the one or more accounts according to the offline log data of each account of the one or more accounts;

aiming at the data to be mined corresponding to each account in the one or more accounts, when the second class money laundering features are identified, taking the account corresponding to the data to be mined as a suspected money laundering offline account;

When the suspected money laundering offline account is judged not to be in the white list, the suspected money laundering offline account is added to the offline black list; the whitelist is used to save the account number confirmed that there is no money laundering operation.

Further, the identifying the second type of money laundering feature according to the data to be mined corresponding to each account in the one or more accounts, using the account corresponding to the data to be mined as the suspected money laundering offline account includes:

analyzing the total amount to be extracted, a recharging source and a recharging amount difference value in the data to be extracted, and taking an account corresponding to the data to be extracted as a first key problem node if the total amount to be extracted is greater than a specified extraction threshold value and the recharging sources are all from a Software Development Kit (SDK) for recharging, or if the recharging amount difference value is smaller than the specified amount difference value threshold value;

and analyzing a recharging and presenting time difference in the data to be mined corresponding to the first key problem node, and taking the first key problem node as the suspected money laundering offline account if the recharging and presenting time difference is smaller than a specified time difference threshold.

Analyzing the number of the red packets and the total amount of the red packets to be mined, and if the number of the red packets to be mined is larger than a specified threshold value of the number of the red packets and the total amount of the red packets to be mined is larger than a specified threshold value of the amount of the red packets to be mined, taking an account corresponding to the data to be mined as a second key problem node;

the social relation data of the second key problem node is traced through a receiving and transmitting network and/or analyzed through a network discovery algorithm, and the associated account number of the second key problem node is discovered;

analyzing all red package collecting total time in the data to be mined corresponding to the second key problem node, if the total red package collecting time is smaller than a specified collecting time threshold, taking the second key problem node as the suspected money laundering offline account, or analyzing the associated account of the second key problem node, and if the ratio of a low-activity account in the associated account to the low-activity account in the associated account is higher than the specified low-activity threshold, taking the second key problem node corresponding to the associated account as the suspected money laundering offline account.

Further, when the online account is not in the offline blacklist, online log data of the online account is analyzed, and when a first type money laundering feature is identified from the online log data, the online account is used as a suspected money laundering online account, including:

And when the online account is not in the offline blacklist, analyzing the number of sending red packets and the total sending amount in the online log data of the online account in a second designated time range, and taking the online account as a suspected money laundering online account if the number of sending red packets in the second designated time range is larger than a designated sending number threshold and the total sending amount is larger than a designated sending amount threshold.

In another aspect, an embodiment of the present invention provides an apparatus for internet money laundering, including:

the acquisition unit is used for acquiring an offline blacklist and online log data of the online account aiming at the online account in which the transaction operation is occurring; the offline blacklist is used for storing an account number which is obtained by analyzing the offline log data and is subjected to money laundering operation;

the blacklist filtering unit is used for sending out an instruction for intercepting the operation executed by the online account when judging that the online account is in the offline blacklist;

the online suspected identification unit is used for analyzing online log data of the online account when the online account is not in the offline blacklist, and taking the online account as a suspected money laundering online account when a first money laundering feature is identified from the online log data;

And the exemption processing unit is arranged behind the online suspected identification unit and is used for taking the suspected money-laundering online account as the money-laundering online account when judging that the suspected money-laundering online account does not meet a preset exemption policy, adding the money-laundering online account to an online accumulation list and sending an instruction for intercepting the operation executed by the money-laundering online account.

Further, the method further comprises the following steps:

the offline data acquisition unit is used for periodically acquiring offline log data of one or more accounts at specified time intervals;

the data selecting unit is used for selecting the offline log data of each account in the one or more accounts as data to be mined, wherein the offline log data are in a first appointed time range, and the data correspond to each account in the one or more accounts;

the offline suspected identification unit is used for identifying the second class money laundering characteristics according to the data to be mined corresponding to each account in the one or more accounts, and taking the account corresponding to the data to be mined as a suspected money laundering offline account;

the white list filtering unit is used for adding the suspected money laundering offline account to the offline blacklist when judging that the suspected money laundering offline account is not in the white list; the whitelist is used to save the account number confirmed that there is no money laundering operation.

Further, the offline suspected identifying unit includes:

the money laundering and cash withdrawal identification module is used for analyzing the cash withdrawal total amount, the recharging source and the recharging cash withdrawal amount difference value in the data to be mined, and taking an account corresponding to the data to be mined as a first key problem node if the cash withdrawal total amount is greater than a specified cash withdrawal threshold value and the recharging source is from a Software Development Kit (SDK) for recharging, or if the recharging cash withdrawal amount difference value is less than the specified cash withdrawal amount difference value threshold value;

the machine cash-out identifying module is used for analyzing the recharging cash-out time difference in the data to be mined corresponding to the first key problem node, and if the recharging cash-out time difference is smaller than a specified time difference threshold, the first key problem node is used as the suspected money laundering offline account.

Further, the offline suspected identifying unit includes:

the money laundering and collecting identification module is used for analyzing the number of collected red packets and the total amount of collected money in the data to be mined, and if the number of collected red packets is larger than a specified red packet number threshold value and the total amount of collected money is larger than a specified collection amount threshold value, the account corresponding to the data to be mined is used as a second key problem node;

The associated account number discovery module is used for tracing back through a receiving-transmitting network and/or analyzing social relation data of the second key problem node through a network discovery algorithm to discover an associated account number of the second key problem node;

the machine collection identification module is configured to analyze a total time of collection of all red packets in the data to be mined corresponding to the second key problem node, if the total time of collection of all red packets is smaller than a specified collection time threshold, take the second key problem node as the suspected money laundering offline account, or the association activity identification module is configured to analyze the association account of the second key problem node, and if a ratio of a low-activity account in the association account to the association account is higher than a specified low-activity threshold, take the second key problem node corresponding to the association account as the suspected money laundering offline account.

Further, the online suspected identification unit is specifically configured to:

and when the online account is not in the offline blacklist, analyzing the number of sending red packets and the total sending amount in the online log data of the online account in a second specified time range, and taking the online account as a suspected money laundering online account if the number of sending red packets in the second specified time range is larger than a specified sending number threshold and the total sending amount is larger than a specified sending amount threshold.

Compared with the prior art, the technical scheme has the following beneficial effects:

according to the technical scheme, novel money laundering modes such as running and dividing are faced, so that the money laundering is not a tool for laundering money and blackproducing, the product safety is maintained, the financial loss of companies is reduced, and the internet money laundering is one of the centers of gravity of the work of internet security teams. According to the internet money laundering countermeasure method and device provided by the embodiment of the invention, under the condition that complete financial transaction data cannot be acquired, based on upper-layer internet business data, the internet money laundering countermeasure scheme which is quick in response, timely, effective, accurate in interception and comprehensively intercepted is obtained by utilizing the big data analysis and safety wind control technology and adopting a mode of combining offline data mining and real-time countermeasure, and aiming at the characteristics of batch account participation, change of money laundering account at any time, complex transaction network, quick transaction and the like. Money laundering in internet security projects successfully breaks down the branch-off attack of money laundering black products in practice. The money laundering operation can be intercepted in time, and the loss is reduced; features in an operation log of the account are fully utilized, so that dependence on basic financial departments such as a complete financial transaction link and a banking system is avoided, the feature that data of a network account are concentrated on a server is fully utilized, and the problems that internet money laundering participates in a plurality of accounts and regions are scattered are solved through analysis of the features of the account data by a machine; when online money laundering is executed, the efficiency and interception speed of online money laundering account number identification are further improved by combining an offline blacklist; the normal account number is further prevented from being accidentally injured by the exemption strategy, and the accuracy of online identification of the money laundering account number is improved. On-line countermeasure policies focus on machine behavior discovery; the online countermeasure strategy has the advantages of quick effectiveness and good real-time performance, and can be identified no matter how the account number is changed no matter what the money laundering blackout is, as long as the too-quick transaction is satisfied; the disadvantage of online countermeasure strategies is that the conditions for identification cannot be too strict, and accounts that are not within the recognition threshold of the too fast transaction must be released, otherwise a large number of normal accounts will be accidentally injured. The offline money laundering countermeasure policy focuses on statistical discovery of transaction behaviors and relation networks, and has the advantages that batch account number planning can be done completely, no matter how frequently the transaction frequency is reduced, account numbers can be replaced frequently, and the account numbers can be identified from normal transaction data through the statistics value and the relation networks; drawbacks of offline money laundering countermeasure strategies: the response is slow, the shortest data is 1 day, and the effectiveness and the antagonism are insufficient in the antagonism scene; based on the complementarity of the advantages and disadvantages of the online money laundering countermeasure strategy and the offline money laundering countermeasure strategy, the offline money laundering countermeasure strategy is combined with the online money laundering countermeasure strategy, so that the effects of ensuring the real-time property of the online money laundering countermeasure and improving the accuracy and the comprehensiveness of the money laundering countermeasure are achieved.

Drawings

In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 is a flow chart of an Internet money laundering countermeasure method according to one embodiment of the invention;

FIG. 2 is a diagram showing a construction of an Internet money laundering countermeasure device according to one embodiment of the present invention;

FIG. 3 is a diagram of an Internet money laundering countermeasure business framework in accordance with one embodiment of the present invention;

FIG. 4 is a schematic diagram showing a classification of an Internet money laundering identification method according to one embodiment of the present invention;

FIG. 5 is a schematic diagram showing a classification of another method for identifying money laundering on the Internet according to one embodiment of the invention;

FIG. 6 is a schematic diagram showing a classification of another method for identifying money laundering on the Internet according to one embodiment of the invention;

FIG. 7 is a diagram of an online countermeasure architecture according to one embodiment of the present invention;

FIG. 8 is a diagram of an offline countermeasure architecture according to one embodiment of the present invention;

FIG. 9 is a flowchart of an offline analysis rendering strategy according to one embodiment of the present invention;

FIG. 10 is a flowchart of an offline analysis transceiving transaction strategy according to an embodiment of the present invention;

FIG. 11 is a flow chart of an online analysis send red packet strategy according to one embodiment of the present invention;

Detailed Description

The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

Abbreviations and key terms in the examples are explained first as follows:

big data technology: the method is a technology related to services such as storage, processing, analysis, mining, computing and the like of massive, high-growth-rate and diversified information data, such as databases, data mining, distributed file systems, distributed databases, cloud computing platforms and the like.

Safety wind control: the risk severity is determined by identifying dangerous and harmful factors existing in production operation activities and using a qualitative or quantitative statistical analysis method, so that the priority order of risk control and risk control measures are determined.

Money laundering counter/counter money laundering: refers to the identification, prevention, disposition, etc. of illegal money laundering activities occurring in normal financial products or internet products.

Offline data mining: the method is characterized by comprising the steps of storing, analyzing and calculating historical log data of a service through a big data technology so as to obtain the desired result data.

Online real-time countermeasure: the method is characterized in that online log data of the business are stored, analyzed and calculated in real time, and wind control results are given out in real time by combining with list data mined by offline data, so that the aim of real-time countermeasure is achieved.

Running and separating system: an automatic system used in a novel internet money laundering mode automatically operates internet product functions to conduct funds transaction.

And (3) the score counting: and remotely utilizing the running subsystem to perform money laundering activities for the money laundering black products and earn funds return.

Recently, a novel money laundering mode of a 'run-divide platform' appears, mainly using product functions with fund flow in internet products, such as a red-book function, and remotely organizing account numbers in a network to launder money for the products. The runners in the network get on the way, and attack the platform rapidly, so that the transaction amount is increased rapidly, the transaction amount is high, the service safety of the platform is seriously infringed, and the economic loss is caused.

Because the internet money laundering presents the characteristics of long transaction link, unavailable complete transaction link data, batch account participation, change of money laundering account at any time, complex transaction network, quick transaction and the like, the traditional money laundering countermeasure mode based on the complete transaction link data or the bottom financial transaction data of banks and the like cannot be applicable, and a money laundering countermeasure scheme aiming at the internet money laundering mode is urgently needed.

The participating accounts of the internet money laundering are all network recruitment, the accounts are controlled in a multiple and automatic mode, the functions of red packages, electronic commerce and the like of internet products are disguised into normal transactions in the money laundering process, funds are rapidly circulated among a large number of accounts, and a complex transaction network is formed.

Money laundering is the process of finding out and blocking problem accounts and problem transactions by policies and algorithms. During the countermeasure, the behavior mode of the money laundering black product can be changed at any time to achieve the purpose of avoiding wind control, so that safety personnel need to perform data mining and accumulation on one hand, apply the data mining result to the safety wind control, and simultaneously also formulate the behavior mode of real-time strategy to cope with the black product change.

Therefore, the internet money laundering countermeasure system is divided into an offline data mining part and an online real-time countermeasure part, and a business framework diagram is shown in fig. 3. The offline part is mainly used for identifying the behavior patterns presented by the account in a period of historical time to obtain list data of different risk levels. The online part is used for identifying the current action mode, responding in real time and storing the list data. And the wind control center combines the offline list data and the online list data to give a wind control result.

Aiming at the characteristics of internet money laundering, three core key points are identified, namely, as shown in fig. 4, money laundering accounts of key nodes are mined through transaction behavior analysis, wherein the transaction behavior analysis can comprise historical receiving and sending transaction analysis and cash lifting transaction analysis; secondly, as shown in fig. 5, the money laundering transaction network and the related account numbers can be found through a receiving and transmitting network tracking and network finding algorithm and the like; third, as shown in fig. 6, the machine operation behavior can be found through frequent transaction recognition and too fast transaction recognition. In practical application, the three key points of offline data mining are combined and used again to form a strategy; the online real-time countermeasure part is more focused on the discovery and interception of machine behaviors.

According to the invention, under the condition that complete financial transaction data cannot be acquired, based on upper Internet service data, the Internet money laundering transaction characteristics of batch account participation, change of money laundering account at any time, complex transaction network, quick transaction and the like are effectively aimed, and a quick response, accurate interception, timely and effective Internet money laundering countermeasure scheme is obtained by utilizing a big data analysis and safety wind control technology and adopting a mode of combining offline data mining and real-time countermeasure.

As shown in fig. 1, in one aspect, the method for internet money laundering countermeasure provided by the invention includes:

step 100, acquiring an offline blacklist and online log data of an online account for the online account in which transaction operation is occurring; the offline blacklist is used for storing an account number which is obtained by analyzing the offline log data and is subjected to money laundering operation;

step 101, when the online account is judged to be in the offline blacklist, an instruction for intercepting the operation executed by the online account is sent;

102, when the online account is judged not to be in the offline blacklist, analyzing online log data of the online account, and when a first type money laundering feature is identified from the online log data, taking the online account as a suspected money laundering online account; the method comprises the steps of,

and 103, when the suspected money-laundering online account does not meet a preset exemption policy, taking the suspected money-laundering online account as a money-laundering online account, adding the money-laundering online account to an online accumulation list, and sending an instruction for intercepting operations executed by the money-laundering online account.

The online money laundering countermeasure is described below, and when each transaction or withdrawal occurs in the business layer, step 100 is triggered to start money laundering identification of the account in which the transaction or withdrawal occurs; the triggering step 100 may be implemented by directly invoking the local money laundering countermeasure policy module through the service layer, or may be implemented by the service layer sending a request to other services providing the money laundering countermeasure policy. For example, an online money laundering countermeasure policy can be implemented in the wind control center, and when a transaction or a promotion occurs, the business layer sends a request to the wind control center through the API, and the wind control center gives a risk rating to the transaction of the account. After triggering step 100, the online account on which the transaction occurs is obtained from the API request by actively obtaining or passively obtaining, because the current online account may already be marked as a money laundering account, by obtaining an offline blacklist and executing step 101, it is checked that if the current online account is already in the offline blacklist, the current account may be directly considered as a money laundering account, and the operation of the current account may be directly intercepted, or an interception instruction may be sent to the service layer and intercepted by the service layer. If the current online account is not in the blacklist, continuing to execute step 102, analyzing the transaction or the extracted operation log in the online log of the current online account, judging whether the characteristics of the operation log accord with the first type money laundering characteristics, and if so, taking the current online account as a suspected money laundering account. The first type of money laundering features can be features which are obtained by analyzing and counting log data of a large number of accounts through methods such as manual or machine learning and the like and can be used for identifying money laundering operations in real time. Newly added log data can be counted through continuous and periodical analysis, so that newly-appearing characteristics which can be used for identifying money laundering operation in real time are obtained, the newly-found characteristics are supplemented into the first kind of money laundering characteristics, and the effect of online money laundering countermeasure strategy is continuously improved. After the suspected money-laundering online account is obtained, step 103 is executed, whether the suspected money-laundering online account can be confirmed as the money-laundering online account is identified by using an exemption policy, if the suspected money-laundering online account is confirmed as the money-laundering online account, the money-laundering online account is added to an online accumulation list, an instruction for intercepting operations executed by the money-laundering online account is sent, and the service layer can execute the intercepting operations; and after the exemption strategy, the account number is not the money laundering online account number, and the money laundering online account number is allowed to continue to finish the operation. The purpose of using the exemption policy is to avoid accidentally injuring the normally operating account number. The exemption strategy comprises white list identification and head account evaluation; the white list is used for storing the account number confirmed that no money laundering operation is performed, namely, the account number confirmed that no money laundering operation is performed is recorded, and specifically, the white list can comprise but is not limited to an internal official account number; an internal official account, namely an official account used by some internal businesses; the white list identification comprises judging whether the suspected money laundering online account is in the white list, and if so, judging that the suspected money laundering online account does not have money laundering operation; if the account number is not in the white list, performing head account number evaluation on the suspected money laundering online account number; the head account evaluation comprises comprehensively making an evaluation policy according to the rating system data and the V authentication data, rating the suspected money laundering online account, and evaluating the suspected money laundering online account as the head account if the rating result reaches a specified rating threshold; if the suspected money laundering online account is not in the white list or the head account, the suspected money laundering online account is identified as the money laundering online account; the rating system data includes: content contribution of the account, influence of vermicelli, quality grade of the account and other grading data with different dimensions; the head account number, i.e. the high-quality account number of the platform, can comprise some high-quality content account numbers, media account numbers and the like; the head account number evaluation result of the account number changes along with the real-time change of the rating system data. For higher rated head accounts, to increase efficiency, it may also be added to the whitelist. After the online cumulative list is obtained in step 103, the accounts in the online cumulative list can be synchronized to the offline blacklist at regular time, and whether the operation of intercepting the accounts is needed can be determined by judging whether the current online account is in the offline blacklist, so that the efficiency is improved.

An architecture diagram of online real-time countermeasure as shown in fig. 7 is divided into a service layer and a data layer. The data source part of the online real-time countermeasure is accessed with mining result data of offline data mining, namely an offline blacklist, besides online real-time logs related to business and transaction and a real-time data interface for acquiring basic information characteristics of users. The data layer provides data storage related services, and because online real-time countermeasure needs to provide real-time online wind control services in the form of API and the like, redis storage services capable of processing high-concurrency and fast-access caches are introduced, and Mysql can provide permanent storage.

The service layer is divided into four sub-services, and the data acquisition module is responsible for accessing the three data sources mentioned above; the feature extraction service is responsible for extracting user behavior features and user basic information features related to the service, for example, the extracted features can be user basic features, and can comprise the number of blogs, the number of attention, the number of fan units, the user quality and the like, and are mainly used for exemption or some user delineations; for another example, the extracted features may be behavioral features, which may include features of red pack receiving and sending and presenting behaviors, such as receiving and sending red packs or presenting numbers, total numbers, frequency, trading median, etc. in a time window. The online policy calculation service performs policy calculation based on the feature data to obtain real-time mining list data; the online real-time countermeasure service of the wind control center combines the offline data mining result and the online real-time mining result, wherein the offline data mining result is an offline blacklist, the online real-time mining result is an online accumulated list, the transaction risk rating is given after comprehensive operation, and the service layer is guided to conduct hierarchical wind control treatment on the receiving and transmitting transaction, the presenting behavior and the like. The pneumatic control treatments include, but are not limited to, transaction initiation behavior interception, reception behavior restriction, presentation behavior restriction, and the like.

The present embodiment has the following effects: the money laundering operation can be intercepted in time by analyzing the money laundering operation characteristics on line in real time, so that the loss is reduced; the money laundering operation characteristics in the real-time operation log of the account number are fully utilized, so that the dependence on basic financial departments such as a complete financial transaction link and a banking system is avoided, the characteristic that the data of the network account number are concentrated in a server is fully utilized, and the problems that the money laundering of the Internet participates in a plurality of accounts and the regions are scattered are solved through the analysis of the data characteristics of the account number by a machine; when online money laundering is executed, the efficiency and interception speed of online money laundering account number identification are further improved by combining an offline blacklist; the normal account number is further prevented from being accidentally injured by the exemption strategy, and the accuracy of online identification of the money laundering account number is improved.

Further, the method further comprises:

step S1, periodically obtaining offline log data of one or more accounts according to a specified time interval;

step S2, selecting the offline log data in a first appointed time range as data to be mined corresponding to each account of the one or more accounts according to the offline log data of each account of the one or more accounts;

Step S3, aiming at the data to be mined corresponding to each account in the one or more accounts, when the second class money laundering features are identified, taking the account corresponding to the data to be mined as a suspected money laundering offline account;

step S4, when the suspected money-laundering offline account is judged not to be in the white list, the suspected money-laundering offline account is added to the offline black list; the whitelist is used to save the account number confirmed that there is no money laundering operation.

The offline countermeasure strategy in one embodiment includes: step S1, periodically obtaining offline log data of one or more accounts according to a specified time interval; for example, daily transaction data is recorded in the form of logs that can be reported daily to an information statistics service so that offline log data for one or more accounts can be obtained daily; the number of the accounts acquired each time can be all accounts in the system or a designated part of accounts; the time range of the offline log obtained each time can be log data of all time ranges, and can also be log data in the last period of time; for example, the respective total log data of each account is obtained once a day, and for example, the last 30 days log data of each account is obtained once a day; step S2 to step S4 are sequentially executed for each account, so that whether the corresponding account needs to be added into an offline blacklist or not is judged; step S2, selecting offline log data in a first appointed time range from the offline log data of each account as data to be mined corresponding to the current account; specifically selecting offline log data in different time ranges as data to be mined according to different strategies, for example, for a strategy taking 1 day as a unit, selecting a transaction log in a one-day range as the data to be mined; for the strategies requiring 7-day, 15-day or 30-day range transaction logs, the corresponding time span logs can be recovered from the current time point to serve as data to be mined. And S3, aiming at the data to be mined, identifying a second money laundering feature, and taking an account corresponding to the data to be mined as a suspected money laundering offline account. The second type of money laundering features may be features that are obtained by analyzing and counting log data of a large number of accounts through methods such as manual or machine learning, and summarizing the obtained features that can be used for offline recognition of money laundering operations. Newly added log data can be counted through continuous and periodical analysis, so that newly-appearing characteristics which can be used for offline identification of money laundering operations are obtained, the newly-found characteristics are supplemented into second-class money laundering characteristics, and the effect of offline money laundering countermeasure strategies is continuously improved. And S4, checking that the suspected money laundering off-line account is not in the white list, and adding the suspected money laundering off-line account into the off-line black list. The white list is used for storing confirmed accounts without money laundering, and can comprise a designated official account and a head account confirmed by rating; the online money laundering countermeasure can be obtained by acquiring the offline blacklist, and the efficiency and the accuracy of the online money laundering countermeasure can be improved by judging whether the online account is in the offline blacklist.

An offline countermeasure architecture, as shown in fig. 8, is divided into two layers, a service layer and a data layer. The data sources of the offline data mining part comprise two business log data, namely a hive cluster formatted log and a text file log, and API real-time data for acquiring basic information characteristics of an account. The data layer provides data storage service of the bottom layer, stores source data, feature data and data mining results, and supports three types of Log files, hive databases and MySQL databases. The service layer comprises four parts, namely a data acquisition and cleaning module, a feature data extraction service, a strategy calculation service and a data output service, and is used for completing offline data collection and cleaning, feature extraction, strategy and algorithm calculation and data output.

The four sub-services of the service layer, while having a flow-like relationship from the service level, are sufficiently decoupled in technical implementation. And each service module supports interface calling and expansion access, and actively confirms the upstream state before executing, and the background executes asynchronously, so that the service of the interface is not blocked. The public computing service, the feature data, the intermediate result data and the like are all provided with service packages, so that repeated computation is avoided, and data sharing among different strategies or algorithms is facilitated.

The other two layers are connected to the Prometaheus monitoring system through the service monitoring component, so that system faults and execution conditions can be monitored conveniently.

The present embodiment has the following effects: the offline money laundering countermeasure is a beneficial supplement to the online countermeasure; on-line countermeasure policies focus on machine behavior discovery; the online countermeasure strategy has the advantages of quick effectiveness and good real-time performance, and can be identified no matter how the account number is changed no matter what the money laundering blackout is, as long as the too-quick transaction is satisfied; the disadvantage of online countermeasure strategies is that the conditions for identification cannot be too strict, and accounts that are not within the recognition threshold of the too fast transaction must be released, otherwise a large number of normal accounts will be accidentally injured. The offline money laundering countermeasure policy focuses on statistical discovery of transaction behaviors and relation networks, and has the advantages that batch account number planning can be done completely, no matter how frequently the transaction frequency is reduced, account numbers can be replaced frequently, and the account numbers can be identified from normal transaction data through the statistics value and the relation networks; drawbacks of offline money laundering countermeasure strategies: the response is slow, the shortest data is 1 day, and the effectiveness and the antagonism are insufficient in the antagonism scene; based on the complementarity of the advantages and disadvantages of the online money laundering countermeasure strategy and the offline money laundering countermeasure strategy, the offline money laundering countermeasure strategy is combined with the online money laundering countermeasure strategy, so that the effects of ensuring the real-time property of the online money laundering countermeasure and improving the accuracy and the comprehensiveness of the money laundering countermeasure are achieved.

In another embodiment, the second type of money laundering feature includes, but is not limited to, primarily capturing accounts for which the amount of money to be offered is large, how much is offered by machine operation, and how much is offered in a short period of time, and by analysis of log data for a large number of accounts, such accounts are mostly cash-out or money laundering accounts. It should be noted that, in this embodiment or other embodiments, the method for identifying the suspected offline account of money laundering by the second type money laundering feature may be executed separately, or the method for identifying the suspected offline account of money laundering by the second type money laundering feature in this real-time embodiment may be executed first, and then the method for identifying the suspected offline account of money laundering by the second type money laundering feature in other embodiments may be executed in any specific order, so long as the method for identifying the suspected offline account of money laundering by the second type money laundering feature in any embodiment obtains the judgment of the suspected offline account of money laundering, that is, the currently identified account is considered to be the suspected offline account of money laundering. As shown in fig. 9, which is a flowchart of an offline analysis and extraction policy in this embodiment, offline log data of a current account to be analyzed in a first specified time range is obtained, and the offline log data in different time ranges are specifically selected as data to be mined according to different policies, for example, for a policy taking 1 day as a unit, a transaction log in a one-day range is selected as the data to be mined; for the strategies requiring 7-day, 15-day or 30-day range transaction logs, the corresponding time span logs can be recovered from the current time point to serve as data to be mined. Acquiring one day of cash data as data to be mined in fig. 9, firstly analyzing whether cash washing characteristics related to cash amount exist or not, for example, the cash amount is larger than a specified cash threshold value and recharging sources are from a Software Development Kit (SDK) to recharge, or the recharging cash amount difference is smaller than a specified amount difference threshold value, namely, the difference threshold value in fig. 9; the specific presentation threshold and the amount difference threshold may be derived from historical log data and confirmed money laundering account statistics. According to the account number obtained by recognition of the money laundering features related to the cash withdrawal amount, the account number is taken as a first key problem node, and in order to avoid accidentally injuring a normal account number, whether related features of machine operation exist or not is further judged according to the first key problem node, for example, a money laundering participant can automatically recognize that a cash withdrawal balance exists through a machine and automatically execute cash withdrawal, so that the cash withdrawal is completed with efficiency obviously exceeding that of manpower; specifically, it may be determined that the recharging and current extracting time difference is smaller than a specified time difference threshold, that is, after the account is recharged, the current extracting occurs within a very short time, so as to determine that the first key problem node is a suspected offline account for washing money, and in order to further avoid accidentally injuring a normal account, the suspected offline account for washing money is filtered through a white list, and the suspected offline account for washing money which is not in the white list is considered as the account for washing money, and is added into an offline blacklist. The white list is used for storing confirmed accounts without money laundering, and can comprise a designated official account and a head account confirmed by rating;

The present embodiment has the following effects: as one of the offline money laundering countermeasure strategies, batch account number planning can be done completely, no matter how frequently the transaction frequency is reduced, the account numbers are frequently exchanged, the account numbers can be still identified from normal transaction data through statistics and a relational network, and the online money laundering countermeasure strategy is used as a beneficial supplement, so that the effects of ensuring the real-time performance of online money laundering countermeasures and improving the accuracy and the comprehensiveness of the money laundering countermeasures are achieved. Specifically, the cash-on-hand log concentrated in the background server is fully utilized, and the cash-on-hand account number is found through big data analysis and feature recognition, so that the dependence of a cash-on-hand countermeasure strategy on financial infrastructures such as a complete financial transaction chain, banks and the like is avoided, and the problems that the number of participants based on the Internet is numerous, the territory is dispersed, and the traditional monitoring means cannot track the cash-on-hand transaction are solved.

In another embodiment, the second type of money laundering feature includes, but is not limited to, identifying a suspected money laundering offline account primarily by capturing how much the number of red packs is charged and the size of the total amount charged, identification of machine operations, account numbers where the associated operations occur, and the like. It should be noted that, in this embodiment or other embodiments, the method for identifying the suspected offline account of money laundering by the second type money laundering feature may be executed separately, or the method for identifying the suspected offline account of money laundering by the second type money laundering feature in this real-time embodiment may be executed first, and then the method for identifying the suspected offline account of money laundering by the second type money laundering feature in other embodiments may be executed in any specific order, so long as the method for identifying the suspected offline account of money laundering by the second type money laundering feature in any embodiment obtains the judgment of the suspected offline account of money laundering, that is, the currently identified account is considered to be the suspected offline account of money laundering.

In the following, the embodiment will be specifically explained with reference to fig. 10, and fig. 10 is a flowchart of an offline analysis transaction policy, which shows a mining policy for red-packet transaction data. The method comprises the steps of screening out account numbers with the number of red packets and the total amount exceeding normal values, namely a red packet number threshold value and a collecting amount threshold value, wherein the collecting amount threshold value is the collecting threshold value in fig. 10, and then further judging whether two conditions exist, namely whether all red packets are collected within a collecting time threshold value or not, namely whether the collecting total time of all red packets is smaller than a designated collecting time threshold value or not, wherein the judging of machine behaviors is shown; the second is whether most accounts in the redpack accounts are platform low active accounts, for example, microblogs are used as social media platforms, and the activities of normal accounts are mainly concentrated on content publishing and interaction, and if the accounts are only active on the redpack, the activities are unreasonable. And if one of the two conditions is met, the red packet receiving node can be judged to be a suspected money laundering offline account. And then, all accounts in the money laundering transaction network are obtained through receiving and transmitting transaction tracking, and in order to avoid accidental injury, the high-quality accounts are filtered and added into an offline blacklist. And (3) the social relation data of the second key problem node is traced through a transceiving network and/or analyzed through a network discovery algorithm, and the associated account number of the second key problem node is discovered, specifically, social relation data such as microblog attention relations and the like can be utilized besides a network discovery method traced through the transceiving network, and the network discovery algorithm such as Fraudar algorithm is used for assisting in discovering the same batch of blackout account numbers in the virtual account number cluster, namely account numbers participating in money laundering. And a strategy can be formulated by utilizing the median analysis of the operation interval time of the receiving and transmitting behaviors of the account, and the account for receiving and transmitting the red packet is mined by the machine operation.

And when the online account is not in the offline blacklist, analyzing the number of sending red packets and the total sending amount in the online log data of the online account in a second specified time range, and taking the online account as a suspected money-washing online account if the number of sending red packets in the second specified time range is larger than a specified sending number threshold and the total sending amount is larger than a specified sending amount threshold.

The discovery of machine behavior is mainly focused in online real-time countermeasure strategies, namely, the excessively fast transactions are directly limited. Fig. 11 is a flowchart of an online analysis send red packet strategy, specifically, an example of an online real-time countermeasure strategy in microblog money laundering countermeasures. On one hand, service rejection is carried out according to accumulated list data, namely a money laundering blacklist, namely an offline blacklist, wherein the offline blacklist comprises an offline blacklist obtained by identifying a second type of money laundering feature for offline log data and an online accumulated list obtained by identifying a first type of money laundering feature for online log data; the online cumulative list may be periodically added to the offline blacklist. On the other hand, by identifying the first type of money laundering features, the method can include, but is not limited to, identifying the number of times of sending the red package in a short time and sending an account with total amount exceeding the limit as a suspected money laundering online account; it should be noted that, one red packet may be sent, and one or more red packets may be sent; for example, in fig. 11, the number of times the account number transmits a red packet is greater than the threshold number of times the red packet is transmitted, and the amount is greater than the threshold number of times the red packet is transmitted, that is, the number of times the red packet is transmitted in the second specified time range is greater than the threshold number of times the red packet is transmitted and the total amount of transmission is greater than the threshold number of times the red packet is transmitted; identifying the number of times of sending the red packet in a short time is to judge the suspected money laundering operation according to the operation frequency; and if the suspected money laundering online account is confirmed to be a money laundering account after passing the exemption policy, the sending interception is carried out, otherwise, the money laundering online account is released. The parameters of the second designated time range, the threshold value of the number of times of sending red packets, the threshold value of the sending amount, and the like in the embodiment can be selected from different limiting sections in combination with the conditions of account quality, and the like. Similarly, similar strategies can be formulated for the actions of receiving the red packet, presenting the presentation and the like.

The present embodiment has the following effects: on-line countermeasure policies focus on machine behavior discovery; the online countermeasure strategy has the advantages of quick effectiveness and good real-time performance, and can be identified no matter how the account number is changed no matter what the money laundering blackout is, as long as the too-quick transaction is satisfied; the online log of each account concentrated in the background server is fully utilized, the money-laundering account is found through big data analysis and feature recognition, the dependence of money laundering countermeasures on financial infrastructures such as a complete financial transaction chain, banks and the like is avoided, the problems that the number of participants based on internet money laundering is numerous, the territories are scattered, the occurrence time is randomly distributed, the traditional monitoring means cannot track money laundering transactions and cannot intercept online money laundering operation immediately are solved, and timely finding and timely intercepting of the internet money laundering are achieved.

On the other hand, as shown in fig. 2, an embodiment of the present invention provides an internet money laundering countermeasure device, including:

the obtaining unit 200 is configured to obtain, for an online account in which a transaction operation is occurring, an offline blacklist and online log data of the online account; the offline blacklist is used for storing an account number which is obtained by analyzing the offline log data and is subjected to money laundering operation;

A blacklist filtering unit 201, configured to send an instruction to intercept an operation performed by the online account when the online account is determined to be in the offline blacklist;

an online suspected identifying unit 202, configured to analyze online log data of the online account when the online account is not in the offline blacklist, and identify a first type of money laundering feature from the online log data, and use the online account as a suspected money laundering online account;

and the exemption processing unit 203 is configured to, after the online suspected identification unit, use the suspected money-laundering online account as a money-laundering online account when it is determined that the suspected money-laundering online account does not meet a preset exemption policy, add the money-laundering online account to an online accumulation list, and send an instruction for intercepting an operation performed by the money-laundering online account.

As described below, when each transaction or presentation occurs in the business layer, the execution of the acquisition unit 200 is triggered, and the money laundering identification of the account in which the transaction or presentation occurs is started; the triggering of the trigger acquisition unit 200 may be that the service layer directly invokes the local money laundering countermeasure policy module, or that the service layer sends a request to other services providing the money laundering countermeasure policy. For example, an online money laundering countermeasure policy can be implemented in the wind control center, and when a transaction or a promotion occurs, the business layer sends a request to the wind control center through the API, and the wind control center gives a risk rating to the transaction of the account. After triggering the trigger acquiring unit 200, the online account of the transaction is obtained from the API request by actively acquiring or passively, and since the current online account may already be marked as a money laundering account, by acquiring the offline blacklist and executing the blacklist filtering unit 201, checking that the current online account is already in the offline blacklist, the current account may be directly considered as a money laundering account, the operation of the current account may be directly intercepted, or an interception instruction may be sent to the service layer, and intercepted by the service layer. If the current online account is not in the blacklist, the online suspected identification unit 202 is continuously executed, the transaction or the presented operation log in the online log of the current online account is analyzed, whether the characteristics of the operation log accord with the first type money laundering characteristics is judged, and if so, the current online account is taken as the suspected money laundering account. The first type of money laundering features can be features which are obtained by analyzing and counting log data of a large number of accounts through methods such as manual or machine learning and the like and can be used for identifying money laundering operations in real time. Newly added log data can be counted through continuous and periodical analysis, so that newly-appearing characteristics which can be used for identifying money laundering operation in real time are obtained, the newly-found characteristics are supplemented into the first kind of money laundering characteristics, and the effect of online money laundering countermeasure strategy is continuously improved. After the suspected money-laundering online account is obtained, executing an exemption processing unit 203, identifying whether the suspected money-laundering online account can be confirmed as the money-laundering online account by using an exemption policy, if so, adding the money-laundering online account to an online accumulation list, sending an instruction for intercepting operations executed by the money-laundering online account, and executing the intercepting operations by a business layer; and after the exemption strategy, the account number is not the money laundering online account number, and the money laundering online account number is allowed to continue to finish the operation. The purpose of using the exemption policy is to avoid accidentally injuring the normally operating account number. The exemption strategy comprises white list identification and head account evaluation; the white list is used for storing the account number confirmed that no money laundering operation is performed, namely, the account number confirmed that no money laundering operation is performed is recorded, and specifically, the white list can comprise but is not limited to an internal official account number; an internal official account, namely an official account used by some internal businesses; the white list identification comprises judging whether the suspected money laundering online account is in the white list, and if so, judging that the suspected money laundering online account does not have money laundering operation; if the account number is not in the white list, performing head account number evaluation on the suspected money laundering online account number; the head account evaluation comprises comprehensively making an evaluation policy according to the rating system data and the V authentication data, rating the suspected money laundering online account, and evaluating the suspected money laundering online account as the head account if the rating result reaches a specified rating threshold; if the suspected money laundering online account is not in the white list or the head account, the suspected money laundering online account is identified as the money laundering online account; the rating system data includes: content contribution of the account, influence of vermicelli, quality grade of the account and other grading data with different dimensions; the head account number, i.e. the high-quality account number of the platform, can comprise some high-quality content account numbers, media account numbers and the like; the head account number evaluation result of the account number changes along with the real-time change of the rating system data. For higher rated head accounts, to increase efficiency, it may also be added to the whitelist. After the online accumulated list is obtained in the exemption processing unit 203, the accounts in the online accumulated list can be synchronized to the offline blacklist at regular time, and whether the operation of intercepting the account is needed can be determined by judging whether the current online account is in the offline blacklist, so that the efficiency is improved.

Further, the method further comprises the following steps:

Further, the offline suspected identifying unit includes:

The above embodiment has the following beneficial effects:

in order to avoid the novel money laundering modes such as 'run-off' and the like, the money laundering system maintains the safety of products, reduces the financial loss of companies and becomes one of the centers of gravity of the work of Internet security team. According to the internet money laundering countermeasure method and device provided by the embodiment of the invention, under the condition that complete financial transaction data cannot be acquired, based on upper-layer internet business data, the internet money laundering countermeasure scheme which is quick in response, timely, effective, accurate in interception and comprehensively intercepted is obtained by utilizing the big data analysis and safety wind control technology and adopting a mode of combining offline data mining and real-time countermeasure, and aiming at the characteristics of batch account participation, change of money laundering account at any time, complex transaction network, quick transaction and the like. Money laundering in internet security projects successfully breaks down the branch-off attack of money laundering black products in practice. The money laundering operation can be intercepted in time, and the loss is reduced; features in an operation log of the account are fully utilized, so that dependence on basic financial departments such as a complete financial transaction link and a banking system is avoided, the feature that data of a network account are concentrated on a server is fully utilized, and the problems that internet money laundering participates in a plurality of accounts and regions are scattered are solved through analysis of the features of the account data by a machine; when online money laundering is executed, the efficiency and interception speed of online money laundering account number identification are further improved by combining an offline blacklist; the normal account number is further prevented from being accidentally injured by the exemption strategy, and the accuracy of online identification of the money laundering account number is improved. On-line countermeasure policies focus on machine behavior discovery; the online countermeasure strategy has the advantages of quick effectiveness and good real-time performance, and can be identified no matter how the account number is changed no matter what the money laundering blackout is, as long as the too-quick transaction is satisfied; the disadvantage of online countermeasure strategies is that the conditions for identification cannot be too strict, and accounts that are not within the recognition threshold of the too fast transaction must be released, otherwise a large number of normal accounts will be accidentally injured. The offline money laundering countermeasure policy focuses on statistical discovery of transaction behaviors and relation networks, and has the advantages that batch account number planning can be done completely, no matter how frequently the transaction frequency is reduced, account numbers can be replaced frequently, and the account numbers can be identified from normal transaction data through the statistics value and the relation networks; drawbacks of offline money laundering countermeasure strategies: the response is slow, the shortest data is 1 day, and the effectiveness and the antagonism are insufficient in the antagonism scene; based on the complementarity of the advantages and disadvantages of the online money laundering countermeasure strategy and the offline money laundering countermeasure strategy, the offline money laundering countermeasure strategy is combined with the online money laundering countermeasure strategy, so that the effects of ensuring the real-time property of the online money laundering countermeasure and improving the accuracy and the comprehensiveness of the money laundering countermeasure are achieved.

The embodiment of the invention provides a device for countermeasures against money laundering on the internet, which can realize the method embodiment provided above, and specific function implementation is shown in the description of the method embodiment and will not be repeated here.

It should be understood that the specific order or hierarchy of steps in the processes disclosed are examples of exemplary approaches.

Based on design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged without departing from the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not meant to be limited to the specific order or hierarchy presented.

In the foregoing detailed description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments of the subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, invention lies in less than all features of a single disclosed embodiment. Thus the following claims are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate preferred embodiment of this invention.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. As will be apparent to those skilled in the art; various modifications to these embodiments will be readily apparent, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

The foregoing description includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the aforementioned embodiments, but one of ordinary skill in the art may recognize that many further combinations and permutations of various embodiments are possible. Accordingly, the embodiments described herein are intended to embrace all such alterations, modifications and variations that fall within the scope of the appended claims. Furthermore, as used in the specification or claims, the term "comprising" is intended to be inclusive in a manner similar to the term "comprising," as interpreted when employed as a transitional word in a claim. Furthermore, any use of the term "or" in the specification of the claims is intended to mean "non-exclusive or".

Those of skill in the art will further appreciate that the various illustrative logical blocks (illustrative logical block), units, and steps described in connection with the embodiments of the invention may be implemented by electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components (illustrative components), elements, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design requirements of the overall system. Those skilled in the art may implement the described functionality in varying ways for each particular application, but such implementation is not to be understood as beyond the scope of the embodiments of the present invention.

The various illustrative logical blocks or units described in the embodiments of the invention may be implemented or performed with a general purpose processor, a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described. A general purpose processor may be a microprocessor, but in the alternative, the general purpose processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.

The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. In an example, a storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC, which may reside in a user terminal. In the alternative, the processor and the storage medium may reside as distinct components in a user terminal.

In one or more exemplary designs, the above-described functions of embodiments of the present invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, the functions may be stored on a computer-readable medium or transmitted as one or more instructions or code on the computer-readable medium. Computer readable media includes both computer storage media and communication media that facilitate transfer of computer programs from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer. For example, such computer-readable media may include, but is not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that may be used to carry or store program code in the form of instructions or data structures and other data structures that may be read by a general or special purpose computer, or a general or special purpose processor. Further, any connection is properly termed a computer-readable medium, e.g., if the software is transmitted from a website, server, or other remote source via a coaxial cable, fiber optic cable, twisted pair, digital Subscriber Line (DSL), or wireless such as infrared, radio, and microwave, and is also included in the definition of computer-readable medium. The disks (disks) and disks (disks) include compact disks, laser disks, optical disks, DVDs, floppy disks, and blu-ray discs where disks usually reproduce data magnetically, while disks usually reproduce data optically with lasers. Combinations of the above may also be included within the computer-readable media.

The foregoing description of the embodiments has been provided for the purpose of illustrating the general principles of the invention, and is not meant to limit the scope of the invention, but to limit the invention to the particular embodiments, and any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims

1. A method of internet money laundering countermeasure, the method comprising:

When the suspected money-laundering online account does not meet a preset exemption policy, taking the suspected money-laundering online account as a money-laundering online account, adding the money-laundering online account to an online accumulation list, and sending an instruction for intercepting operations executed by the money-laundering online account;

the method further comprises the steps of:

when the suspected money laundering offline account is judged not to be in the white list, the suspected money laundering offline account is added to the offline black list; the white list is used for storing the account number confirmed that no money laundering operation is performed;

when the first type of money laundering features are identified from the online log data, the online account is taken as a suspected money laundering online account, and the method comprises the following steps: identifying the number of times of sending the red package in a short time and an account with the total amount exceeding the limit is sent and taking the account as a suspected money laundering online account;

When the second type money laundering feature is identified, taking the account corresponding to the data to be mined as a suspected money laundering offline account, including: capturing an account number which is larger in cash withdrawal amount and is more and more to be withdrawn after being recharged in a short time through machine operation, and taking the account number as a suspected money laundering offline account number; or, the suspected money laundering offline account is identified by capturing the number of the red packets and the total amount of money received, identifying the machine operation and the account with the associated operation.

2. The method of internet money laundering countermeasure of claim 1, wherein the identifying the second type of money laundering feature for each account of the one or more accounts respectively corresponds to data to be mined, taking the account corresponding to the data to be mined as a suspected money laundering offline account, comprises:

3. The method of internet money laundering countermeasure of claim 1, wherein the identifying the second type of money laundering feature for each account of the one or more accounts respectively corresponds to data to be mined, taking the account corresponding to the data to be mined as a suspected money laundering offline account, comprises:

4. The method of internet money laundering countermeasure of claim 1, wherein when the online account is determined not to be in the offline blacklist, analyzing online log data of the online account, and when a first type of money laundering feature is identified from the online log data, taking the online account as a suspected money laundering online account includes:

5. An internet money laundering countermeasure device, comprising:

the exemption processing unit is arranged behind the online suspected identification unit and is used for taking the suspected money-laundering online account as a money-laundering online account when judging that the suspected money-laundering online account does not meet a preset exemption policy, adding the money-laundering online account to an online accumulation list and sending an instruction for intercepting operations executed by the money-laundering online account;

the apparatus further comprises:

The white list filtering unit is used for adding the suspected money laundering offline account to the offline blacklist when judging that the suspected money laundering offline account is not in the white list; the white list is used for storing the account number confirmed that no money laundering operation is performed;

the online suspected identification unit is specifically configured to: identifying the number of times of sending the red package in a short time and an account with the total amount exceeding the limit is sent and taking the account as a suspected money laundering online account;

the offline suspected identification unit is specifically configured to: capturing an account number which is larger in cash withdrawal amount and is more and more to be withdrawn after being recharged in a short time through machine operation, and taking the account number as a suspected money laundering offline account number; or, the suspected money laundering offline account is identified by capturing the number of the red packets and the total amount of money received, identifying the machine operation and the account with the associated operation.

6. The internet money laundering countermeasure apparatus of claim 5, wherein the offline suspected identification unit comprises:

7. The internet money laundering countermeasure apparatus of claim 5, wherein the offline suspected identification unit comprises:

8. The internet money laundering countermeasure device of claim 5, wherein the online suspected identification unit is specifically configured to: