CN114331593A - Malicious order identification and processing method, device, equipment and storage medium - Google Patents
Malicious order identification and processing method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN114331593A CN114331593A CN202111525100.2A CN202111525100A CN114331593A CN 114331593 A CN114331593 A CN 114331593A CN 202111525100 A CN202111525100 A CN 202111525100A CN 114331593 A CN114331593 A CN 114331593A
- Authority
- CN
- China
- Prior art keywords
- order
- address
- malicious
- abnormal
- contact telephone
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Telephonic Communication Services (AREA)
Abstract
The invention discloses a method, a device, equipment and a storage medium for identifying and processing a malicious order, wherein the method comprises the following steps: acquiring IP address, contact telephone, receiving address and behavior data when a user places an order; inputting the behavior data into a pre-trained behavior analysis prediction model to obtain the probability that the behavior data is abnormal behavior; when the probability exceeds a preset probability threshold value, whether the IP address, the contact telephone and the receiving address are abnormal or not is analyzed based on a preset rule; when the IP address, the contact telephone and the receiving address have more than one dimension abnormity, marking the order as a malicious order and blacking out the user; and when the IP address, the contact telephone and the receiving address are normal, the order is marked with a suspicious label. According to the invention, the behavior data with higher probability of malicious orders is analyzed, and other dimensions are used for analyzing whether the orders are malicious orders, so that the accuracy of malicious order identification is improved.
Description
Technical Field
The present application relates to the field of electronic commerce and data processing technologies, and in particular, to a method, an apparatus, a device, and a storage medium for identifying and processing a malicious order.
Background
Along with the development of the e-commerce industry, the platform flow is higher and higher, malicious methods of customers are enriched day by day, merchants have concentrated complaints and are attacked by malicious orders, and loss caused by the malicious orders is increased day by day. And the malicious orders actively reported by the merchant only account for a part of the malicious orders, a large number of malicious orders are also in fierce growth, and if the merchant encounters malicious ordering, the merchant not only can affect the overstock of the commodity inventory, but also can cause the increase of return application of the orders from the merchant to the supplier, and the evaluation of the merchant at the supplier is affected.
At present, when customer service personnel identify malicious orders, comprehensive objective analysis on all information of the orders is lacked, so that the analysis result is not accurate enough, and a large amount of manpower is consumed.
Disclosure of Invention
The application provides a method, a device, equipment and a storage medium for identifying and processing malicious orders, and aims to solve the problem of low identification accuracy of the malicious orders.
In order to solve the technical problem, the application adopts a technical scheme that: the method for identifying and processing the malicious order comprises the following steps: acquiring IP address, contact telephone, receiving address and behavior data when a user places an order; inputting the behavior data into a pre-trained behavior analysis prediction model to obtain the probability that the behavior data is abnormal behavior, wherein the behavior analysis prediction model is obtained by training according to historical malicious order data in a group user sample prepared in advance; when the probability exceeds a preset probability threshold value, whether the IP address, the contact telephone and the receiving address are abnormal or not is analyzed based on a preset rule; when the IP address, the contact telephone and the receiving address have more than one dimension abnormity, marking the order as a malicious order and blacking out the user; and when the IP address, the contact telephone and the receiving address are normal, the order is marked with a suspicious label.
As a further improvement of the present application, after obtaining the probability that the behavior data is an abnormal behavior, the method further includes: when the probability does not exceed a preset probability threshold, analyzing whether the IP address, the contact telephone and the receiving address are abnormal or not based on a preset rule; when two or more dimensions in the IP address, the contact telephone and the receiving address are abnormal, the order is marked as a malicious order and the user is blacked out; and when one dimension among the IP address, the contact telephone and the receiving address is abnormal, the order is marked with a suspicious label.
As a further improvement of the present application, after placing the suspicious label on the order, the method further includes: counting the number of orders with suspicious labels in all historical orders of the user; when the order quantity exceeds the preset order quantity, the order is marked as a malicious order and the user is blacked out.
As a further improvement of the present application, analyzing the IP address based on a preset rule includes: matching the IP address with historical IP addresses in historical order data of all users to determine the number of users who have placed orders by using the IP address; when the number of the users exceeds the preset number of the users, the IP address is marked as abnormal; when the number of users does not exceed the preset number of users, the hierarchical relation of the IP address is analyzed, and when the IP address is confirmed to use the proxy, the IP address is marked as abnormal.
As a further improvement of the present application, analyzing the contact call based on the preset rule includes: matching the contact telephone with a virtual number segment acquired from an operator in advance to confirm whether the contact telephone is a virtual number or not; if so, the contact call is marked as abnormal.
As a further improvement of the present application, analyzing the shipping address based on a preset rule includes: judging whether the receiving address receives a historical normal order or not; if not, according to the map data, when the receiving address does not meet the preset receiving address condition, the receiving address is marked as abnormal.
As a further improvement of the present application, after placing the suspicious label on the order, the method further includes: and (4) converting the order into manual checking, and blacking the user when the manual checking result is a malicious order.
In order to solve the above technical problem, another technical solution adopted by the present application is: the utility model provides an identification and processing apparatus of malicious order form, includes: the acquisition module is used for acquiring the IP address, the contact telephone, the receiving address and the behavior data when the user places an order; the prediction module is used for inputting the behavior data into a pre-trained behavior analysis prediction model to obtain the probability that the behavior data is abnormal behavior, and the behavior analysis prediction model is obtained by training according to historical malicious order data in a group user sample prepared in advance; the multidimensional analysis module is used for analyzing whether the IP address, the contact telephone and the receiving address are abnormal or not based on a preset rule when the probability exceeds a preset probability threshold; the first processing module is used for marking the order as a malicious order and blacking out the user when more than one dimension of the IP address, the contact telephone and the receiving address is abnormal; and the second processing module is used for marking the order with a suspicious label when the IP address, the contact telephone and the receiving address are normal.
In order to solve the above technical problem, the present application adopts another technical solution that: there is provided a computer device comprising a processor, a memory coupled to the processor, having stored therein program instructions which, when executed by the processor, cause the processor to carry out the steps of the method of identifying and processing malicious orders as defined in any of the above.
In order to solve the above technical problem, the present application adopts another technical solution that: there is provided a storage medium storing program instructions capable of implementing the malicious order identification and processing method. The beneficial effect of this application is: the method for identifying and processing the malicious order firstly predicts the abnormal probability of the behavior data when the user places the order by combining the behavior analysis prediction model with the behavior data which is easy to identify the abnormal operation, analyzes the order by three dimensions of an IP address, a contact telephone and a receiving address when the probability exceeds a preset probability threshold, and directly confirms whether the order is the abnormal order or not when the three dimensions are abnormal, thereby realizing the malicious order identification mode which mainly comprises the behavior data when the user places the order, takes the IP address, the contact telephone and the receiving address as the auxiliary, greatly improving the identification accuracy of the malicious order, and marking suspicious labels on the order when the three dimensions are not abnormal, facilitating the user to check and check the orders quickly, and finally realizing the blacking treatment of the user who has placed the malicious order, preventing its malicious disturbance.
Drawings
FIG. 1 is a flowchart illustrating a method for identifying and processing malicious orders according to a first embodiment of the present invention;
FIG. 2 is a functional block diagram of an apparatus for identifying and processing malicious orders according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a computer device according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a storage medium according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first", "second" and "third" in this application are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implying any indication of the number of technical features indicated. Thus, a feature defined as "first," "second," or "third" may explicitly or implicitly include at least one of the feature. In the description of the present application, "plurality" means at least two, e.g., two, three, etc., unless explicitly specifically limited otherwise. All directional indications (such as up, down, left, right, front, and rear … …) in the embodiments of the present application are only used to explain the relative positional relationship between the components, the movement, and the like in a specific posture (as shown in the drawings), and if the specific posture is changed, the directional indication is changed accordingly. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
Fig. 1 is a flowchart illustrating a method for identifying and processing a malicious order according to an embodiment of the present invention. It should be noted that the method of the present invention is not limited to the flow sequence shown in fig. 1 if the results are substantially the same. As shown in fig. 1, the method comprises the steps of:
step S101: and acquiring the IP address, the contact telephone, the receiving address and the behavior data when the user places the order.
Specifically, after the user places an order on the shopping platform, the platform records relevant data information of the order placed by the user, wherein the relevant data information comprises but is not limited to an IP address, a contact telephone, a receiving address and behavior data, and the behavior data comprises the quantity of order commodities, the order payment time, the order payment mode, the order refund operation and the like. It should be understood that, in general, the behavior data of the user when placing the order can greatly determine whether the operation of the user includes malicious orders, and therefore, in this embodiment, the behavior data of the user when placing the order is taken as the main determination standard, and the determination effect of the IP address, the contact phone, and the receiving address is relatively small, for example, the user may inadvertently fill in a wrong contact phone or a wrong address, but the user does not want to place a malicious order, and therefore, the determination based on the behavior data and the determination based on the IP address, the contact phone, and the receiving address are taken as secondary determination standards to comprehensively analyze the determination based on the behavior data and the determination based on the IP address, the contact phone, and the receiving address to determine whether the order is a malicious order. Step S102: and inputting the behavior data into a pre-trained behavior analysis prediction model to obtain the probability that the behavior data is abnormal behavior, wherein the behavior analysis prediction model is obtained by training according to historical malicious order data in a group user sample prepared in advance.
It should be noted that the behavior analysis prediction model is obtained by training according to historical malicious order data in a group user sample prepared in advance. Preferably, the behavior analysis prediction model is constructed based on a two-classification model, and the probability of abnormal behavior and the probability of normal behavior are obtained by analyzing the behavior data. The common binary classification model includes a logistic regression algorithm, a k-nearest neighbor algorithm, a decision tree algorithm, a support vector machine algorithm and a naive bayes algorithm, and the binary classification model of the embodiment is implemented based on any one of the algorithms, and the embodiment is not limited.
Further, analyzing the IP address based on a preset rule includes:
1.1, matching the IP address with historical IP addresses in historical order data of all users to determine the number of users who have placed orders by using the IP address.
And 1.2, when the number of the users exceeds the preset number of the users, marking the IP address as abnormal.
And 1.3, when the number of the users does not exceed the preset number of the users, resolving the hierarchical relation of the IP addresses and marking the IP addresses as abnormal when the IP addresses use the agents.
Specifically, when analyzing the IP address dimension, first obtaining historical order data of all users, obtaining historical IP addresses in the historical order data, and matching all the historical IP addresses with the current IP address, so as to find a target user corresponding to the historical IP address that is the same as the current IP address, it should be noted that the target user needs to place a certain number of orders at the IP address, and obtain the number of users of the target user from statistics. And when the number of the users does not exceed the preset number, further analyzing the IP addresses, analyzing the hierarchical relationship of the IP addresses and the physical addresses corresponding to the IP addresses, and analyzing whether the hierarchical relationship of the physical addresses is formal and reasonable or not, for example, if the users access the IP addresses abroad in the IP hierarchy at home, the behavior of issuing the order by the hackers in batches is very likely.
Further, analyzing the contact call based on the preset rule, comprising:
2.1, matching the contact telephone with the virtual number segment acquired from the operator in advance to confirm whether the contact telephone is a virtual number.
And 2.2, if yes, marking the dimension of the contact telephone as abnormal.
Specifically, the mobile phone number is used as a contact way when the user receives express delivery, and is a condition that the user can normally answer a call and give an order maliciously, the user can register an account number by using a virtual number to give an order, and the method is characterized in that the user can only receive short messages and cannot answer the call, and the virtual number can be identified by acquiring a virtual number section from an operator.
Furthermore, the phishing mobile phone number blacklist can be obtained through other wind control channels, and when the contact phone in the mobile phone number blacklist is used for ordering, the dimension abnormity of the contact phone can be considered.
It should be noted that, in some embodiments, the virtual dialing system may also be used to make a call to the contact phone directly, where if the contact phone is normally connected, the contact phone is normal, and if the contact phone cannot be connected, the contact phone is abnormal.
Further, analyzing the shipping address based on the preset rule, comprising:
and 3.1, judging whether the receiving address receives a historical normal order.
And 3.2, if not, according to the map data, when the receiving address does not meet the preset receiving address condition, marking the receiving address as abnormal.
It should be noted that the preset shipping address condition is preset, for example, the preset shipping address condition includes at least one of a cell address, an office building address, a factory address, and a warehouse address.
Specifically, after a receiving address is obtained, a historical receiving address in historical order information is inquired, so that whether the receiving address receives a normal order or not is confirmed, if yes, the dimension of the receiving address is considered to be normal, if not, the receiving address is a new address, whether the receiving address meets preset receiving address conditions or not is confirmed according to map data, for example, whether the address is a normal house address or an office address or not is confirmed, if yes, the receiving address is marked to be normal, and if not, the receiving address is marked to be abnormal. Step S103: and when the probability exceeds a preset probability threshold value, analyzing whether the IP address, the contact telephone and the receiving address are abnormal or not based on a preset rule. When the IP address, the contact telephone and the receiving address have more than one dimension abnormity, executing the step S104; when the IP address, the contact phone, and the shipping address are all normal, step S105 is performed.
Specifically, when the probability that the behavior data is abnormal exceeds a preset probability threshold, it indicates that the probability of a malicious order is high at present, and at this time, in order to increase the identification accuracy, further analysis and judgment are performed on an IP address, a contact phone number, and a receiving address of the order, so as to determine whether the order is a malicious order. When there is an anomaly of more than one dimension among the IP address, the contact phone, and the shipping address, the probability that the order is a malicious order is further increased, and therefore, step S104 is performed to mark the order as a malicious order. When the IP address, the contact phone number, and the receiving address are all normal, although the probability of a malicious order in the order is further improved, the possibility that the order is a potentially malicious order cannot be excluded, and therefore step S105 is performed to mark the order with a suspicious tag.
Further, in some embodiments, after step S102, the method further includes: and when the probability does not exceed a preset probability threshold value, analyzing whether the IP address, the contact telephone and the receiving address are abnormal or not based on a preset rule. When two or more dimensions of the IP address, the contact telephone and the receiving address are abnormal, executing the step S104; when there is a dimensional anomaly in the IP address, the contact phone, and the shipping address, step S105 is performed.
Specifically, when the probability does not exceed the preset probability threshold, although the probability of predicting an abnormal behavior from the behavior data of the user is low, the possibility that the order is a malicious order cannot be excluded. Therefore, the IP address, the contact phone number, and the receiving address are further determined, and when two or more dimensions of the IP address, the contact phone number, and the receiving address are abnormal, the dimension of the abnormality is too large, and therefore, the possibility that the order is a malicious order is high, and therefore, step S104 is performed to mark the order as a malicious order. When there is a dimensional abnormality in the IP address, the contact phone, and the shipping address, it is not possible to exclude the possibility that the order is a malicious order, and therefore step S105 is performed to tag the order with a suspicious tag.
In this embodiment, it should be understood that the order may be regarded as a normal order only when the probability of the abnormal behavior predicted according to the behavior data is lower than the preset probability threshold and the IP address, the contact phone, and the receiving address are all normal.
Step S104: mark the order as a malicious order and blacken out the user.
Step S105: the order is tagged with a suspicious label. Further, for some customer orders, if the order is a malicious order, the identification difficulty of the malicious order is high, the data in the historical orders may be used as a further reference to improve the identification accuracy of the malicious order, and therefore, in some embodiments, after step S105, the method further includes:
and 4.1, counting the number of orders which are marked with suspicious labels in all historical orders of the user.
It should be noted that all the order records of the user need to be saved.
And 4.2, when the order quantity exceeds the preset order quantity, marking the order as a malicious order, and adding the user to a preset blacklist.
Specifically, when a suspicious label is marked on an order currently placed by a user, all historical orders of the user are obtained, all historical orders marked with the suspicious label are screened out from all historical orders, the order quantity is counted, whether the order quantity exceeds a preset order quantity is judged, if yes, the user is proved to have placed suspicious orders for many times, and the possibility that the user may place a malicious order is high, so that the order currently placed by the user is marked as the malicious order, and the user is blacked.
Further, in order to improve the accuracy of malicious order identification, in some embodiments, after step S105, the method further includes: and (4) converting the order into manual checking, and blacking the user when the manual checking result is a malicious order.
Specifically, when the current order is identified as the order on which the suspicious label is placed, the order is manually checked, the rich work experience of the staff is used for judging, so that the potential malicious order in the suspicious order is identified, and when the manual check result is the malicious order, the user is blackened.
Further, in some embodiments, the step of marking the order as a malicious order and blacking out the user may further be:
and marking the order as a malicious order, and pulling the IP address, the contact telephone and the receiving address corresponding to the order into a corresponding blacklist.
And the IP address, the contact phone and the receiving address are all preset with corresponding blacklists and are used for recording the IP address, the contact phone and the receiving address of the malicious order. Therefore, after the order is received, the blacklist can be judged from the four dimensions of the ID information, the IP address, the contact telephone and the receiving address of the user, and when one item exists in the blacklist, the order is directly marked as a malicious order.
The method for identifying and processing the malicious order of the embodiment of the invention firstly predicts the abnormal probability of the behavior data when the user places the order by combining the behavior analysis prediction model with the behavior data which is easy to identify the abnormal operation, analyzes the order by three dimensions of the IP address, the contact telephone and the receiving address when the probability exceeds the preset probability threshold value, and directly confirms whether the order is the abnormal order or not when the three dimensions are abnormal, thereby realizing the malicious order identification mode which takes the behavior data of the user when placing the order as the main and takes the IP address, the contact telephone and the receiving address as the auxiliary, greatly improving the identification accuracy of the malicious order, and when the three dimensions are not abnormal, marking suspicious labels on the order, facilitating the user to check and check the orders quickly, and finally realizing the blacking treatment of the user who has placed the malicious order, preventing its malicious disturbance. Fig. 2 is a functional block diagram of a malicious order identification and processing apparatus according to an embodiment of the present invention. As shown in fig. 2, the malicious order identification and processing apparatus 50 includes an obtaining module 51, a predicting module 52, a multidimensional analyzing module 53, a first processing module 54, and a second processing module 55.
An obtaining module 51, configured to obtain an IP address, a contact phone number, a receiving address, and behavior data when a user places an order;
the prediction module 52 is configured to input the behavior data into a pre-trained behavior analysis prediction model to obtain a probability that the behavior data is an abnormal behavior, where the behavior analysis prediction model is obtained by training according to historical malicious order data in a group user sample prepared in advance;
a multidimensional analysis module 53, configured to analyze whether the IP address, the contact phone, and the receiving address are abnormal based on a preset rule when the probability exceeds a preset probability threshold;
the first processing module 54 is configured to mark the order as a malicious order and blacken the user when the IP address, the contact phone, and the receiving address have one or more dimension exceptions;
and the second processing module 55 is used for marking the order with a suspicious label when the IP address, the contact telephone and the receiving address are normal.
Optionally, after the predicting module 52 performs an operation of inputting the behavior data into a behavior analysis prediction model trained in advance to obtain a probability that the behavior data is an abnormal behavior, the multidimensional analysis module 53 is further configured to: when the probability does not exceed a preset probability threshold, analyzing whether the IP address, the contact telephone and the receiving address are abnormal or not based on a preset rule; the first processing module 54 is further configured to: when two or more dimensions of the IP address, the contact telephone and the receiving address are abnormal, the order is marked as a malicious order; the second processing module 55 is further configured to mark the order with a suspicious tag when there is a dimension anomaly in the IP address, the contact phone, and the receiving address.
Optionally, after the second processing module 55 performs the operation of tagging the order with the suspicious label, it is further configured to: counting the number of orders with suspicious labels in all historical orders of the user; and when the order quantity exceeds the preset order quantity, marking the order as a malicious order, and adding the user to a preset blacklist.
Optionally, the multidimensional analysis module 53 performs an operation of analyzing the IP address based on a preset rule, which specifically includes: matching the IP address with historical IP addresses in historical order data of all users to determine the number of users who have placed orders by using the IP address; when the number of the users exceeds the preset number of the users, the IP address is marked as abnormal; when the number of users does not exceed the preset number of users, the hierarchical relation of the IP address is analyzed, and when the IP address is confirmed to use the proxy, the IP address is marked as abnormal.
Optionally, the multidimensional analysis module 53 performs an operation of analyzing the contact call based on a preset rule, which specifically includes: matching the contact telephone with a virtual number segment acquired from an operator in advance to confirm whether the contact telephone is a virtual number or not; if so, the contact call is marked as abnormal.
Optionally, the multidimensional analysis module 53 performs an operation of analyzing the shipping address based on a preset rule, which specifically includes: judging whether the receiving address receives a historical normal order or not; if not, according to the map data, when the receiving address does not meet the preset receiving address condition, the receiving address is marked as abnormal.
Optionally, after the second processing module 55 performs the operation of tagging the order with the suspicious label, it is further configured to: and (4) converting the order into manual checking, and blacking the user when the manual checking result is a malicious order.
For other details of the technical solution implemented by each module in the identification and processing device for malicious orders in the above embodiments, reference may be made to the description of the identification and processing method for malicious orders in the above embodiments, and details are not repeated here.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a computer device according to an embodiment of the present invention. As shown in fig. 3, the computer device 60 includes a processor 61 and a memory 62 coupled to the processor 61, wherein the memory 62 stores program instructions, and the program instructions, when executed by the processor 61, cause the processor 61 to execute the steps of the method for identifying and processing malicious orders according to any of the embodiments described above.
The processor 61 may also be referred to as a CPU (Central Processing Unit). The processor 61 may be an integrated circuit chip having signal processing capabilities. The processor 61 may also be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a storage medium according to an embodiment of the invention. The storage medium of the embodiment of the present invention stores program instructions 71 capable of implementing all the methods described above, where the program instructions 71 may be stored in the storage medium in the form of a software product, and include several instructions to enable a computer device (which may be a personal computer, a server, or a network device) or a processor (processor) to execute all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, or computer equipment, such as a computer, a server, a mobile phone, and a tablet.
In the several embodiments provided in the present application, it should be understood that the disclosed computer apparatus, device and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit. The above embodiments are merely examples and are not intended to limit the scope of the present disclosure, and all modifications, equivalents, and flow charts using the contents of the specification and drawings of the present disclosure or those directly or indirectly applied to other related technical fields are intended to be included in the scope of the present disclosure.
Claims (10)
1. A method for identifying and processing a malicious order is characterized by comprising the following steps:
acquiring related data information of a user order, wherein the related data information comprises an IP address, a contact telephone, a receiving address and behavior data;
inputting the behavior data into a pre-trained behavior analysis prediction model to obtain the probability that the behavior data is abnormal behavior, wherein the behavior analysis prediction model is obtained by training according to historical malicious order data in a group user sample prepared in advance;
when the probability exceeds a preset probability threshold value, analyzing whether the IP address, the contact telephone and the receiving address are abnormal or not based on a preset rule;
when more than one dimension of the IP address, the contact telephone and the receiving address is abnormal, marking the order as a malicious order and blacking out the user;
and when the IP address, the contact telephone and the receiving address are normal, printing a suspicious label on the order.
2. The malicious order identification and processing method according to claim 1, wherein after obtaining the probability that the behavior data is an abnormal behavior, the method further comprises:
when the probability does not exceed the preset probability threshold, analyzing whether the IP address, the contact telephone and the receiving address are abnormal or not based on the preset rule;
when two or more dimensions of the IP address, the contact telephone and the receiving address are abnormal, marking the order as a malicious order and blacking out the user;
and when one dimension among the IP address, the contact telephone and the receiving address is abnormal, marking the order with a suspicious label.
3. The malicious order identification and processing method according to claim 1 or 2, wherein after the order is labeled with a suspicious tag, the method further comprises:
counting the number of orders with suspicious labels in all historical orders of the user;
and when the order quantity exceeds a preset order quantity, marking the order as a malicious order and blacking out the user.
4. The malicious order identification and processing method according to claim 1 or 2, wherein the analyzing the IP address based on the preset rule comprises:
matching the IP address with historical IP addresses in historical order data of all users to determine the number of users who have placed orders by using the IP address;
when the number of the users exceeds the preset number of the users, the IP address is marked as abnormal;
when the number of the users does not exceed the preset number of the users, analyzing the hierarchical relation of the IP address and marking the IP address as abnormal when confirming that the IP address uses the proxy.
5. The malicious order identification and processing method according to claim 1 or 2, wherein the analyzing the contact call based on the preset rule comprises:
matching the contact telephone with a virtual number segment acquired from an operator in advance to confirm whether the contact telephone is a virtual number or not;
if yes, the contact telephone is marked as abnormal.
6. The malicious order identification and processing method according to claim 1 or 2, wherein the analyzing the shipping address based on the preset rule comprises:
judging whether the receiving address receives a historical normal order or not;
if not, according to the map data, when the receiving address does not meet the preset receiving address condition, the receiving address is marked as abnormal.
7. The malicious order identification and processing method according to claim 1 or 2, wherein after the order is labeled with a suspicious tag, the method further comprises:
and converting the order into manual checking, and blacking the user when the manual checking result is a malicious order.
8. An apparatus for identifying and processing malicious orders, comprising:
the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring related data information of a user order, and the related data information comprises an IP address, a contact telephone, a receiving address and behavior data;
the prediction module is used for inputting the behavior data into a pre-trained behavior analysis prediction model to obtain the probability that the behavior data is abnormal behavior, and the behavior analysis prediction model is obtained by training according to historical malicious order data in a group user sample prepared in advance;
the multidimensional analysis module is used for analyzing whether the IP address, the contact telephone and the receiving address are abnormal or not based on a preset rule when the probability exceeds a preset probability threshold;
the first processing module is used for marking the order as a malicious order and blacking out the user when more than one dimension of the IP address, the contact telephone and the receiving address is abnormal;
and the second processing module is used for marking the order with a suspicious label when the IP address, the contact telephone and the receiving address are normal.
9. A computer device comprising a processor, a memory coupled to the processor, the memory having stored therein program instructions which, when executed by the processor, cause the processor to carry out the steps of the method of identifying and processing a malicious order according to any of claims 1 to 7.
10. A storage medium storing program instructions capable of implementing the method for identifying and processing malicious orders according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111525100.2A CN114331593A (en) | 2021-12-14 | 2021-12-14 | Malicious order identification and processing method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111525100.2A CN114331593A (en) | 2021-12-14 | 2021-12-14 | Malicious order identification and processing method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114331593A true CN114331593A (en) | 2022-04-12 |
Family
ID=81049856
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111525100.2A Pending CN114331593A (en) | 2021-12-14 | 2021-12-14 | Malicious order identification and processing method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114331593A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116934418A (en) * | 2023-06-15 | 2023-10-24 | 广州淘通科技股份有限公司 | Abnormal order detection and early warning method, system, equipment and storage medium |
-
2021
- 2021-12-14 CN CN202111525100.2A patent/CN114331593A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116934418A (en) * | 2023-06-15 | 2023-10-24 | 广州淘通科技股份有限公司 | Abnormal order detection and early warning method, system, equipment and storage medium |
| CN116934418B (en) * | 2023-06-15 | 2024-03-19 | 广州淘通科技股份有限公司 | Abnormal order detection and early warning method, system, equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108960691B (en) | Method and device for determining article stock for server system | |
| US9521104B2 (en) | Outgoing communications inventory | |
| CN110751497A (en) | Commodity replenishment method and device | |
| CN110874778A (en) | Abnormal order detection method and device | |
| US20140279291A1 (en) | Systems and methods for communicating to a computing device information associated with the replenishment status of a retail item | |
| CN111401777B (en) | Enterprise risk assessment method, enterprise risk assessment device, terminal equipment and storage medium | |
| CN101183307A (en) | Method and system for mapping gui widgets | |
| CN110807080A (en) | Commodity coding method and device | |
| CN109685421A (en) | A kind of commodity inventory control method, apparatus, storage medium and terminal | |
| CN114331593A (en) | Malicious order identification and processing method, device, equipment and storage medium | |
| CN114116802A (en) | Data processing method, device, equipment and storage medium of Flink computing framework | |
| CN110807050B (en) | Performance analysis method, device, computer equipment and storage medium | |
| CN108629467B (en) | Sample information processing method and system | |
| CN112131479A (en) | Data processing method, device, equipment and storage medium | |
| CN113837617A (en) | Anti-bill-swiping risk management method and device | |
| CN110955581A (en) | Online software abnormity warning method and device, electronic equipment and storage medium | |
| CN114723554B (en) | Abnormal account identification method and device | |
| CN110619546A (en) | Implementation scheme for solving high throughput of directional ticket issuing | |
| CN113793093B (en) | Track query display method, track query display equipment and readable storage medium | |
| CN113052604A (en) | Object detection method, device, equipment and storage medium | |
| CN108268775A (en) | A kind of Web leak detection methods, device, electronic equipment and storage medium | |
| CN114612113A (en) | Method and related device for creating clues | |
| CN111667208B (en) | Method, device, equipment and medium for controlling storage of articles | |
| CN113034076A (en) | Logistics carrying object recommendation method and device, electronic equipment and storage medium | |
| Wang et al. | A reliable cardinality estimation for missing tags over a noisy channel |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |