CN115082071A - Abnormal transaction account identification method and device and storage medium

Info

Publication number
CN115082071A
Authority
CN
China
Prior art keywords
transaction
account
merchant
seed
identifier
Prior art date
Legal status
Pending
Application number
CN202110281947.4A
Other languages
Chinese (zh)
Inventor
周鹏飞
孙功宇
杨泽
王海波
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00: Payment architectures, schemes or protocols
    • G06Q20/38: Payment protocols; Details thereof
    • G06Q20/40: Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401: Transaction verification
    • G06Q20/4016: Transaction verification involving fraud or risk level assessment in transaction processing
    • G06Q20/405: Establishing or using transaction specific rules

Abstract

The application discloses a method and a device for identifying an abnormal transaction account, and a storage medium. Transaction flow data of an information source is acquired; a merchant transaction vector corresponding to the transaction account is then determined according to the transaction flow data; the transaction accounts are divided to obtain a seed set and a candidate set; the similarity between the merchant transaction vector corresponding to the candidate account and the merchant transaction vector corresponding to the seed account is determined; and the candidate set is screened based on the result of comparing the similarity with a risk threshold to obtain an abnormal transaction account. This realizes a collaborative filtering process based on the seed set: because accounts in the seed set and accounts in the candidate set have similar transaction merchants, accounts similar to those in the seed set are determined by vectorizing the transaction merchants, which improves the coverage rate of account identification and ensures its accuracy.

Description

Abnormal transaction account identification method and device and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for identifying an abnormal transaction account, and a storage medium.
Background
With the change of consumption concepts and the development of online shopping, the use of credit cards is becoming more and more popular. Each cash withdrawal from a credit card at the bank incurs a handling fee (generally about 1%), whereas card-swipe consumption through a sales terminal (such as a POS machine) incurs only a merchant fee of about 0.4%. The resulting profit margin lets the black market (underground industry) profit from credit cards, and large-scale cash-out causes serious profit losses for banks.
Generally, accounts involved in a specific transaction operation can be identified based on statistical variables, that is, a fixed identification rule is formed to identify abnormal card-swiping behavior in the transaction link. For example, if the proportion of a card's transactions that are for integer amounts is higher than a certain threshold, the behavior can be judged to be cash-out.
However, account identification based on fixed rules has a low coverage rate: the fixed rules cannot cover all transaction accounts, and they are easily evaded by black-market operators, which affects the accuracy of identifying abnormal transaction accounts.
Disclosure of Invention
In view of this, the present application provides an identification method for an abnormal transaction account, which can effectively improve the accuracy of identifying the abnormal transaction account.
A first aspect of the present application provides a method for identifying an abnormal transaction account, which may be applied to a system or a program that includes an identification function of an abnormal transaction account in a terminal device, and specifically includes:
acquiring transaction flow data of a transaction information source to be identified, wherein the transaction flow data comprises a transaction relation between a transaction account and a merchant;
performing transaction behavior representation according to the transaction relationship between the transaction account and the merchant to determine a merchant transaction vector corresponding to the transaction account;
calling a target identifier contained in the transaction flow data to perform cluster identifier matching on the transaction accounts, so as to obtain a seed set and a candidate set based on identifier matching result division, wherein the seed set is a set of a plurality of seed accounts containing the target identifier, the candidate set is a set of a plurality of candidate accounts not containing the target identifier, and the target identifier is used for indicating an account of a target type;
respectively carrying out vector similarity analysis processing on the merchant transaction vectors corresponding to the candidate account and the seed account so as to determine the similarity between the merchant transaction vector corresponding to the candidate account and the merchant transaction vector corresponding to the seed account;
and performing risk judgment on the transaction accounts in the candidate set based on the comparison result of the similarity and a risk threshold value so as to obtain abnormal transaction accounts related to the target type in the transaction information source to be identified through screening.
Optionally, in some possible implementation manners of the present application, the performing transaction behavior representation according to the transaction relationship between the transaction account and the merchant to determine a merchant transaction vector corresponding to the transaction account includes:
traversing transaction behaviors indicated in a transaction relationship between the transaction account and a merchant to determine a merchant list and an account list in the transaction flow data;
if a transaction action exists between a transaction account in the account list and each merchant in the merchant list, determining that the position identifier of the transaction account is a first character;
if no transaction action exists between the transaction account in the account list and each merchant in the merchant list, determining that the position identifier of the transaction account is a second character;
and determining a merchant transaction vector corresponding to the transaction account according to the combination of the first character and the second character.
Optionally, in some possible implementations of the present application, the traversing transaction behaviors indicated in the transaction relationship between the transaction account and the merchant to determine the merchant list and the account list in the transaction flow data includes:
performing field matching based on input fields in the transaction flow data to sort to obtain a data form;
screening the data table to obtain processing data in response to the setting of a preset time period;
performing data retrieval on the processing data according to a preset field so as to perform standardized processing on the processing data to obtain a target table set for a preset item;
and determining the merchant list and the account list according to the target table.
Optionally, in some possible implementations of the present application, the determining the merchant list and the account list according to the target table includes:
determining a transaction merchant sequence according to the target table;
performing field matching based on input fields in the transaction flow data to obtain a data form through sorting;
and extracting the account identification item in the target table and carrying out account statistics to obtain the account list.
Optionally, in some possible implementations of the present application, the method further includes:
determining transaction object information corresponding to each merchant in the merchant list;
determining the popularity (heat) value of each merchant in the merchant list based on the transaction object information;
and performing threshold comparison on the merchants according to the popularity value so as to update the merchant list.
Optionally, in some possible implementations of the present application, the method further includes:
extracting transaction amount items in the target table;
acquiring a safety threshold set for a target type;
and screening out safe entries in the target table, based on the size relationship between the safety threshold and the transaction amount item, to update the target table.
Optionally, in some possible implementation manners of the present application, the calling a target identifier contained in the transaction flow data to perform cluster identifier matching on the transaction accounts, so as to obtain a seed set and a candidate set based on identifier matching result division, includes:
performing item recognition on the seed identification item in the transaction flow data to determine the seed identification item in the transaction flow data, wherein the seed identification item is obtained based on a historical record mark;
identifying the identifier in the seed identifier item to determine a transaction account containing the target identifier in an identification result, and dividing the transaction account containing the target identifier into the seed set;
and identifying the identifier in the seed identifier item to determine the transaction account not containing the target identifier in the identification result, and dividing the transaction account not containing the target identifier into the candidate set.
Optionally, in some possible implementations of the present application, the method further includes:
in response to an identifier setting operation being performed, performing identifier setting on a seed identification item to obtain the marked seed identification item;
inputting the marked seed identification item into a verification platform to verify the marked seed identification item;
and if the marked seed identification item passes the verification, updating the seed set and the candidate set.
Optionally, in some possible implementation manners of the present application, the performing vector similarity analysis on the merchant transaction vectors corresponding to the candidate account and the seed account to determine the similarity between the merchant transaction vector corresponding to the candidate account and the merchant transaction vector corresponding to the seed account includes:
calling a preset formula in response to the completion of the configuration of the seed set;
and sequentially pairing the merchant transaction vectors corresponding to the candidate accounts and the merchant transaction vectors corresponding to the seed accounts based on the preset formula so as to cross-calculate the objects obtained by pairing to obtain the similarity.
Optionally, in some possible implementations of the present application, the method further includes:
determining a user identifier corresponding to the candidate account;
performing account retrieval based on the user identification to obtain a plurality of associated accounts;
determining the similarity between the associated accounts and the accounts in the seed set;
and performing transaction risk marking based on the target type on the user identification according to the similarity between the associated accounts and the accounts in the seed set.
Optionally, in some possible implementations of the present application, the performing, according to the similarity between the associated account and the seed set account, a transaction risk tagging based on the target type on the user identifier includes:
determining a transaction occurrence time sequence corresponding to a plurality of the associated accounts;
determining a weighting parameter according to the transaction occurrence time sequence, and weighting the similarity between the associated account and the account in the seed set based on the weighting parameter to obtain a weighting result;
and performing transaction risk marking based on the target type on the user identification based on the weighting result.
Optionally, in some possible implementations of the present application, the transaction flow data is credit card transaction flow data of a bank, and the target type is an account with a risk of credit card cash-out.
A second aspect of the present application provides an apparatus for identifying an abnormal transaction account, including: an acquisition unit, configured to acquire transaction flow data of a transaction information source to be identified, wherein the transaction flow data comprises a transaction relation between a transaction account and a merchant;
the determining unit is used for performing transaction behavior representation according to the transaction relation between the transaction account and a merchant so as to determine a merchant transaction vector corresponding to the transaction account;
the dividing unit is used for calling a target identifier contained in the transaction flow data to perform cluster identifier matching on the transaction accounts so as to obtain a seed set and a candidate set based on identifier matching results, wherein the seed set is a set of a plurality of seed accounts containing the target identifier, the candidate set is a set of a plurality of candidate accounts not containing the target identifier, and the target identifier is used for indicating an account of a target type;
the determining unit is further configured to perform vector similarity analysis processing on the merchant transaction vectors corresponding to the candidate account and the seed account, so as to determine similarity between the merchant transaction vector corresponding to the candidate account and the merchant transaction vector corresponding to the seed account;
and the identification unit is used for carrying out risk judgment on the transaction accounts in the candidate set based on the comparison result of the similarity and a risk threshold value so as to obtain the abnormal transaction accounts related to the target type in the transaction information source to be identified through screening.
Optionally, in some possible implementations of the present application, the determining unit is specifically configured to traverse a transaction behavior indicated in a transaction relationship between the transaction account and a merchant, so as to determine a merchant list and an account list in the transaction flow data;
the determining unit is specifically configured to determine that the location identifier of the transaction account is a first character if a transaction action exists between the transaction account in the account list and each merchant in the merchant list;
the determining unit is specifically configured to determine that the location identifier of the transaction account is a second character if no transaction action exists between the transaction account in the account list and each merchant in the merchant list;
the determining unit is specifically configured to determine, according to the combination of the first character and the second character, a merchant transaction vector corresponding to the transaction account.
Optionally, in some possible implementation manners of the present application, the determining unit is specifically configured to perform field matching based on an input field in the transaction flow data to sort and obtain a data form;
the determining unit is specifically configured to filter the processing data from the data table in response to setting of a preset time period;
the determining unit is specifically configured to perform data retrieval on the processing data according to a preset field, so as to perform standardization processing on the processing data to obtain a target table set for a preset item;
the determining unit is specifically configured to determine the merchant list and the account list according to the target table.
Optionally, in some possible implementations of the present application, the determining unit is specifically configured to determine a transaction merchant sequence according to the target table;
the determining unit is specifically configured to perform field matching based on an input field in the transaction flow data to sort and obtain a data table;
the determining unit is specifically configured to extract the account identification item in the target table and perform account statistics to obtain the account list.
Optionally, in some possible implementation manners of the present application, the determining unit is specifically configured to determine transaction object information corresponding to each merchant in the merchant list;
the determining unit is specifically configured to determine a popularity value of each merchant in the merchant list based on the transaction object information;
the determining unit is specifically configured to perform threshold comparison on the merchants according to the popularity value so as to update the merchant list.
Optionally, in some possible implementations of the present application, the determining unit is specifically configured to extract a transaction amount item in the target table;
the determining unit is specifically configured to acquire a safety threshold set for a target type;
the determining unit is specifically configured to screen out the secure entry in the target table based on a size relationship between the security threshold and the transaction amount item, so as to update the target table.
Optionally, in some possible implementation manners of the present application, the dividing unit is specifically configured to perform item identification on a seed identification item in the transaction flow data to determine the seed identification item in the transaction flow data, where the seed identification item is obtained based on a history mark;
the dividing unit is specifically configured to identify an identifier in the seed identifier item, to determine a transaction account including the target identifier in an identification result, and to divide the transaction account including the target identifier into the seed set;
the dividing unit is specifically configured to identify an identifier in the seed identifier item, to determine a transaction account that does not include the target identifier in the identification result, and to divide the transaction account that does not include the target identifier into the candidate set.
Optionally, in some possible implementation manners of the present application, the dividing unit is specifically configured to perform identifier setting on a seed identifier item in response to performing an identifier setting operation, so as to obtain the marked seed identifier item;
the dividing unit is specifically configured to input the marked seed identification item into a verification platform to verify the marked seed identification item;
the dividing unit is specifically configured to update the seed set and the candidate set if the marked seed identification item passes the verification.
Optionally, in some possible implementation manners of the present application, the determining unit is specifically configured to invoke a preset formula in response to completion of configuration of the seed set;
the determining unit is specifically configured to pair the merchant transaction vectors corresponding to the candidate accounts and the merchant transaction vectors corresponding to the seed accounts in sequence based on the preset formula, so as to perform cross calculation on objects obtained by the pairing to obtain the similarity.
Optionally, in some possible implementation manners of the present application, the identifying unit is specifically configured to determine a user identifier corresponding to the candidate account;
the identification unit is specifically configured to perform account retrieval based on the user identifier to obtain a plurality of associated accounts;
the identification unit is specifically configured to determine similarity between the associated account and the account in the seed set;
the identification unit is specifically configured to perform the target-type-based transaction risk tagging on the user identifier according to the similarity between the associated account and the account in the seed set.
Optionally, in some possible implementations of the present application, the identification unit is specifically configured to determine a transaction occurrence time sequence corresponding to a plurality of the associated accounts;
the identification unit is specifically configured to determine a weighting parameter according to the transaction occurrence timing sequence, so as to weight the similarity between the associated account and the account in the seed set based on the weighting parameter to obtain a weighting result;
the identification unit is specifically configured to perform the target-type-based transaction risk tagging on the user identifier based on the weighting result.
A third aspect of the present application provides a computer device comprising: a memory, a processor, and a bus system; the memory is used for storing program code; the processor is configured to execute, according to instructions in the program code, the method for identifying an abnormal transaction account according to the first aspect or any implementation of the first aspect.
A fourth aspect of the present application provides a computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to execute the method for identifying an abnormal transaction account according to the first aspect or any implementation of the first aspect.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method for identifying an anomalous transaction account provided in the first aspect or the various alternative implementations of the first aspect.
According to the technical scheme, the embodiment of the application has the following advantages:
acquiring transaction flow data of a transaction information source to be identified; then, transaction behavior representation is carried out according to the transaction relation between the transaction account and the merchant so as to determine a merchant transaction vector corresponding to the transaction account; calling a target identifier contained in the transaction flow data to perform cluster identifier matching on the transaction accounts, and dividing based on an identifier matching result to obtain a seed set and a candidate set, wherein the seed set is a set of a plurality of seed accounts containing the target identifier, the candidate set is a set of a plurality of candidate accounts not containing the target identifier, and the target identifier is used for indicating an account of a target type; further determining the similarity between the merchant transaction vector corresponding to the candidate account and the merchant transaction vector corresponding to the seed account; and then carrying out risk judgment on the transaction accounts in the candidate set based on the comparison result of the similarity and the risk threshold value so as to obtain abnormal transaction accounts related to the target type in the transaction information source to be identified in a screening mode. Therefore, the collaborative filtering process based on the seed set is realized, and as the accounts in the seed set and the accounts in the candidate set have similar transaction merchants, the accounts similar to the accounts in the seed set are determined by vectorizing the transaction merchants, so that the coverage rate of account identification is improved, and the accuracy of account identification is ensured.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a network architecture diagram of the operation of an identification system for abnormal transaction accounts;
FIG. 2 is a block diagram illustrating an exemplary process for identifying abnormal transaction accounts according to an embodiment of the present application;
FIG. 3 is a flowchart of an identification method for an abnormal transaction account according to an embodiment of the present application;
FIG. 4 is a schematic view of a scenario of an identification method for an abnormal transaction account according to an embodiment of the present application;
FIG. 5 is a flowchart of another method for identifying an abnormal transaction account according to an embodiment of the present application;
FIG. 6 is a schematic view of another scenario of an abnormal transaction account identification method according to an embodiment of the present application;
FIG. 7 is a flowchart of another abnormal transaction account identification method according to an embodiment of the present application;
FIG. 8 is a schematic view of another scenario of an abnormal transaction account identification method according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of an apparatus for identifying an abnormal transaction account according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a terminal device according to an embodiment of the present application;
FIG. 11 is a schematic structural diagram of a server according to an embodiment of the present application;
FIG. 12A shows a data sharing system according to an embodiment of the present application;
FIG. 12B shows a blockchain composition according to an embodiment of the present application;
FIG. 12C is a schematic diagram of input information of a blockchain node according to an embodiment of the present application.
Detailed Description
The embodiment of the application provides an identification method of an abnormal transaction account and a related device, which can be applied to a system or a program in terminal equipment that includes an abnormal transaction account identification function. Transaction flow data of a transaction information source to be identified is obtained; transaction behavior representation is then carried out according to the transaction relation between the transaction account and the merchant so as to determine a merchant transaction vector corresponding to the transaction account; a target identifier contained in the transaction flow data is called to perform cluster identifier matching on the transaction accounts, and a seed set and a candidate set are obtained by division based on the identifier matching result, wherein the seed set is a set of a plurality of seed accounts containing the target identifier, the candidate set is a set of a plurality of candidate accounts not containing the target identifier, and the target identifier is used for indicating an account of a target type; the similarity between the merchant transaction vector corresponding to the candidate account and the merchant transaction vector corresponding to the seed account is further determined; and risk judgment is then performed on the transaction accounts in the candidate set based on the result of comparing the similarity with the risk threshold, so as to screen out the abnormal transaction accounts related to the target type in the transaction information source to be identified.
Therefore, the collaborative filtering process based on the seed set is realized, and as the accounts in the seed set and the accounts in the candidate set have similar transaction merchants, the accounts similar to the accounts in the seed set are determined by vectorizing the transaction merchants, so that the coverage rate of account identification is improved, and the accuracy of account identification is ensured.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "corresponding" and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms that may appear in the embodiments of the present application are explained.
Cash-out: the cardholder does not withdraw cash through the normal legal procedures (ATM or counter) but converts the funds in the card's credit line into cash by other means, without paying the bank's cash withdrawal fee.
Long-tail cash-out individuals: sporadic but numerous cash-out individuals distributed in the transaction data, whose cash-out behavior is generally difficult to identify.
Collaborative filtering: using common transaction characteristics to recommend transaction information of the type corresponding to those characteristics.
It should be understood that the method for identifying abnormal transaction accounts provided by the present application may be applied to a system or program in a terminal device that includes a function for identifying abnormal transaction accounts, such as a financial security platform. Specifically, the identification system may operate in the network architecture shown in fig. 1, which is a network architecture diagram of the operation of the identification system. As can be seen from the figure, the system can provide identification of abnormal transaction accounts for multiple information sources: transaction operations on the terminal side are aggregated in a server to obtain transaction flow data, and the server performs account identification on that data to obtain accounts of the target type. It can be understood that fig. 1 shows several kinds of terminal devices, which may be computer devices; in an actual scenario, more or fewer types of terminal devices may take part in the identification process, and the specific number and types depend on the actual scenario and are not limited here. In addition, fig. 1 shows one server, but in an actual scenario multiple servers may participate, and the specific number of servers depends on the actual scenario.
In this embodiment, the server may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN, and big data and artificial intelligence platforms. The terminal may be, but is not limited to, a smart phone, a tablet computer, a laptop computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be connected directly or indirectly through wired or wireless communication, and the terminal and the server may be connected to form a blockchain network, which is not limited here.
It can be understood that the above system for identifying abnormal transaction accounts may run on a personal mobile terminal, for example as a financial security platform application; it may also run on a server, or on a third-party device, to provide identification of abnormal transaction accounts and obtain the identification result for the information source. The identification system may run on these devices as a program, as a system component, or as one of several cloud service programs; the specific operation mode depends on the actual scenario and is not limited here.
With changing consumption habits and the growth of online shopping, credit cards are becoming more and more widely used. Each cash withdrawal from a bank with a credit card incurs a fee (generally about 1%), whereas card-swiping consumption through a sales terminal (such as a POS machine) only incurs a merchant fee of about 0.4%. The profit margin this creates has allowed the black-market industry to feed on credit cards, and large-scale cash-out causes serious profit losses for banks.
Generally, identification methods are based on Artificial Intelligence (AI), which is the theory, methods, techniques, and application systems that use a digital computer or a machine controlled by a digital computer to simulate, extend, and expand human intelligence, sense the environment, acquire knowledge, and use that knowledge to obtain the best result. In other words, artificial intelligence is a comprehensive technique of computer science that attempts to understand the essence of intelligence and produce a new kind of intelligent machine that can react in a manner similar to human intelligence. Artificial intelligence studies the design principles and implementation methods of various intelligent machines, so that the machines have the functions of perception, reasoning, and decision making.
Artificial intelligence is a comprehensive discipline that covers a wide range of fields, including both hardware-level and software-level technologies. The artificial intelligence infrastructure generally includes technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing, operation/interaction systems, and mechatronics. Artificial intelligence software technology mainly includes computer vision, speech processing, natural language processing, and machine learning/deep learning.
Specifically, account identification based on artificial intelligence, that is, the identification of accounts that contain a specific transaction operation, may be performed based on statistical variables: fixed identification rules are formed to identify abnormal card-swiping behavior in the transaction process. For example, if the proportion of integer-amount transactions on the same card is higher than a certain threshold, the behavior can be judged to be cash-out.
However, account identification based on fixed rules has low coverage: the rules cannot cover all transaction accounts, are easily evaded by black-market operators, and therefore reduce the accuracy of abnormal transaction account identification.
To solve the above problems, the present application provides a method for identifying abnormal transaction accounts, which is applied to the identification flow framework shown in fig. 2, a flow framework diagram for identifying abnormal transaction accounts provided in an embodiment of the present application. A user performs a transaction operation through a terminal, which generates a corresponding transaction flow record in a server; the server may be a credit card data server in a bank. Based on the bank's credit card transaction flow data and the idea of collaborative filtering recommendation, a merchant transaction vector is constructed for each account (a user or a bank card) and the accounts are marked; cash-out accounts are then identified from the candidate set by calculating the account vector similarity between the candidate set and the seed set, so as to combat credit card cash-out behavior.
It can be understood that the method provided by the present application may be written as a program that serves as processing logic in a hardware system, or may be implemented as a device for identifying abnormal transaction accounts, with the processing logic implemented in an integrated or external manner. As one implementation, the identification device acquires transaction flow data of the transaction information source to be identified; transaction behavior is then represented according to the transaction relationship between each transaction account and the merchants, so as to determine the merchant transaction vector corresponding to the transaction account; the target identifier contained in the transaction flow data is used to perform cluster identifier matching on the transaction accounts, and the accounts are divided into a seed set and a candidate set based on the matching result, where the seed set is a set of seed accounts that contain the target identifier, the candidate set is a set of candidate accounts that do not contain the target identifier, and the target identifier indicates an account of the target type; the similarity between the merchant transaction vector of a candidate account and the merchant transaction vector of a seed account is then determined; and risk judgment is performed on the transaction accounts in the candidate set by comparing the similarity with a risk threshold, so as to screen out the abnormal transaction accounts related to the target type in the transaction information source to be identified.
Therefore, the collaborative filtering process based on the seed set is realized, and as the accounts in the seed set and the accounts in the candidate set have similar transaction merchants, the accounts similar to the accounts in the seed set are determined by vectorizing the transaction merchants, so that the coverage rate of account identification is improved, and the accuracy of account identification is ensured.
With reference to the above flow architecture, the method for identifying abnormal transaction accounts in the present application is described below. Please refer to fig. 3, which is a flowchart of a method for identifying abnormal transaction accounts according to an embodiment of the present application. The method may be executed by a terminal, by a server, or by both, and the embodiment includes at least the following steps:
301. Acquire transaction flow data of the transaction information source to be identified.
In this embodiment, the transaction information source to be identified may be an information source with a financial information management function, such as a bank or an online payment platform. That is, the transaction flow data may be a bank's credit card transaction flow data, or data held by another party with a financial statistics function, for example third-party payment platform transaction data.
In addition, this embodiment identifies whether an account is of the target type, where the target type may be an account with a credit card cash-out risk, or another account associated with relevant transaction characteristics, such as a money laundering account. The identification of accounts with a credit card cash-out risk is used here as an example and is not limiting.
302. Perform transaction behavior representation according to the transaction relationship between the transaction account and the merchants to determine the merchant transaction vector corresponding to the transaction account.
In this embodiment, the transaction flow data includes the transaction accounts and the corresponding merchants, and records the account number, amount, time, and other elements of each transaction between a transaction account and a merchant. The transaction relationship is whether a transaction has taken place between the transaction account and the merchant, that is, whether a transaction behavior exists; this is used to determine the merchant transaction vector corresponding to the transaction account.
Specifically, to determine the merchant transaction vector corresponding to a transaction account, the merchant list and the account list in the transaction flow data are determined first. If a transaction behavior exists between a transaction account in the account list and a merchant in the merchant list, the corresponding position identifier of the transaction account is set to a first character (for example, 1); if no transaction behavior exists between the transaction account and the merchant, the corresponding position identifier of the transaction account is set to a second character (for example, 0). The merchant transaction vector corresponding to the transaction account is then determined from the combination of first and second characters.
In one possible scenario, as shown in fig. 4, which is a schematic view of a scenario of the method for identifying abnormal transaction accounts according to an embodiment of the present application, account 1 (C1), account 2 (C2), and account 3 (C3) are shown. Account 1 (C1) has transaction behavior with merchant 2 (m2), merchant 3 (m3), and merchant 4 (m4), so the position identifiers corresponding to m2, m3, and m4 are 1 (first character); it has no transaction behavior with m1, so the position identifier corresponding to m1 is 0 (second character). The merchant transaction vector for account 1 (C1) is therefore characterized as:
Figure BDA0002979000480000141
Additionally, the merchant transaction vectors for account 2 (C2) and account 3 (C3) are characterized as:
Figure BDA0002979000480000151
Determining the merchant transaction vector corresponding to each transaction account captures the association between accounts and merchants in the transaction dimension, which facilitates the subsequent collaborative filtering process.
It can be understood that the forms of the first character and the second character in the above embodiments are merely examples, and the specific character representation depends on the actual scenario.
Optionally, because the input is the bank's raw transaction flow, whose data format is not standardized, a standardization process is required so that the data can be processed quickly. First, the data is sorted based on the input fields in the transaction flow data to obtain a data table; then, in response to the setting of a preset time period (for example, the last 3 months), the data to be processed is screened from the data table; standardization is performed on that data to obtain a target table for the preset items; and the merchant list and the account list are determined according to the target table.
In one possible scenario, the data table contains fields as shown in Table 1.
TABLE 1 original input data field
Figure BDA0002979000480000152
Then, based on the transaction time, the data of K months (the preset time period) is screened out and its format is standardized to obtain Table 2 (the target table), which improves the efficiency of data extraction.
TABLE 2 standardized Format field
Figure BDA0002979000480000153
Optionally, in the transaction flow the same merchant may be involved in transactions with multiple parties, in which case it only needs to be counted once. That is, to determine the merchant list (the process of constructing the merchant dictionary), the transaction merchant sequence is first determined according to the target table; the merchants in the transaction merchant sequence are then de-duplicated to obtain the merchant list, which reduces the amount of data to be processed.
Optionally, to further reduce the amount of data to be processed, the data of merchants that can be judged to be normal may be removed. That is, the transaction object information corresponding to each merchant in the merchant list is determined first; the popularity value of each merchant in the merchant list is then determined based on the transaction object information; and the merchants are screened according to the popularity value so as to update the merchant list.
In one possible scenario, the popularity value of a merchant expresses the number of transactions that have occurred, and merchants can be classified as low-popularity or high-popularity based on this value. Low-popularity merchants can be removed, that is, merchants with transactions from only one credit card, which are long-tail merchants with no intersection; high-popularity merchants can also be removed, that is, merchants with transactions from N credit cards, which are normal merchants. This reduces the amount of data to be processed and improves identification efficiency.
Optionally, small-amount records in the transaction flow data can be removed. That is, the transaction amount item in the target table is extracted first; a safety threshold set for the target type is then obtained; and the safe entries in the target table are screened out based on the relationship between the safety threshold and the transaction amount items, so as to update the target table. In other words, flow records with a transaction amount of less than M yuan are removed. For example, transaction flow with an amount within 100 yuan has a low degree of maliciousness but an extremely large volume, so removing it directly greatly reduces the amount of calculation.
It can be understood that the objects to be removed may be flow records below a safety threshold, such as less than 100 yuan; flow records above a safety threshold, such as those of real estate transaction centers, which often involve large transactions; or flow records within a certain range. The specific screening mode depends on the actual scenario.
303. Use the target identifier contained in the transaction flow data to perform cluster identifier matching on the transaction accounts, and divide them into a seed set and a candidate set based on the identifier matching result.
In this embodiment, the seed set is a set of seed accounts that contain the target identifier, the candidate set is a set of candidate accounts that do not contain the target identifier, and the target identifier indicates an account of the target type. A seed account is an account marked as currently exhibiting cash-out behavior or as having cash-out behavior in its history. The accounts in the candidate set are collaboratively filtered through the transaction network between the seed accounts and the merchants, so as to determine the accounts similar to the seed accounts.
Specifically, to divide the accounts into the candidate set and the seed set, the seed identification item in the transaction flow data is located first, where the seed identification item is obtained based on historical marking. The identifiers in the seed identification item are then examined: transaction accounts that contain the target identifier are placed in the seed set, and transaction accounts that do not contain the target identifier are placed in the candidate set.
In one possible scenario, the target table shown in Table 2 contains an F4 (cash-out seed identification) entry, so the users (cards) are divided into a cash-out seed set and a candidate set based on the cash-out seed identification field.
Specifically, as shown in Table 3, the accounts are divided into a seed set and a candidate set.
TABLE 3 Transaction account partitioning
Account | Cash-out identifier | Category
C1 | 0 | Candidate set
C2 | 1 | Seed set
C3 | 0 | Candidate set
Optionally, the cash-out identifier may also be marked manually in real time. For example, cash-out account information is received in real time and an identifier setting operation is performed on the corresponding account; that is, the seed identification item is marked in response to the identifier setting operation. The marked seed identification item is then input into a verification platform for verification; if it passes verification, the seed set and the candidate set are updated, which achieves real-time division and ensures the accuracy of the seed set.
304. Perform vector similarity analysis on the merchant transaction vectors corresponding to the candidate accounts and the seed accounts, respectively, to determine the similarity between the merchant transaction vector corresponding to a candidate account and the merchant transaction vector corresponding to a seed account.
In this embodiment, the similarity may be calculated with a preset formula, which may be the cosine similarity formula. That is, the preset formula is invoked in response to the completion of the configuration of the seed set; the merchant transaction vectors corresponding to the candidate accounts are then paired in turn with the merchant transaction vectors corresponding to the seed accounts, and the paired vectors are cross-calculated with the preset formula to obtain the similarity.
Specifically, the cosine similarity formula is as follows:
Figure BDA0002979000480000181
where A represents the merchant transaction vector corresponding to the candidate account, and B represents the merchant transaction vector corresponding to the seed account.
In the scenario shown in fig. 4, based on the seed set and candidate set divided in Table 3, the similarity between C1 and C2 is calculated as follows:
Figure BDA0002979000480000182
Correspondingly, the results of the similarity calculation are shown in Table 4.
TABLE 4 Account similarity calculation results between seed set and candidate set
Figure BDA0002979000480000183
305. Perform risk judgment on the transaction accounts in the candidate set by comparing the similarity with a risk threshold, so as to screen out the abnormal transaction accounts related to the target type in the transaction information source to be identified.
In this embodiment, the risk threshold is a similarity threshold that corresponds to the target type. For example, based on the similarity results in Table 4, cash-out risk users (cards) are screened out using an empirical threshold: if 0.6 is selected as the similarity threshold for risk determination, only C1 is determined to be a cash-out risk in the case of Table 4. C1 is therefore output as an identified cash-out individual, that is, C1 is an abnormal transaction account.
Through this comparison process, the candidate accounts in the candidate set are evaluated in turn to obtain the output of cash-out individuals, that is, the abnormal transaction accounts related to the target type in the transaction information source to be identified.
In one possible scenario, if the seed set contains a plurality of seed accounts, the similarity between the candidate account and each seed account is calculated separately and the average is taken. Using a plurality of seed accounts further improves the coverage of the identification features and thus ensures the accuracy of the cash-out individuals that are output.
In summary, in the above embodiment, transaction flow data of the transaction information source to be identified is acquired; transaction behavior is then represented according to the transaction relationship between each transaction account and the merchants, so as to determine the merchant transaction vector corresponding to the transaction account; the target identifier contained in the transaction flow data is used to perform cluster identifier matching on the transaction accounts, and the accounts are divided into a seed set and a candidate set based on the matching result, where the seed set is a set of seed accounts that contain the target identifier, the candidate set is a set of candidate accounts that do not contain the target identifier, and the target identifier indicates an account of the target type; the similarity between the merchant transaction vector of a candidate account and the merchant transaction vector of a seed account is then determined; and risk judgment is performed on the transaction accounts in the candidate set by comparing the similarity with a risk threshold, so as to screen out the abnormal transaction accounts related to the target type in the transaction information source to be identified. This realizes a collaborative filtering process based on the seed set. Because accounts in the seed set and accounts in the candidate set share similar transaction merchants, vectorizing the transaction merchants makes it possible to determine the accounts similar to those in the seed set, which improves the coverage of account identification while ensuring its accuracy.
The process of identifying abnormal transaction accounts in the present application is described below with reference to a credit card transaction identification scenario. Referring to fig. 5, which is a flowchart of another method for identifying abnormal transaction accounts according to an embodiment of the present application, the embodiment includes at least the following steps:
501. Retrieve the credit card transaction flow and standardize the credit card transaction flow format.
In this embodiment, the credit card transaction flow may come from a bank database, from the database of an internet payment platform, or from a combination of the two; the specific source depends on the actual scenario.
In addition, standardizing the credit card transaction flow format may retain only the card number, merchant name, transaction time, and cash-out seed identification items in the credit card transaction flow, which makes the data easier to retrieve.
502. Prune the transaction merchants involved in the credit card transaction flow based on the merchant pruning rules.
In this embodiment, the merchant pruning rules may be set based on the popularity value of the merchant. For example, low-popularity merchants may be removed, that is, merchants with transactions from only one credit card, which are long-tail merchants with no intersection; high-popularity merchants may also be removed, that is, merchants with transactions from N credit cards, which are normal merchants. This reduces the amount of data to be processed and improves identification efficiency.
503. Prune the transaction records involved in the credit card transaction flow based on the flow pruning rules.
In this embodiment, the flow pruning rules may be set for different transaction scenarios. For example, for a daily transaction scenario, the rule may be to screen out flow records with a transaction amount within 100 yuan; that is, such records are normal transaction operations, and cash-out is unlikely to be carried out within this value range.
In addition, for a bulk commodity transaction scenario, the flow pruning rule may be to screen out flow records whose transaction amount falls within an amount range, for example 1000 to 10000 yuan, because the transaction value of a specific commodity falls within a known range.
504. Construct a merchant dictionary according to the pruned credit card transaction flow.
In this embodiment, the merchant dictionary is the merchant list; in one possible scenario, it is obtained by de-duplicating the pruned merchants. For example, 3 cardholders have the transaction relationships with merchants shown in fig. 4; assuming there are only these 3 cardholders, the merchant dictionary obtained after merchant de-duplication is:
Figure BDA0002979000480000201
505. Determine the account set, and establish the merchant transaction vector corresponding to each account according to the merchant dictionary.
In this embodiment, the merchant transaction vector may be determined as follows: if the transaction account has transaction behavior with merchant A in the merchant dictionary, the position identifier corresponding to merchant A is 1; otherwise, it is 0.
In the scenario shown in fig. 4, account 1 (C1) has transaction behavior with merchant 2 (m2), merchant 3 (m3), and merchant 4 (m4), so the position identifiers corresponding to m2, m3, and m4 are 1 (first character); it has no transaction behavior with m1, so the position identifier corresponding to m1 is 0 (second character). The merchant transaction vector for account 1 (C1) is therefore characterized as:
Figure BDA0002979000480000202
Additionally, the merchant transaction vectors for account 2 (C2) and account 3 (C3) are characterized as:
Figure BDA0002979000480000203
506. Divide the account set to obtain a seed set and a candidate set.
In this embodiment, the account set may be divided based on the cash-out identifier in the format-standardized transaction flow: a transaction account whose cash-out identifier is 1 belongs to the seed set, and a transaction account whose cash-out identifier is 0 belongs to the candidate set.
507. Perform cross calculation between each account in the seed set and each account in the candidate set to obtain the similarity results.
In this embodiment, the cross calculation may be a cosine similarity calculation. For the vector representation result in step 506, the similarity between account 1 (C1) and account 2 (C2) is calculated as follows:
Figure BDA0002979000480000211
508. Judging the cash-out risk according to the similarity result, and outputting the risk accounts.
In this embodiment, an account whose similarity is greater than the risk threshold is determined to be a risk account. For example, if the risk threshold is 0.6, the similarity of 0.667 for account 1 is greater than 0.6, so account 1 is marked as a risk account.
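The following Python sketch is an added example, not code from the patent; it runs the steps above (merchant dictionary, binary merchant vectors, seed/candidate split, cosine similarity, 0.6 threshold) end to end. The merchants of C1 follow the text; the merchants of C2 and C3, the record layout and the rule of keeping each candidate's highest similarity over all seeds are assumptions, since the figures that held those values are missing from the page.

```python
from math import sqrt

# Constructed, format-standardised transaction flow: (account, merchant, cash_out_flag).
# C1 trades with m2, m3, m4 as in the text. C2 and C3 are ASSUMED values chosen so
# that C1 vs C2 reproduces the 0.667 similarity quoted in the text.
TRANSACTIONS = [
    ("C1", "m2", 0), ("C1", "m3", 0), ("C1", "m4", 0), ("C1", "m2", 0),
    ("C2", "m1", 1), ("C2", "m2", 1), ("C2", "m3", 1),
    ("C3", "m1", 0),
]
RISK_THRESHOLD = 0.6  # threshold used in the text's example


def build_merchant_dictionary(transactions):
    """Deduplicate merchants; sorting fixes each merchant's vector position."""
    return sorted({merchant for _, merchant, _ in transactions})


def build_vectors(transactions, merchants):
    """Binary vector per account: 1 if the account traded with that merchant, else 0."""
    position = {m: i for i, m in enumerate(merchants)}
    vectors = {}
    for account, merchant, _ in transactions:
        vec = vectors.setdefault(account, [0] * len(merchants))
        vec[position[merchant]] = 1  # repeat transactions do not change the bit
    return vectors


def split_accounts(transactions):
    """Accounts carrying cash-out flag 1 form the seed set; all others are candidates."""
    seeds = {a for a, _, flag in transactions if flag == 1}
    candidates = {a for a, _, _ in transactions} - seeds
    return seeds, candidates


def cosine(u, v):
    """Cosine similarity; returns 0.0 for an all-zero vector instead of dividing by zero."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = sqrt(sum(a * a for a in u)) * sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0


def score_candidates(transactions, threshold=RISK_THRESHOLD):
    """Cross-calculate every candidate against every seed and apply the risk threshold."""
    merchants = build_merchant_dictionary(transactions)
    vectors = build_vectors(transactions, merchants)
    seeds, candidates = split_accounts(transactions)
    results = {}
    for cand in sorted(candidates):
        best_seed, best = None, 0.0
        for seed in sorted(seeds):
            sim = cosine(vectors[cand], vectors[seed])
            if sim > best:  # assumption: keep the closest seed account
                best_seed, best = seed, sim
        results[cand] = {
            "similarity": round(best, 3),
            "seed": best_seed,
            "risk": best > threshold,
        }
    return results


if __name__ == "__main__":
    for account, result in score_candidates(TRANSACTIONS).items():
        print(account, result)
```

With no seed accounts in the input, every candidate scores 0.0 and nothing is flagged, so the output is only as good as the historical cash-out marks it starts from.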
In the embodiment shown in fig. 5, the steps may be divided among different functional modules, for example as in the scenario shown in fig. 6. Fig. 6 is a schematic view of another scenario of a method for identifying an abnormal transaction account according to the embodiment of the present application. The figure shows that the data server of the bank transmits transaction flow data to the risk control server periodically (for example, every month). The risk control server comprises an input preprocessing module, a user vector construction module, a user similarity calculation module and a risk output module, whose functions are shown in table 5; the risk control server then outputs the cash-out accounts identified from the current transaction flow data.
TABLE 5 Module structure of the risk control server and corresponding functions
Figure BDA0002979000480000212
Based on the method, long-tail cash-out individuals that are difficult to identify with bank expert rules can additionally be identified, the coverage rate of credit card cash-out identification is improved, and the cost for black-market operators of bypassing the risk control strategy is raised.
The above embodiments describe the identification process in the transaction account dimension. However, an account generally corresponds to a user, and one user may hold multiple accounts, so a further cash-out behavior judgment can be performed on the associated accounts. This scenario is explained below. Referring to fig. 7, fig. 7 is a flowchart of another abnormal transaction account identification method according to an embodiment of the present application, where the embodiment of the present application at least includes the following steps:
701. Determining the user identifier corresponding to the candidate account.
In this embodiment, the candidate account is an account in the candidate set obtained by dividing the current transaction flow data based on the cash-out identifier. The user identifier corresponding to the account is then determined, for example an identity card number, a passport number, or another identifier that uniquely corresponds to the user.
702. An account retrieval is performed based on the user identification to obtain a plurality of associated accounts.
In this embodiment, retrieving the accounts means checking, in a bank database or another financial database, whether the user holds other credit cards, which then serve as the associated accounts.
703. Determining similarity of the associated account and the account in the seed set.
In this embodiment, the similarity between an associated account and the accounts in the seed set is determined by retrieving the transaction flow corresponding to the associated account, extracting from it the transactions with merchants in the merchant dictionary corresponding to the seed-set accounts, and then determining a merchant transaction vector and calculating the similarity. For the specific calculation process, refer to step 304 in the embodiment shown in fig. 3; details are not repeated here.
704. And performing target-type-based transaction risk marking on the user identification according to the similarity between the associated account and the account in the seed set.
In this embodiment, if credit card cash-out behavior exists in each of the plurality of associated accounts of the user, the user is marked, and all credit cards associated with the user are given the corresponding cash-out mark, so that the user is prevented from continuing the cash-out behavior with a new credit card.
Optionally, considering the variability of user behavior, that is, to avoid marking a user who has since corrected the cash-out behavior, cash-out behavior occurring in different time periods may be weighted. First, the transaction occurrence timing corresponding to the multiple associated accounts is determined; then, the similarity between the associated accounts and the accounts in the seed set is weighted according to the transaction occurrence timing to obtain a weighting result; finally, the target-type-based transaction risk marking is performed on the user identifier based on the weighting result. For example, a weighting coefficient of 0.3 is set for a credit card whose cash-out behavior occurred more than 1 year ago, and a weighting coefficient of 0.7 is set for a credit card whose cash-out behavior occurred within the past 1 year. That is, the older the cash-out behavior, the lower its weight, which ensures the accuracy of the transaction risk marking.
In a possible scenario in which a user performs a credit card transaction, as shown in fig. 8, fig. 8 is a scenario diagram of another identification method for an abnormal transaction account according to an embodiment of the present application. The figure shows that when a user carries out a credit card transaction at a terminal, clicking "confirm transaction" A1 triggers the server to check the cash-out identifier of the transacting account (or user). If there is no cash-out identifier, "transaction success" A2 is shown and the transaction proceeds normally; if the cash-out identifier exists, "transaction risk" A3 is shown and the transaction is forbidden.
Based on the method, long-tail cash-out users that are difficult to identify with bank expert rules can additionally be identified in the user dimension, the coverage rate of identifying credit card cash-out associated with a user is improved, and the cost for black-market operators of bypassing the risk control strategy is raised.
In order to better implement the above-mentioned solution of the embodiments of the present application, the following also provides a related apparatus for implementing the above-mentioned solution. Referring to fig. 9, fig. 9 is a schematic structural diagram of an apparatus for identifying an abnormal transaction account according to an embodiment of the present application, where the apparatus 900 includes:
an obtaining unit 901, configured to obtain transaction flow data of a transaction information source to be identified, where the transaction flow data includes a transaction relationship between a transaction account and a merchant;
a determining unit 902, configured to perform transaction behavior representation according to a transaction relationship between the transaction account and a merchant, so as to determine a merchant transaction vector corresponding to the transaction account;
a dividing unit 903, configured to invoke a target identifier included in the transaction flow data to perform cluster identifier matching on the transaction accounts, so as to obtain a seed set and a candidate set based on an identifier matching result through division, where the seed set is a set of multiple seed accounts including the target identifier, the candidate set is a set of multiple candidate accounts not including the target identifier, and the target identifier is used to indicate an account of a target type;
the determining unit 902 is further configured to perform vector similarity analysis processing on the merchant transaction vectors corresponding to the candidate account and the seed account, respectively, so as to determine similarity between the merchant transaction vector corresponding to the candidate account and the merchant transaction vector corresponding to the seed account;
an identifying unit 904, configured to perform risk judgment on the transaction accounts in the candidate set based on the comparison result between the similarity and a risk threshold, so as to obtain an abnormal transaction account related to the target type in the transaction information source to be identified by screening.
Optionally, in some possible implementations of the present application, the determining unit 902 is specifically configured to traverse transaction behaviors indicated in a transaction relationship between the transaction account and a merchant, so as to determine a merchant list and an account list in the transaction flow data;
the determining unit 902 is specifically configured to determine that the location identifier of the transaction account is a first character if a transaction behavior exists between the transaction account in the account list and each merchant in the merchant list;
the determining unit 902 is specifically configured to determine that the location identifier of the transaction account is a second character if no transaction behavior exists between the transaction account in the account list and each merchant in the merchant list;
the determining unit 902 is specifically configured to determine, according to the combination of the first character and the second character, a merchant transaction vector corresponding to the transaction account.
Optionally, in some possible implementations of the present application, the determining unit 902 is specifically configured to perform field matching based on an input field in the transaction flow data to sort and obtain a data table;
the determining unit 902 is specifically configured to, in response to setting of a preset time period, filter the data table to obtain processing data;
the determining unit 902 is specifically configured to perform data retrieval on the processing data according to a preset field, so as to perform standardization processing on the processing data to obtain a target table set for a preset item;
the determining unit 902 is specifically configured to determine the merchant list and the account list according to the target table.
Optionally, in some possible implementations of the present application, the determining unit 902 is specifically configured to determine a transaction merchant sequence according to the target table;
the determining unit 902 is specifically configured to perform field matching based on an input field in the transaction flow data to sort and obtain a data table;
the determining unit 902 is specifically configured to extract an account identifier in the target table and perform account statistics to obtain the account list.
Optionally, in some possible implementation manners of the present application, the determining unit 902 is specifically configured to determine transaction object information corresponding to each merchant in the merchant list;
the determining unit 902 is specifically configured to determine a popularity value of each merchant in the merchant list based on the transaction object information;
the determining unit 902 is specifically configured to perform threshold comparison on the merchants according to the popularity values, so as to update the merchant list.
Optionally, in some possible implementations of the present application, the determining unit 902 is specifically configured to extract a transaction amount item in the target table;
the determining unit 902 is specifically configured to obtain a safety threshold set for a target type;
the determining unit 902 is specifically configured to screen out the security entry in the target table based on a size relationship between the security threshold and the transaction amount item, so as to update the target table.
Optionally, in some possible implementation manners of the present application, the dividing unit 903 is specifically configured to perform item identification on a seed identification item in the transaction flow data to determine the seed identification item in the transaction flow data, where the seed identification item is obtained based on a history mark;
the dividing unit 903 is specifically configured to identify an identifier in the seed identifier item, to determine a transaction account including the target identifier in an identification result, and divide the transaction account including the target identifier into the seed set;
the dividing unit 903 is specifically configured to identify an identifier in the seed identifier item, to determine a transaction account that does not include the target identifier in the identification result, and divide the transaction account that does not include the target identifier into the candidate set.
Optionally, in some possible implementation manners of the present application, the dividing unit 903 is specifically configured to perform identifier setting on a seed identifier item in response to performing identifier setting operation, so as to obtain the marked seed identifier item;
the dividing unit 903 is specifically configured to input the marked seed identification item into a verification platform to verify the marked seed identification item;
the dividing unit 903 is specifically configured to update the seed set and the candidate set if the marked seed identification item passes the verification.
Optionally, in some possible implementation manners of the present application, the determining unit 902 is specifically configured to invoke a preset formula in response to completion of configuration of the seed set;
the determining unit 902 is specifically configured to pair the merchant transaction vectors corresponding to the candidate accounts and the merchant transaction vectors corresponding to the seed accounts in sequence based on the preset formula, so as to perform cross calculation on objects obtained by the pairing to obtain the similarity.
Optionally, in some possible implementations of the present application, the identifying unit 904 is specifically configured to determine a user identifier corresponding to the candidate account;
the identifying unit 904 is specifically configured to perform account retrieval based on the user identifier to obtain a plurality of associated accounts;
the identifying unit 904 is specifically configured to determine similarity between the associated account and the account in the seed set;
the identifying unit 904 is specifically configured to perform the target-type-based transaction risk tagging on the user identifier according to the similarity between the associated account and the seed set account.
Optionally, in some possible implementations of the present application, the identifying unit 904 is specifically configured to determine a transaction occurrence timing sequence corresponding to a plurality of the associated accounts;
the identifying unit 904 is specifically configured to determine a weighting parameter according to the transaction occurrence timing, so as to weight the similarity between the associated account and the account in the seed set based on the weighting parameter to obtain a weighting result;
the identifying unit 904 is specifically configured to perform the target-type-based transaction risk tagging on the user identifier based on the weighting result.
Acquiring transaction flow data of a transaction information source to be identified; then, transaction behavior representation is carried out according to the transaction relation between the transaction account and the merchant so as to determine a merchant transaction vector corresponding to the transaction account; calling a target identifier contained in the transaction flow data to perform cluster identifier matching on the transaction accounts, and dividing based on an identifier matching result to obtain a seed set and a candidate set, wherein the seed set is a set of a plurality of seed accounts containing the target identifier, the candidate set is a set of a plurality of candidate accounts not containing the target identifier, and the target identifier is used for indicating an account of a target type; further determining the similarity between the merchant transaction vector corresponding to the candidate account and the merchant transaction vector corresponding to the seed account; and then carrying out risk judgment on the transaction accounts in the candidate set based on the comparison result of the similarity and the risk threshold value so as to obtain abnormal transaction accounts related to the target type in the transaction information source to be identified in a screening mode. Therefore, the collaborative filtering process based on the seed set is realized, and as the accounts in the seed set and the accounts in the candidate set have similar transaction merchants, the accounts similar to the accounts in the seed set are determined by vectorizing the transaction merchants, so that the coverage rate of account identification is improved, and the accuracy of account identification is ensured.
An embodiment of the present application further provides a terminal device, as shown in fig. 10, which is a schematic structural diagram of another terminal device provided in the embodiment of the present application, and for convenience of description, only a portion related to the embodiment of the present application is shown, and details of the specific technology are not disclosed, please refer to a method portion in the embodiment of the present application. The terminal may be any terminal device including a mobile phone, a tablet computer, a Personal Digital Assistant (PDA), a point of sale (POS), a vehicle-mounted computer, and the like, taking the terminal as the mobile phone as an example:
Fig. 10 is a block diagram illustrating a partial structure of a mobile phone related to a terminal provided in an embodiment of the present application. Referring to fig. 10, the cellular phone includes: radio frequency (RF) circuitry 1010, memory 1020, input unit 1030, display unit 1040, sensor 1050, audio circuitry 1060, wireless fidelity (WiFi) module 1070, processor 1080, and power source 1090. Those skilled in the art will appreciate that the handset configuration shown in fig. 10 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
The following describes each component of the mobile phone in detail with reference to fig. 10:
RF circuit 1010 may be used for receiving and transmitting signals during information transmission and reception or during a call; in particular, after receiving downlink information from a base station, it passes the information to processor 1080 for processing, and it transmits uplink data to the base station. In general, RF circuit 1010 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like. In addition, the RF circuitry 1010 may also communicate with networks and other devices via wireless communications. The wireless communication may use any communication standard or protocol, including but not limited to global system for mobile communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), email, Short Message Service (SMS), etc.
The memory 1020 can be used for storing software programs and modules, and the processor 1080 executes various functional applications and data processing of the mobile phone by operating the software programs and modules stored in the memory 1020. The memory 1020 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data (such as audio data, a phonebook, etc.) created according to the use of the cellular phone, and the like. Further, the memory 1020 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
The input unit 1030 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the cellular phone. Specifically, the input unit 1030 may include a touch panel 1031 and other input devices 1032. The touch panel 1031, also referred to as a touch screen, may collect touch operations by a user (e.g., operations by a user on or near the touch panel 1031 using any suitable object or accessory such as a finger, a stylus, etc., and spaced touch operations within a certain range on the touch panel 1031) and drive corresponding connection devices according to a preset program. Optionally, the touch panel 1031 may include two parts, namely a touch detection device and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts the touch information into touch point coordinates, sends the touch point coordinates to the processor 1080, and can receive and execute commands sent by the processor 1080. In addition, the touch panel 1031 may be implemented by various types such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. The input unit 1030 may include other input devices 1032 in addition to the touch panel 1031. In particular, other input devices 1032 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), a track ball, a mouse, a joystick, or the like.
The display unit 1040 may be used to display information input by a user or information provided to the user and various menus of the cellular phone. The display unit 1040 may include a display panel 1041, and optionally, the display panel 1041 may be configured in the form of a Liquid Crystal Display (LCD), an organic light-emitting diode (OLED), or the like. Further, the touch panel 1031 can cover the display panel 1041, and when the touch panel 1031 detects a touch operation on or near the touch panel 1031, the touch operation is transmitted to the processor 1080 to determine the type of the touch event, and then the processor 1080 provides a corresponding visual output on the display panel 1041 according to the type of the touch event. Although in fig. 10, the touch panel 1031 and the display panel 1041 are two separate components to implement the input and output functions of the mobile phone, in some embodiments, the touch panel 1031 and the display panel 1041 may be integrated to implement the input and output functions of the mobile phone.
The handset may also include at least one sensor 1050, such as a light sensor, motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 1041 according to the brightness of ambient light, and the proximity sensor may turn off the display panel 1041 and/or the backlight when the mobile phone moves to the ear. As one of the motion sensors, the accelerometer sensor can detect the magnitude of acceleration in each direction (generally three axes), detect the magnitude and direction of gravity when stationary, and can be used for applications of recognizing gestures of a mobile phone (such as horizontal and vertical screen switching, related games, magnetometer gesture calibration), vibration recognition related functions (such as pedometers and taps), and the like; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured on the mobile phone, the description is omitted here.
Audio circuitry 1060, speaker 1061, and microphone 1062 may provide an audio interface between the user and the handset. The audio circuit 1060 can transmit the electrical signal converted from the received audio data to the speaker 1061, which converts it into a sound signal and outputs it; on the other hand, the microphone 1062 converts the collected sound signal into an electrical signal, which is received by the audio circuit 1060 and converted into audio data. The audio data is output to the processor 1080 for processing and then sent to, for example, another cellular phone via the RF circuit 1010, or output to the memory 1020 for further processing.
WiFi belongs to short-distance wireless transmission technology, and the mobile phone can help the user to send and receive e-mail, browse web pages, access streaming media, etc. through the WiFi module 1070, which provides wireless broadband internet access for the user. Although fig. 10 shows the WiFi module 1070, it is understood that it does not belong to the essential constitution of the handset, and may be omitted entirely as needed within the scope not changing the essence of the invention.
The processor 1080 is a control center of the mobile phone, connects various parts of the whole mobile phone by using various interfaces and lines, and executes various functions of the mobile phone and processes data by operating or executing software programs and/or modules stored in the memory 1020 and calling data stored in the memory 1020, thereby integrally monitoring the mobile phone. Optionally, processor 1080 may include one or more processing units; optionally, processor 1080 may integrate an application processor, which primarily handles operating systems, user interfaces, application programs, etc., and a modem processor, which primarily handles wireless communications. It is to be appreciated that the modem processor described above may not be integrated into processor 1080.
The handset also includes a power source 1090 (e.g., a battery) for powering the various components, which may optionally be logically coupled to the processor 1080 via a power management system to manage charging, discharging, and power consumption via the power management system.
Although not shown, the mobile phone may further include a camera, a bluetooth module, etc., which are not described herein.
In the embodiment of the present application, the processor 1080 included in the terminal further has a function of executing the steps of the page processing method.
Referring to fig. 11, fig. 11 is a schematic structural diagram of a server provided in the embodiment of the present application. The server 1100 may vary considerably depending on configuration or performance, and may include one or more Central Processing Units (CPUs) 1122 (e.g., one or more processors), a memory 1132, and one or more storage media 1130 (e.g., one or more mass storage devices) storing an application program 1142 or data 1144. The memory 1132 and the storage media 1130 may be transient storage or persistent storage. The program stored on the storage medium 1130 may include one or more modules (not shown), each of which may include a series of instruction operations for the server. Still further, the central processor 1122 may be configured to communicate with the storage medium 1130 and to execute, on the server 1100, the series of instruction operations in the storage medium 1130.
The server 1100 may also include one or more power supplies 1126, one or more wired or wireless network interfaces 1150, one or more input-output interfaces 1158, and/or one or more operating systems 1141, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and so forth.
The steps performed by the management apparatus in the above-described embodiment may be based on the server configuration shown in fig. 11.
Also provided in the embodiments of the present application is a computer-readable storage medium, which stores therein instructions for identifying an abnormal transaction account, and when the instructions are executed on a computer, the instructions cause the computer to perform the steps performed by the apparatus for identifying an abnormal transaction account in the method described in the embodiments shown in fig. 3 to 8.
Also provided in an embodiment of the present application is a computer program product including instructions for identifying an anomalous transaction account, which when run on a computer causes the computer to perform the steps performed by the means for identifying an anomalous transaction account in the method as described in the embodiments of fig. 3 to 8.
The embodiment of the present application further provides an identification system of an abnormal transaction account, where the identification system of an abnormal transaction account may include an identification device of an abnormal transaction account in the embodiment described in fig. 9, or a terminal device in the embodiment described in fig. 10, or a server described in fig. 11.
In a possible scenario, the identification method for the abnormal transaction account in the present application is applied to a blockchain device, that is, each transaction account is configured corresponding to the blockchain device, and the blockchain device is a node in a blockchain, which is described below with reference to the accompanying drawings; referring to the data sharing system shown in fig. 12A, the data sharing system 1200 refers to a system for performing data sharing between nodes, the data sharing system may include a plurality of nodes 1201, and the plurality of nodes 1201 may refer to respective clients in the data sharing system. Each node 1201 may receive input information during normal operation and maintain shared data within the data sharing system based on the received input information. In order to ensure information intercommunication in the data sharing system, information connection can exist between each node in the data sharing system, and information transmission can be carried out between the nodes through the information connection. For example, when an arbitrary node in the data sharing system receives input information, other nodes in the data sharing system acquire the input information according to a consensus algorithm, and store the input information as data in shared data, so that the data stored on all the nodes in the data sharing system are consistent.
Each node in the data sharing system has a corresponding node identifier, and each node may store the node identifiers of the other nodes in the data sharing system, so that a generated block can subsequently be broadcast to the other nodes according to their node identifiers. Each node may maintain a node identifier list as shown in the following table, in which each node name is stored together with the corresponding node identifier. The node identifier may be an IP (Internet Protocol) address or any other information that can be used to identify the node; table 6 uses the IP address only as an example.
TABLE 6 Correspondence between node names and node identifiers
Node name    Node identifier
Node 1       117.114.151.174
Node 2       117.116.189.145
Node N       119.123.789.258
Each node in the data sharing system stores one identical blockchain. As shown in fig. 12B, the blockchain is composed of a plurality of blocks. The starting block includes a block header and a block body; the block header stores an input information characteristic value, a version number, a timestamp and a difficulty value, and the block body stores the input information. The next block takes the starting block as its parent block and likewise includes a block header and a block body; its block header stores the input information characteristic value of the current block, the block header characteristic value of the parent block, the version number, the timestamp and the difficulty value. Continuing in this way, the block data stored in each block of the blockchain is associated with the block data stored in its parent block, which ensures the security of the input information in the blocks.
Each block in the blockchain is generated as follows. Referring to fig. 12C, when the node where the blockchain is located receives input information, it verifies the input information; after the verification is completed, it stores the input information in the memory pool and updates the hash tree used for recording the input information. It then sets the update timestamp to the time when the input information was received, tries different random numbers, and calculates the characteristic value repeatedly until the calculated characteristic value satisfies the following formula:
SHA256(SHA256(version+prev_hash+merkle_root+ntime+nbits+x))<TARGET
where SHA256 is the characteristic value algorithm used for calculating a characteristic value; version is the version information of the relevant block protocol in the blockchain; prev_hash is the block header characteristic value of the parent block of the current block; merkle_root is the characteristic value of the input information; ntime is the update time of the update timestamp; nbits is the current difficulty, which is a fixed value within a period of time and is determined again after a fixed time period has elapsed; x is a random number; TARGET is a characteristic value threshold, which can be determined from nbits.
Therefore, when a random number satisfying the formula is obtained through calculation, the information can be stored correspondingly, and the block header and the block body are generated to obtain the current block. The node where the blockchain is located then sends the newly generated block to the other nodes in its data sharing system according to the node identifiers of those nodes; the other nodes verify the newly generated block and, after the verification is completed, add it to the blockchain that they store.
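The random-number search and the check made by a receiving node, as an added example that is not part of the patent text. It assumes a Bitcoin-style compact encoding for nbits, little-endian packing of the integer fields and a big-endian reading of the digest; all function names and the sample input records are constructed for illustration.

```python
import hashlib
import struct

def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the characteristic-value algorithm in the formula."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def target_from_nbits(nbits: int) -> int:
    """Assumption: Bitcoin-style compact form, 1 exponent byte + 3 mantissa bytes."""
    exponent, mantissa = nbits >> 24, nbits & 0x007FFFFF
    shift = 8 * (exponent - 3)
    return mantissa << shift if shift >= 0 else mantissa >> -shift

def merkle_root(inputs: list) -> bytes:
    """Hash tree over the input information; an odd level repeats its last node."""
    level = [sha256d(item) for item in inputs]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def header_hash(blk: dict) -> bytes:
    """SHA256(SHA256(version+prev_hash+merkle_root+ntime+nbits+x)), '+' as concatenation."""
    header = (struct.pack("<I", blk["version"]) + blk["prev_hash"] + blk["merkle_root"]
              + struct.pack("<III", blk["ntime"], blk["nbits"], blk["x"]))
    return sha256d(header)

def meets_target(blk: dict) -> bool:
    return int.from_bytes(header_hash(blk), "big") < target_from_nbits(blk["nbits"])

def mine(prev_hash: bytes, inputs: list, ntime: int, nbits: int, version: int = 1) -> dict:
    """Try random numbers x in order until the header hash falls below TARGET."""
    blk = {"version": version, "prev_hash": prev_hash, "merkle_root": merkle_root(inputs),
           "ntime": ntime, "nbits": nbits, "x": 0, "inputs": list(inputs)}
    while not meets_target(blk):
        blk["x"] += 1
        if blk["x"] >= 2**32:
            raise RuntimeError("nonce space exhausted; change ntime and retry")
    return blk

def verify_chain(chain: list) -> bool:
    """What a receiving node checks before appending: parent link, body hash, target."""
    parent = b"\x00" * 32  # constructed convention: the starting block has an all-zero parent
    for blk in chain:
        if blk["prev_hash"] != parent:
            return False
        if merkle_root(blk["inputs"]) != blk["merkle_root"] or not meets_target(blk):
            return False
        parent = header_hash(blk)  # recomputed, never trusted from the sender
    return True

def build_demo_chain() -> list:
    """Two linked blocks over constructed input records, with an easy constructed difficulty."""
    nbits = 0x2000FFFF
    first = mine(b"\x00" * 32, [b"acct-A -> merchant-1", b"acct-B -> merchant-2"],
                 1615852800, nbits)
    second = mine(header_hash(first), [b"acct-C -> merchant-1"], 1615852860, nbits)
    return [first, second]

if __name__ == "__main__":
    chain = build_demo_chain()
    print("valid:", verify_chain(chain))
    chain[0]["inputs"][0] = b"acct-A -> merchant-9"            # edit a stored record
    chain[0]["merkle_root"] = merkle_root(chain[0]["inputs"])  # and recompute its body hash
    print("valid after edit:", verify_chain(chain))
```

Because the verifier recomputes each parent hash itself, an edited record in an earlier block is rejected even when its hash-tree value is recomputed: either the block no longer meets TARGET or the next block's prev_hash no longer matches.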
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, an abnormal transaction account identification device, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (15)

1. A method for identifying an abnormal transaction account, comprising:
acquiring transaction flow data of a transaction information source to be identified, wherein the transaction flow data comprises a transaction relation between a transaction account and a merchant;
performing transaction behavior representation according to the transaction relationship between the transaction account and the merchant to determine a merchant transaction vector corresponding to the transaction account;
calling a target identifier contained in the transaction flow data to perform cluster identifier matching on the transaction accounts, so as to obtain a seed set and a candidate set based on identifier matching result division, wherein the seed set is a set of a plurality of seed accounts containing the target identifier, the candidate set is a set of a plurality of candidate accounts not containing the target identifier, and the target identifier is used for indicating an account of a target type;
respectively carrying out vector similarity analysis processing on the merchant transaction vectors corresponding to the candidate account and the seed account so as to determine the similarity between the merchant transaction vector corresponding to the candidate account and the merchant transaction vector corresponding to the seed account;
and performing risk judgment on the transaction accounts in the candidate set based on the comparison result of the similarity and a risk threshold value so as to obtain abnormal transaction accounts related to the target type in the transaction information source to be identified through screening.
2. The method according to claim 1, wherein performing transaction behavior representation according to the transaction relationship between the transaction account and the merchant to determine a merchant transaction vector corresponding to the transaction account comprises:
traversing transaction behaviors indicated in a transaction relationship between the transaction account and a merchant to determine a merchant list and an account list in the transaction flow data;
if a transaction action exists between a transaction account in the account list and each merchant in the merchant list, determining that the position identifier of the transaction account is a first character;
if no transaction action exists between the transaction account in the account list and each merchant in the merchant list, determining that the position identifier of the transaction account is a second character;
and determining a merchant transaction vector corresponding to the transaction account according to the combination of the first character and the second character.
3. The method of claim 2, wherein traversing the transaction behavior indicated in the transaction relationship between the transaction account and the merchant to determine a merchant list and an account list in the transaction flow data comprises:
performing field matching based on input fields in the transaction flow data to obtain a data table through sorting;
screening the data table to obtain processing data in response to the setting of a preset time period;
performing data retrieval on the processing data according to a preset field so as to perform standardized processing on the processing data to obtain a target table set for a preset item;
and determining the merchant list and the account list according to the target table.
4. The method of claim 3, wherein determining the merchant list and the account list from the target table comprises:
determining a transaction merchant sequence according to the target table;
performing field matching based on input fields in the transaction flow data to obtain a data table through sorting;
and extracting the account identification item in the target table and carrying out account statistics to obtain the account list.
5. The method of claim 3, further comprising:
determining transaction object information corresponding to each merchant in the merchant list;
determining the popularity value of each merchant in the merchant list based on the transaction object information;
and performing merchant threshold comparison according to the popularity value so as to update the merchant list.
6. The method of claim 3, further comprising:
extracting transaction amount items in the target table;
acquiring a security threshold set for the target type;
screening out secure entries in the target table to update the target table based on a size relationship of the security threshold to the transaction amount item.
7. The method of claim 1, wherein invoking the target identifier included in the transaction flow data to perform clustered identifier matching on the transaction account to obtain a seed set and a candidate set based on identifier matching result partitioning, comprises:
performing item recognition on the seed identification item in the transaction flow data to determine the seed identification item in the transaction flow data, wherein the seed identification item is obtained based on a historical record mark;
identifying the identifier in the seed identifier item to determine a transaction account containing the target identifier in an identification result, and dividing the transaction account containing the target identifier into the seed set;
and identifying the identifier in the seed identifier item to determine the transaction account not containing the target identifier in the identification result, and dividing the transaction account not containing the target identifier into the candidate set.
8. The method of claim 7, further comprising:
in response to an identifier setting operation, performing identifier setting on a seed identification item to obtain the marked seed identification item;
inputting the marked seed identification item into a verification platform to verify the marked seed identification item;
and if the marked seed identification item passes the verification, updating the seed set and the candidate set.
9. The method of claim 1, wherein the performing vector similarity analysis on the merchant transaction vectors corresponding to the candidate account and the seed account to determine similarity between the merchant transaction vector corresponding to the candidate account and the merchant transaction vector corresponding to the seed account comprises:
calling a preset formula in response to the completion of the configuration of the seed set;
and sequentially pairing the merchant transaction vectors corresponding to the candidate accounts and the merchant transaction vectors corresponding to the seed accounts based on the preset formula so as to cross-calculate the objects obtained by pairing to obtain the similarity.
10. The method according to any one of claims 1-9, further comprising:
determining a user identifier corresponding to the candidate account;
performing account retrieval based on the user identification to obtain a plurality of associated accounts;
determining similarity of the associated account and the account in the seed set;
and performing transaction risk marking based on the target type on the user identification according to the similarity between the associated account and the seed set account.
11. The method of claim 10, wherein the target-type-based transaction risk tagging of the user identification according to the similarity of the associated account to the seed set account comprises:
determining a transaction occurrence time sequence corresponding to a plurality of the associated accounts;
determining a weighting parameter according to the transaction occurrence time sequence, and weighting the similarity between the associated account and the account in the seed set based on the weighting parameter to obtain a weighting result;
and performing transaction risk marking based on the target type on the user identification based on the weighting result.
12. The method according to claim 1, wherein the transaction flow data is credit card transaction flow data of a bank, the target type is an account with a risk of credit card cash, and the management method of the network resource is applied to a blockchain device, and the blockchain device is a node in a blockchain.
13. An apparatus for identifying an anomalous transaction account, comprising:
an acquisition unit, configured to acquire transaction flow data of a transaction information source to be identified, wherein the transaction flow data comprises a transaction relation between a transaction account and a merchant;
the determining unit is used for performing transaction behavior representation according to the transaction relation between the transaction account and a merchant so as to determine a merchant transaction vector corresponding to the transaction account;
the dividing unit is used for calling a target identifier contained in the transaction flow data to perform cluster identifier matching on the transaction accounts so as to obtain a seed set and a candidate set based on identifier matching results, wherein the seed set is a set of a plurality of seed accounts containing the target identifier, the candidate set is a set of a plurality of candidate accounts not containing the target identifier, and the target identifier is used for indicating an account of a target type;
the determining unit is further configured to perform vector similarity analysis processing on the merchant transaction vectors corresponding to the candidate account and the seed account respectively to determine similarity between the merchant transaction vector corresponding to the candidate account and the merchant transaction vector corresponding to the seed account;
and the identification unit is used for carrying out risk judgment on the transaction accounts in the candidate set based on the comparison result of the similarity and a risk threshold value so as to obtain the abnormal transaction accounts related to the target type in the transaction information source to be identified through screening.
14. A computer device, the computer device comprising a processor and a memory:
the memory is used for storing program codes; the processor is configured to execute the method for identifying an anomalous transaction account according to any of claims 1 to 12 according to instructions in the program code.
15. A computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the method of identifying anomalous transaction accounts of any one of claims 1 to 12 above.
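The steps of claims 1, 2 and 9 run on a small constructed transaction flow, as an added example that is not part of the patent text. The cosine measure stands in for the unspecified preset formula; scoring each candidate by its highest similarity to any seed and flagging at or above the risk threshold are assumptions, as are all names and sample records.

```python
from math import sqrt

# Constructed sample flow: (transaction account, merchant, carries target identifier)
FLOW = [
    ("acct1", "m1", True), ("acct1", "m2", True), ("acct1", "m3", True),
    ("acct5", "m5", True), ("acct5", "m6", True),
    ("acct2", "m1", False), ("acct2", "m2", False), ("acct2", "m3", False),
    ("acct3", "m4", False), ("acct3", "m5", False),
    ("acct4", "m2", False), ("acct4", "m3", False), ("acct4", "m5", False),
]

def merchant_vectors(flow):
    """Claim 2: one position per merchant, 1 if the account transacted there, else 0."""
    merchants = sorted({m for _, m, _ in flow})
    accounts = sorted({a for a, _, _ in flow})
    seen = {(a, m) for a, m, _ in flow}
    vectors = {a: [1 if (a, m) in seen else 0 for m in merchants] for a in accounts}
    return merchants, vectors

def split_seed_candidate(flow):
    """Claim 1: seed set = accounts carrying the target identifier, candidate set = the rest."""
    seeds = {a for a, _, flagged in flow if flagged}
    candidates = {a for a, _, _ in flow} - seeds
    return seeds, candidates

def cosine(u, v):
    """Assumed similarity measure; returns 0.0 when either vector is all zeros."""
    dot = sum(x * y for x, y in zip(u, v))
    norm_u, norm_v = sqrt(sum(x * x for x in u)), sqrt(sum(y * y for y in v))
    return dot / (norm_u * norm_v) if norm_u and norm_v else 0.0

def flag_candidates(flow, risk_threshold):
    """Claim 9 pairing plus the claim 1 risk judgment; returns {account: best similarity}."""
    _, vectors = merchant_vectors(flow)
    seeds, candidates = split_seed_candidate(flow)
    flagged = {}
    for cand in sorted(candidates):
        # Pair the candidate with every seed; an empty seed set scores 0.0 (nothing to match).
        best = max((cosine(vectors[cand], vectors[s]) for s in seeds), default=0.0)
        if best >= risk_threshold:  # assumed direction: higher similarity means higher risk
            flagged[cand] = round(best, 3)
    return flagged

if __name__ == "__main__":
    for threshold in (0.8, 0.6):
        print(threshold, flag_candidates(FLOW, threshold))
```

Lowering the threshold from 0.8 to 0.6 adds acct4, which shares two of its three merchants with a seed, which shows how the risk threshold trades missed accounts against false positives.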
CN202110281947.4A 2021-03-16 2021-03-16 Abnormal transaction account identification method and device and storage medium Pending CN115082071A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110281947.4A CN115082071A (en) 2021-03-16 2021-03-16 Abnormal transaction account identification method and device and storage medium

Publications (1)

Publication Number Publication Date
CN115082071A true CN115082071A (en) 2022-09-20

Family

ID=83246081

Country Status (1)

Country Link
CN (1) CN115082071A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination