CN115082078A - User abnormal behavior detection method and device, electronic equipment and storage medium - Google Patents

User abnormal behavior detection method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN115082078A
CN115082078A CN202210849208.5A CN202210849208A CN115082078A CN 115082078 A CN115082078 A CN 115082078A CN 202210849208 A CN202210849208 A CN 202210849208A CN 115082078 A CN115082078 A CN 115082078A
Authority
CN
China
Prior art keywords
transaction
information
processing
client
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210849208.5A
Other languages
Chinese (zh)
Inventor
刘赛
陈惠梅
边露
李积宏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC filed Critical Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202210849208.5A priority Critical patent/CN115082078A/en
Publication of CN115082078A publication Critical patent/CN115082078A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4016Transaction verification involving fraud or risk level assessment in transaction processing
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • General Physics & Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • Computational Linguistics (AREA)
  • Strategic Management (AREA)
  • Finance (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • General Business, Economics & Management (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention discloses a method and a device for detecting abnormal user behaviors, electronic equipment and a storage medium. Wherein, the method comprises the following steps: acquiring transaction information of a user account; processing the transaction information to obtain characteristic information; establishing an anomaly detection model by using historical transaction information, and processing the characteristic information by using the anomaly detection model to obtain a processing result; and determining whether the transaction behavior of the user account is abnormal or not based on the processing result. The invention solves the technical problems that the existing user behavior abnormity detection model is high in training cost and has an overfitting phenomenon.

Description

User abnormal behavior detection method and device, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of information security, in particular to a method and a device for detecting abnormal user behavior, electronic equipment and a storage medium.
Background
With the widespread of electronic banking channels such as internet banking and mobile banking, more and more customers become users of mobile banking including remote areas, and tens of thousands of electronic banking transactions are occurring every moment. Along with this, the security problem in the field of electronic banking, especially the transaction related to account transfer, is more important to ensure the security.
In the prior art, in order to ensure the safety of account-moving transaction, the main stream safety measures adopted include: the security means such as payment password, face recognition, cipher device, etc. and the measure of setting payment limit, etc. are used to ensure the security of electronic banking account transaction, but these measures can effectively ensure the normal operation of banking business, but the model training cost of user portrait is high, and the multi-layer neural network algorithm generally has overfitting phenomenon.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a method and a device for detecting abnormal user behaviors, electronic equipment and a storage medium, which are used for at least solving the technical problems that the existing user behavior abnormal detection model is high in training cost and has an overfitting phenomenon.
According to an aspect of the embodiments of the present invention, there is provided a method for detecting abnormal user behavior, including: acquiring transaction information of a user account; processing the transaction information to obtain characteristic information; establishing an anomaly detection model by using historical transaction information, and processing the characteristic information by using the anomaly detection model to obtain a processing result; and determining whether the transaction behavior of the user account is abnormal or not based on the processing result.
Optionally, the obtaining transaction information of the user account includes: a transaction action in response to the user account; acquiring client position information and client equipment information used by the user account; acquiring transaction frequency information, transaction time information and transaction amount information corresponding to the transaction behaviors; and acquiring Internet protocol address information corresponding to the transaction behavior.
Optionally, before the processing the transaction information to obtain the feature information, the method further includes: determining whether a client access anomaly exists based on the client location information, the client device information and the internet protocol address information; and determining whether the client transaction abnormity exists or not based on the transaction time information and the transaction amount information.
Optionally, the processing the transaction information to obtain feature information includes: under the condition that the client access abnormity is determined, determining a client access abnormity rate and a client access time offset based on the transaction information; under the condition that the client-side transaction abnormity exists, determining the client-side transaction abnormity rate based on the transaction information, and recording the transaction frequency information and the transaction amount information; and determining the client access abnormal rate, the client access time offset, the client transaction abnormal rate, the transaction frequency information and the transaction amount information as the characteristic information.
Optionally, establishing an anomaly detection model by using historical transaction information includes: acquiring historical transaction information stored in a database, wherein the historical transaction information comprises: risk transaction information and normal transaction information; processing the risk transaction information to obtain risk transaction characteristic information, and processing the normal transaction information to obtain normal transaction characteristic information; and establishing the abnormal detection model by adopting a single-layer neural network based on the risk transaction characteristic information and the normal transaction characteristic information.
Optionally, processing the feature information by using the anomaly detection model to obtain a processing result, where the processing result includes: and inputting the characteristic information into the abnormality detection model to obtain the processing result with the range of 0 to 1.
Optionally, the determining whether the transaction behavior of the user account is abnormal based on the processing result includes: if the value range of the processing result is within the range of 0 to 0.5, determining that the transaction behavior of the user account is normal; and if the value range of the processing result is within the interval of 0.5 to 1, determining that the transaction behavior of the user account is abnormal.
According to another aspect of the embodiments of the present invention, there is also provided a device for detecting abnormal user behavior, including: the acquisition module is used for acquiring the transaction information of the user account; the first processing module is used for processing the transaction information to obtain characteristic information; the second processing module is used for establishing an abnormality detection model by adopting historical transaction information and processing the characteristic information by adopting the abnormality detection model to obtain a processing result; and the determining module is used for determining whether the transaction behavior of the user account is abnormal or not based on the processing result.
According to another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium, which stores a plurality of instructions, the instructions being adapted to be loaded by a processor and to execute any one of the above-mentioned user abnormal behavior detection methods.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including one or more processors and a memory, where the memory is used to store one or more programs, and when the one or more programs are executed by the one or more processors, the one or more processors are enabled to implement any one of the above-mentioned user abnormal behavior detection methods.
In the embodiment of the invention, the transaction information of the user account is acquired; processing the transaction information to obtain characteristic information; establishing an anomaly detection model by using historical transaction information, and processing the characteristic information by using the anomaly detection model to obtain a processing result; based on the processing result, whether the transaction behavior of the user account is abnormal or not is determined, the purpose of analyzing the user behavior to improve the security of the user transaction is achieved, the technical effects of combining non-sensitive information data of dimensions such as equipment and transaction behavior, establishing a user security behavior portrait and calculating the risk degree of the client transaction behavior are achieved, and the technical problems that an existing user behavior abnormity detection model is high in training cost and has an overfitting phenomenon are solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flow chart of a user abnormal behavior detection method according to an embodiment of the present invention;
FIG. 2 is a schematic overall flow chart of an alternative anomaly detection according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an alternative neural network architecture in accordance with embodiments of the present invention;
fig. 4 is a schematic structural diagram of a user abnormal behavior detection apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an alternative electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
In accordance with an embodiment of the present invention, there is provided an embodiment of a method for user anomalous behavior detection, it being noted that the steps illustrated in the flowchart of the figure may be performed in a computer system such as a set of computer executable instructions and that, although a logical ordering is shown in the flowchart, in some cases, the steps illustrated or described may be performed in an order different than here.
Fig. 1 is a flowchart of a user abnormal behavior detection method according to an embodiment of the present invention, as shown in fig. 1, the method includes the following steps:
step S102, acquiring transaction information of a user account;
step S104, processing the transaction information to obtain characteristic information;
step S106, establishing an abnormality detection model by using historical transaction information, and processing the characteristic information by using the abnormality detection model to obtain a processing result;
step S108, based on the processing result, determining whether the transaction behavior of the user account is abnormal.
In the embodiment of the present invention, the execution main body of the user abnormal behavior detection method provided in the above steps S102 to S106 is a behavior abnormal detection system, and from the perspective of user behavior analysis, the user security behavior portrait is established by combining non-sensitive information data of dimensions such as used equipment and transaction behaviors, and combining a neural network algorithm, and individual user behaviors are analyzed, so as to calculate the risk degree of the client transaction behaviors, especially dynamic account type transactions, and perform more checking requirements on high-risk transactions, so as to improve the security of the user transactions.
As an alternative embodiment, as shown in the overall flow diagram of anomaly detection shown in fig. 2, when detecting that a transaction action occurs in an account of a target user, the system obtains transaction information of the user account; processing the transaction information to obtain characteristic information; processing the characteristic information by adopting the anomaly detection model to obtain a processing result; and determining whether the transaction behavior of the user account is abnormal or not based on the processing result. If the transaction behavior is abnormal, immediately terminating the transaction behavior and sending notification information to a target user; if the transaction behavior is not abnormal, normal electronic bank transaction operation is carried out.
As an optional embodiment, the acquiring transaction information of the user account includes: a transaction activity in response to the user account; acquiring client position information and client equipment information used by the user account; acquiring transaction frequency information, transaction time information and transaction amount information corresponding to the transaction behaviors; and acquiring Internet protocol address information corresponding to the transaction behavior.
It should be noted that, acquiring the transaction information of the user account is a client information acquisition process, and some client information may be acquired through various clients and application programs running on the mobile phone under the condition of acquiring corresponding permissions, where the client information includes the transaction information. In the embodiment of the invention, the client login information in different places, the client login information in non-use, the transfer behavior time and money amount information, the IP address information and the like are selected as the transaction information.
In an optional embodiment, before the processing the transaction information to obtain the feature information, the method further includes: determining whether a client access anomaly exists based on the client location information, the client device information and the internet protocol address information; and determining whether the client transaction abnormity exists or not based on the transaction time information and the transaction amount information.
Optionally, before the transaction information is processed to obtain the feature information, preprocessing the acquired original information, where the preprocessing includes operations such as screening, removing dirty data, and supplementing data. After preprocessing the collected original data, determining whether client access abnormity exists according to the client position information, the client equipment information and the Internet protocol address information, and determining whether client transaction abnormity exists according to the transaction time information and the transaction amount information.
It should be noted that, the client accesses the anomaly, that is, whether the geographic location when logging in or accessing the client (transaction client) is different from the historical logging-in location; the client transaction abnormity is that whether the time of the current transaction or the transaction amount has a larger difference with the historical transaction time or the transaction amount.
In an optional embodiment, the processing the transaction information to obtain the feature information includes: under the condition that the client access abnormity is determined, determining a client access abnormity rate and a client access time offset based on the transaction information; under the condition that the client-side transaction abnormity is determined, determining the client-side transaction abnormity rate based on the transaction information, and recording the transaction frequency information and the transaction amount information; and determining the client access abnormal rate, the client access time offset, the client transaction abnormal rate, the transaction frequency information and the transaction amount information as the characteristic information.
As an optional embodiment, in a case that it is determined that the client access abnormality and/or the client transaction abnormality exist, the preprocessed transaction information is calculated to obtain the characteristic information, and the characteristic information is input into the abnormality detection model.
It should be noted that, according to the collected transaction information, in the embodiment of the present invention, the following calculation features are selected as the feature information: a client access exception rate, the client access time offset, the client transaction exception rate, the transaction frequency information, and the transaction amount information.
Optionally, the client access abnormal rate, that is, the remote/non-shared client access rate, selects a login behavior in unit time as an object, and the calculation formula is as follows:
Figure BDA0003754213350000061
optionally, the transaction frequency information, i.e. the transfer behavior frequency, is the number of transfer behaviors in a unit time period, and the unit (times); the transaction amount information is the transfer amount, unit (ten thousand yuan).
Optionally, the client access time offset is an average value of log-in client time in unit time, and a calculation formula is as follows:
Figure BDA0003754213350000062
optionally, the transaction exception rate of the client, that is, the ratio of the number of abnormal logins to the total number of logins in unit time, is calculated according to the following formula:
Figure BDA0003754213350000063
it should be noted that, a case where there is one of behaviors, such as association of a plurality of pieces of registration information with the IP, association of a plurality of pieces of registration information with the device, and inconsistency between the home location of the used registered mobile phone number and the current registered IP, may be regarded as an abnormal case.
In an alternative embodiment, the anomaly detection model is established using historical transaction information, comprising: acquiring historical transaction information stored in a database, wherein the historical transaction information comprises: risk transaction information and normal transaction information; processing the risk transaction information to obtain risk transaction characteristic information, and processing the normal transaction information to obtain normal transaction characteristic information; and establishing the abnormal detection model by adopting a single-layer neural network based on the risk transaction characteristic information and the normal transaction characteristic information.
In the embodiment of the present application, a model based on a single-layer neural network is adopted, such as a schematic neural network structure shown in fig. 3, where the neural network structure is divided into an input layer, a hidden layer and an output layer. The input layer is the input parameter, and the output layer is the output parameter, typically plus a transfer function. The hidden layer is a layer in the neural network except the input layer and the output layer, and is used for converting the content of the input layer into the content of the output layer, serving as the output of the input layer and the input of the output layer, and serving as a core layer for training the neural network. The number of layers and the number of nodes of the hidden layer have a decisive influence on the performance of the neural network, and the more the number of the layers and the number of the nodes, the better the number of the nodes are. The scheme uses a neural network comprising a hidden layer, namely an input layer, a hidden layer and an output layer to realize the establishment of the model.
It should be noted that, regarding the determination of the number of nodes in the hidden layer: for a single hidden layer neural network with 5 nodes as input and 1 node as output, the number of hidden layer nodes can be generally set to be 2-12. Regarding the determination of the network transfer function in the hidden layer, in the embodiment of the present invention, a commonly used Sigmoid function is selected as the transfer function of the model, that is:
Figure BDA0003754213350000071
in an embodiment of the present application, historical transaction information stored in a database is obtained, where the historical transaction information includes: risk transaction information and normal transaction information; processing the risk transaction information to obtain risk transaction characteristic information, and processing the normal transaction information to obtain normal transaction characteristic information; and establishing the abnormal detection model by adopting a single-layer neural network based on the risk transaction characteristic information and the normal transaction characteristic information.
Optionally, a scoring database may be established, to obtain risky data for existing electronic banking and financial transaction cases, and the risky data is marked as 1 and the normal data is marked as 0 by combining the existing normal user data without clear transaction risk. And dividing the obtained data set according to the proportion of 8 to 2 of the training set and the verification set, namely using 80% of the data for model training and 20% for model verification. And training the model by an error inverse propagation algorithm until the MSE (mean square error) of the convergence setting training result is less than 0.01, namely stopping training when the final error is less than 0.01. And generating a final model after training.
In an optional embodiment, processing the feature information by using the anomaly detection model to obtain a processing result includes: inputting the characteristic information into the abnormality detection model to obtain the processing result with a range of 0 to 1.
In an optional embodiment, the determining whether there is an abnormality in the transaction behavior of the user account based on the processing result includes: if the value range of the processing result is within the range of 0 to 0.5, determining that the transaction behavior of the user account is normal; and if the value range of the processing result is within the interval of 0.5 to 1, determining that the transaction behavior of the user account is abnormal.
As an optional embodiment, the feature information is input into the anomaly detection model, after passing through the anomaly detection model, a result of the corresponding mapping is a value range of a Sigmoid function, and is compressed in a (0, 1) interval, the closer the output result is to 0, the safer the transaction is represented, and the closer to 1, the more dangerous the transaction is represented.
Optionally, the processing result with the value range of 0 to 0.5 may be determined as normal transaction behavior; and determining the processing result with the value range within the range of 0.5 to 1 as the transaction behavior abnormity.
According to the embodiment of the invention, on the premise of not relating to user privacy, the user behavior is contrasted and analyzed by combining the portrait, so that the security of bank transaction is improved. The single-layer network has the characteristics of low training cost, difficult overfitting phenomenon and good application to the scenes of user behaviors, can well fit the characteristics of the user behaviors, can combine and select the expansibility of the characteristics according to the actual service requirements, and can be suitable for different service scenes.
Example 2
Fig. 4 is a schematic structural diagram of a user abnormal behavior detection apparatus according to an embodiment of the present application, and as shown in fig. 4, the user abnormal behavior detection apparatus includes: an acquisition module 40, a first processing module 42, a second processing module 44, and a determination module 46, wherein:
the acquisition module 40 is used for acquiring the transaction information of the user account;
the first processing module 42 is configured to process the transaction information to obtain feature information;
the second processing module 44 is configured to establish an anomaly detection model by using historical transaction information, and process the feature information by using the anomaly detection model to obtain a processing result;
and the determining module 46 is used for determining whether the transaction behavior of the user account is abnormal or not based on the processing result.
The user abnormal behavior detection device provided by the embodiment of the application acquires the transaction information of a user account; processing the transaction information to obtain characteristic information; establishing an anomaly detection model by using historical transaction information, and processing the characteristic information by using the anomaly detection model to obtain a processing result; based on the processing result, whether the transaction behavior of the user account is abnormal or not is determined, the purpose of analyzing the user behavior to improve the security of the user transaction is achieved, the technical effects of combining the non-sensitive information data of dimensions such as equipment and transaction behavior, establishing a user security behavior portrait and calculating the risk degree of the client transaction behavior are achieved, and the technical problems that an existing user behavior abnormality detection model is high in training cost and has an overfitting phenomenon are solved.
The user abnormal behavior detection device comprises a processor and a memory, the obtaining module 40, the first processing module 42, the second processing module 44, the determining module 46 and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor comprises a kernel, and the kernel calls the corresponding program unit from the memory. One or more than one kernel can be set, and the training and predicting speed of the convolutional neural network is accelerated by adjusting kernel parameters.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or nonvolatile memory such as Read Only Memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
An embodiment of the present invention provides a computer-readable storage medium, on which a program is stored, where the program, when executed by a processor, implements the above-mentioned user abnormal behavior detection method.
The embodiment of the invention provides a processor, which is used for running a program, wherein the abnormal user behavior detection method is executed when the program runs.
As shown in fig. 5, an embodiment of the present invention provides an electronic device, where the electronic device 10 includes a processor, a memory, and a program stored in the memory and executable on the processor, and the processor executes the program to implement the following steps: acquiring transaction information of a user account; processing the transaction information to obtain characteristic information; establishing an anomaly detection model by using historical transaction information, and processing the characteristic information by using the anomaly detection model to obtain a processing result; and determining whether the transaction behavior of the user account is abnormal or not based on the processing result.
Optionally, the processor executes the program to implement the following steps: acquiring client position information and client equipment information used by the user account; acquiring transaction frequency information, transaction time information and transaction amount information corresponding to the transaction behaviors; and acquiring Internet protocol address information corresponding to the transaction behavior.
Optionally, the processor implements the following steps when executing the program: determining whether a client access anomaly exists based on the client location information, the client device information and the internet protocol address information; and determining whether the client transaction abnormity exists or not based on the transaction time information and the transaction amount information.
Optionally, the processor executes the program to implement the following steps: under the condition that the client access abnormity is determined, determining a client access abnormity rate and a client access time offset based on the transaction information; under the condition that the client-side transaction abnormity is determined, determining the client-side transaction abnormity rate based on the transaction information, and recording the transaction frequency information and the transaction amount information; and determining the client access abnormal rate, the client access time offset, the client transaction abnormal rate, the transaction frequency information and the transaction amount information as the characteristic information.
Optionally, the processor executes the program to implement the following steps: acquiring historical transaction information stored in a database, wherein the historical transaction information comprises: risk transaction information and normal transaction information; processing the risk transaction information to obtain risk transaction characteristic information, and processing the normal transaction information to obtain normal transaction characteristic information; and establishing the abnormal detection model by adopting a single-layer neural network based on the risk transaction characteristic information and the normal transaction characteristic information.
Optionally, the processor executes the program to implement the following steps: inputting the characteristic information into the abnormality detection model to obtain the processing result with a range of 0 to 1.
Optionally, the processor executes the program to implement the following steps: if the value range of the processing result is within the range of 0 to 0.5, determining that the transaction behavior of the user account is normal; and if the value range of the processing result is within the interval of 0.5 to 1, determining that the transaction behavior of the user account is abnormal.
The present application further provides a computer program product adapted to perform a program for initializing the following method steps when executed on a data processing device: acquiring transaction information of a user account; processing the transaction information to obtain characteristic information; establishing an anomaly detection model by using historical transaction information, and processing the characteristic information by using the anomaly detection model to obtain a processing result; and determining whether the transaction behavior of the user account is abnormal or not based on the processing result.
Optionally, when executed on a data processing device, is adapted to perform a procedure for initializing the following method steps: acquiring client position information and client equipment information used by the user account; acquiring transaction frequency information, transaction time information and transaction amount information corresponding to the transaction behaviors; and acquiring Internet protocol address information corresponding to the transaction behavior.
Optionally, the program, when executed on a data processing device, is adapted to perform a procedure for initializing the following method steps: determining whether a client access anomaly exists based on the client location information, the client device information and the internet protocol address information; and determining whether the client transaction abnormity exists or not based on the transaction time information and the transaction amount information.
Optionally, the program, when executed on a data processing device, is adapted to perform a procedure for initializing the following method steps: under the condition that the client access abnormity is determined, determining a client access abnormity rate and a client access time offset based on the transaction information; under the condition that the client-side transaction abnormity is determined, determining the client-side transaction abnormity rate based on the transaction information, and recording the transaction frequency information and the transaction amount information; and determining the client access abnormal rate, the client access time offset, the client transaction abnormal rate, the transaction frequency information and the transaction amount information as the characteristic information.
Optionally, when executed on a data processing device, is adapted to perform a procedure for initializing the following method steps: acquiring historical transaction information stored in a database, wherein the historical transaction information comprises: risk transaction information and normal transaction information; processing the risk transaction information to obtain risk transaction characteristic information, and processing the normal transaction information to obtain normal transaction characteristic information; and establishing the abnormal detection model by adopting a single-layer neural network based on the risk transaction characteristic information and the normal transaction characteristic information.
Optionally, the program, when executed on a data processing device, is adapted to perform a procedure for initializing the following method steps: inputting the characteristic information into the abnormality detection model to obtain the processing result with a range of 0 to 1.
Optionally, the program, when executed on a data processing device, is adapted to perform a procedure for initializing the following method steps: if the value range of the processing result is within the range of 0 to 0.5, determining that the transaction behavior of the user account is normal; and if the value range of the processing result is within the interval of 0.5 to 1, determining that the transaction behavior of the user account is abnormal.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A user abnormal behavior detection method is characterized by comprising the following steps:
acquiring transaction information of a user account;
processing the transaction information to obtain characteristic information;
establishing an anomaly detection model by adopting historical transaction information, and processing the characteristic information by adopting the anomaly detection model to obtain a processing result;
and determining whether the transaction behavior of the user account is abnormal or not based on the processing result.
2. The method of claim 1, wherein the obtaining transaction information of the user account comprises:
transaction activity in response to the user account;
acquiring client position information and client equipment information used by the user account;
acquiring transaction frequency information, transaction time information and transaction amount information corresponding to the transaction behaviors;
and acquiring Internet protocol address information corresponding to the transaction behavior.
3. The method of claim 2, wherein prior to said processing said transaction information to obtain characterizing information, said method further comprises:
determining whether a client access anomaly exists based on the client location information, the client device information and the internet protocol address information;
and determining whether the client transaction abnormity exists or not based on the transaction time information and the transaction amount information.
4. The method of claim 3, wherein processing the transaction information to obtain characteristic information comprises:
determining a client access anomaly rate and a client access time offset based on the transaction information if the client access anomaly is determined to exist;
under the condition that the client-side transaction abnormity is determined, determining the client-side transaction abnormity rate based on the transaction information, and recording the transaction frequency information and the transaction amount information;
and determining the client access abnormal rate, the client access time offset, the client transaction abnormal rate, the transaction frequency information and the transaction amount information as the characteristic information.
5. The method of claim 1, wherein using historical transaction information to build an anomaly detection model comprises:
obtaining historical transaction information stored in a database, wherein the historical transaction information comprises: risk transaction information and normal transaction information;
processing the risk transaction information to obtain risk transaction characteristic information, and processing the normal transaction information to obtain normal transaction characteristic information;
and establishing the abnormal detection model by adopting a single-layer neural network based on the risk transaction characteristic information and the normal transaction characteristic information.
6. The method of claim 5, wherein processing the feature information using the anomaly detection model to obtain a processing result comprises:
and inputting the characteristic information into the anomaly detection model to obtain the processing result of which the value range is within the range of 0 to 1.
7. The method of claim 6, wherein determining whether there is an anomaly in transaction behavior of the user account based on the processing result comprises:
if the value range of the processing result is within the range of 0 to 0.5, determining that the transaction behavior of the user account is normal;
and if the value range of the processing result is within the interval of 0.5 to 1, determining that the transaction behavior of the user account is abnormal.
8. An abnormal behavior detection apparatus for a user, comprising:
the acquisition module is used for acquiring the transaction information of the user account;
the first processing module is used for processing the transaction information to obtain characteristic information;
the second processing module is used for establishing an abnormality detection model by adopting historical transaction information and processing the characteristic information by adopting the abnormality detection model to obtain a processing result;
and the determining module is used for determining whether the transaction behavior of the user account is abnormal or not based on the processing result.
9. A computer-readable storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform the method of detecting abnormal user behavior of any one of claims 1 to 7.
10. An electronic device comprising one or more processors and memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the user anomalous behavior detection method of any one of claims 1 to 7.
CN202210849208.5A 2022-07-19 2022-07-19 User abnormal behavior detection method and device, electronic equipment and storage medium Pending CN115082078A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210849208.5A CN115082078A (en) 2022-07-19 2022-07-19 User abnormal behavior detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210849208.5A CN115082078A (en) 2022-07-19 2022-07-19 User abnormal behavior detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115082078A true CN115082078A (en) 2022-09-20

Family

ID=83260315

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210849208.5A Pending CN115082078A (en) 2022-07-19 2022-07-19 User abnormal behavior detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115082078A (en)

Similar Documents

Publication Publication Date Title
KR102138965B1 (en) Account theft risk identification method, identification device, prevention and control system
TWI767879B (en) Computer system-based online transaction risk identification method and device
US9876825B2 (en) Monitoring user authenticity
US7815106B1 (en) Multidimensional transaction fraud detection system and method
CN109063966B (en) Risk account identification method and device
EP2748781B1 (en) Multi-factor identity fingerprinting with user behavior
CN111201528B (en) System and method for integrating network fraud intelligence and payment risk decisions
US20160226901A1 (en) Anomaly Detection Using Adaptive Behavioral Profiles
CN103593609B (en) Trustworthy behavior recognition method and device
WO2019007306A1 (en) Method, device and system for detecting abnormal behavior of user
US10630729B2 (en) Detecting fraudulent logins
CN105913257A (en) System And Method For Detecting Fraudulent Online Transactions
AU2006242555A1 (en) System and method for fraud monitoring, detection, and tiered user authentication
KR102058697B1 (en) Financial fraud detection system by deeplearning neural-network
US11205179B1 (en) System, method, and program product for recognizing and rejecting fraudulent purchase attempts in e-commerce
US11823197B2 (en) Authenticating based on user behavioral transaction patterns
US20200311231A1 (en) Anomalous user session detector
Wiefling et al. Pump up password security! Evaluating and enhancing risk-based authentication on a real-world large-scale online service
US20240089260A1 (en) System and method for graduated deny list
US11900377B2 (en) Authenticating based on behavioral transactional patterns
CN108229964B (en) Transaction behavior profile construction and authentication method, system, medium and equipment
US9723017B1 (en) Method, apparatus and computer program product for detecting risky communications
CN115082078A (en) User abnormal behavior detection method and device, electronic equipment and storage medium
US20230012460A1 (en) Fraud Detection and Prevention System
CN116346433A (en) Method and system for detecting network security situation of power system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination