CN115185963A - Risk identification strategy updating method, device, equipment and computer readable medium - Google Patents


Info

Publication number: CN115185963A
Application number: CN202210731439.6A
Authority: CN (China)
Prior art keywords: risk, event, suspicious, business, target
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 郑晶, 魏志文, 曹聿玮, 樊雅君
Current assignee: Perfect World Beijing Software Technology Development Co Ltd
Original assignee: Perfect World Beijing Software Technology Development Co Ltd
Application filed by Perfect World Beijing Software Technology Development Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/23 Updating
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2457 Query processing with adaptation to user needs

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application relates to a method, apparatus, device and computer-readable medium for updating a risk identification policy. The method comprises: when a first business event in a business system is judged, under a first risk identification policy, to be a first suspicious risk event, acquiring data from a target time period that contains second business events previously judged to carry no suspicious risk, as first backtesting data, where the target time period lies earlier than the time point at which the first business event was judged to be the first suspicious risk event; determining, in the first backtesting data, the specific second business events that match the target features of the first suspicious risk event, and re-judging those specific second business events as second suspicious risk events carrying suspicious risk; and updating the first risk identification policy with the second suspicious risk events and the target features to obtain a second risk identification policy. The method and apparatus solve the technical problem that a risk control system is poor at recognising attacks whose features are dispersed in the early stage.

Description

Risk identification policy updating method, device, equipment and computer readable medium
Technical Field
The present application relates to the field of risk control technology, and in particular to a method, apparatus, device and computer-readable medium for updating a risk identification policy.
Background
Risk control refers to a risk manager taking various measures and methods to eliminate or reduce the possibility that a risk event occurs, or to reduce the losses incurred when a risk event does occur. Today a risk control system exists in almost every business system, where it safeguards the safe operation of that system. The risk control system generally judges real-time requests according to rules: once a business risk control system has been built and connected to the business, the business requests that need to be judged call the risk control interface according to an agreed convention (classified by business and by scenario), and the rule engine of the risk control system judges the risk level of the current request and returns that level to the business.
At present, a risk control system in the related art cannot identify every attack request, so many missed judgements and erroneous judgements occur; for attack requests whose features are dispersed in the early stage the identification capability is even worse, and manual intervention is often needed.
No effective solution has yet been proposed for the problem that the risk control system is poor at identifying attacks with dispersed early-stage features.
Disclosure of Invention
The application provides a method, apparatus, device and computer-readable medium for updating a risk identification policy, aiming to solve the technical problem that a risk control system is poor at identifying attacks with dispersed early-stage features.
According to an aspect of an embodiment of the present application, there is provided a method for updating a risk identification policy, including:
when a first business event in a business system is judged, under a first risk identification policy, to be a first suspicious risk event, acquiring data from a target time period that contains second business events previously judged to carry no suspicious risk, as first backtesting data, where the target time period lies earlier than the time point at which the first business event was judged to be the first suspicious risk event;
determining, in the first backtesting data, the specific second business events that match the target features of the first suspicious risk event, and re-judging those specific second business events as second suspicious risk events carrying suspicious risk; and
updating the first risk identification policy with the second suspicious risk events and the target features to obtain a second risk identification policy.
Optionally, the discriminating, based on the first risk identification policy, the first business event in the business system as the first suspicious risk event includes at least one of the following ways:
under the condition that the identification mark carried in the first service request for generating the first service event is identified to be inconsistent with the identification mark used historically and stored in the database, determining the identification mark as a suspicious risk characteristic, and judging the first service event as a first suspicious risk event;
under the condition that the number of the account numbers associated with the identification identifier carried in the first service request in the current risk identification period is greater than or equal to a target number threshold value, determining the identification identifier as a suspicious risk characteristic, and judging the first service event as a first suspicious risk event;
under the condition that the first characteristic of the first business event is identified to be matched with the risk characteristic stored in the preset case base, determining the first characteristic as a suspicious risk characteristic, and judging the first business event as a first suspicious risk event;
the identification mark comprises at least one of a hardware device identifier, a mobile phone number, a phone-number home location and an internet protocol address.
Optionally, before obtaining the data from the target time period that contains second business events previously judged to carry no suspicious risk as first backtesting data, the method further comprises determining the target time period as follows:
determining the activity start time of the business activity to which the first business event belongs, and determining the range from the activity start time to the current time as the target time period; and/or,
determining a discrimination type for discriminating the first business event as a first suspicious risk event;
determining the range from the starting time of the current risk identification period to the current time as a target time period under the condition that the discrimination type is a threshold discrimination type;
and under the condition that the discrimination type is the feature discrimination type, determining the occurrence cycle of the associated event of the first suspicious risk event, taking the occurrence time point of the first suspicious risk event as the latest node of the current occurrence cycle, and determining the time period from the earliest node to the latest node of the current occurrence cycle as the target time period.
Optionally, the first suspected risk event includes a suspected risk feature, and the determining the target time period further includes:
determining a second feature that is in the first suspected risk event with the suspected risk feature as an associated risk feature;
determining the earliest time that the associated risk features occur in other business events;
the range from the earliest time to the current time is determined as the target time period.
Optionally, determining in the first backtesting data the specific second business events that match the target features of the first suspicious risk event comprises:
determining the suspicious risk feature of the first suspicious risk event identified by the first risk identification policy as the target feature, and determining the second business events in the first backtesting data that carry the same target feature as the specific second business events; and/or,
determining the suspicious risk feature together with other features of the first suspicious risk event as associated risk features to serve as the target features, and determining the second business events in the first backtesting data that carry those target features as the specific second business events.
Optionally, after re-discriminating the specific second business event as a second suspicious risk event having a suspicious risk, the method further comprises:
adding the suspicious risk features, the associated risk features and the event features of the second suspicious risk events to the preset case library, so that they serve as basic data for analysing the attack behaviour.
Optionally, after obtaining the second risk identification policy, the method further includes:
performing risk identification on second backtesting data based on the second risk identification policy, where the second backtesting data and the first backtesting data do not completely overlap;
counting the accuracy and the miss rate of the second risk identification policy on suspicious risk events; and
when the accuracy of the second risk identification policy is less than or equal to that of the first risk identification policy and/or the miss rate of the second risk identification policy is greater than or equal to that of the first risk identification policy, continuing to update the second risk identification policy with the second suspicious risk events and the target features, and verifying again on the second backtesting data the accuracy and miss rate with which the updated second risk identification policy identifies suspicious risk events, until the verification passes.
Optionally, after determining that the second risk identification policy verification passes, the method further comprises:
replacing the first risk identification policy with the second risk identification policy in the production environment, so that when the second risk identification policy identifies a third business event that has a feature matching relationship with the first suspicious risk event and/or the second suspicious risk events, the third business event is judged to be a third suspicious risk event carrying suspicious risk.
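The verification loop described in the optional steps above (identify on second backtesting data, count accuracy and miss rate, keep updating until verification passes), as an added Python example that is not the patent's code: policies are modelled as sets of risk features, accuracy is taken as the share of verdicts that agree with the label and miss rate as the share of genuinely suspicious events left unflagged, and the labelled second backtesting data and the order of candidate features are constructed; all of these are assumptions of the example.

```python
from fractions import Fraction


def make_feature_policy(risk_features):
    """Hypothetical policy representation (assumed, not the patent's): an event is
    flagged when any of its features is in the policy's set of risk features."""
    risk_features = frozenset(risk_features)

    def judge(event_features):
        return any(f in risk_features for f in event_features)

    judge.risk_features = risk_features
    return judge


def evaluate_policy(policy, labelled_events):
    """Accuracy = share of verdicts agreeing with the label; miss rate = share of
    genuinely suspicious events the policy fails to flag (definitions assumed here)."""
    correct = sum(1 for feats, label in labelled_events if policy(feats) == label)
    suspicious = [feats for feats, label in labelled_events if label]
    missed = sum(1 for feats in suspicious if not policy(feats))
    return {"accuracy": Fraction(correct, len(labelled_events)),
            "miss_rate": Fraction(missed, len(suspicious)) if suspicious else Fraction(0)}


def verification_passes(new_metrics, old_metrics):
    """Verification fails when accuracy did not rise and/or the miss rate did not fall."""
    return (new_metrics["accuracy"] > old_metrics["accuracy"]
            and new_metrics["miss_rate"] < old_metrics["miss_rate"])


def verify_and_update(first_policy, candidate_features, second_backtest, max_rounds=10):
    """Folds target features taken from the second suspicious risk events into the
    policy one at a time, re-verifying on the second backtesting data each round,
    until verification passes or the candidates run out."""
    baseline = evaluate_policy(first_policy, second_backtest)
    features = set(first_policy.risk_features)
    rounds = 0
    for feature in candidate_features[:max_rounds]:
        features.add(feature)
        rounds += 1
        candidate = make_feature_policy(features)
        metrics = evaluate_policy(candidate, second_backtest)
        if verification_passes(metrics, baseline):
            return {"passed": True, "rounds": rounds, "policy": candidate,
                    "metrics": metrics, "baseline": baseline}
    return {"passed": False, "rounds": rounds, "policy": None,
            "metrics": None, "baseline": baseline}


# Constructed second backtesting data: (event features, truly suspicious?)
SECOND_BACKTEST = [
    (("device:dev-old", "account:acc-01"), True),
    (("device:dev-X", "account:acc-02"), True),
    (("device:dev-Y", "account:acc-05"), True),
    (("device:dev-Z", "account:acc-09"), False),
    (("device:dev-W", "account:acc-10"), False),
    (("device:dev-V", "account:acc-03"), True),
]
# Constructed target features drawn from the second suspicious risk events; the
# first one is a benign account that was swept up, so adding it hurts accuracy.
CANDIDATE_FEATURES = ["account:acc-09", "device:dev-X", "account:acc-05", "account:acc-03"]


def run_verification():
    first_policy = make_feature_policy({"device:dev-old"})
    return verify_and_update(first_policy, CANDIDATE_FEATURES, SECOND_BACKTEST)


if __name__ == "__main__":
    result = run_verification()
    print(result["passed"], result["rounds"], result["baseline"], result["metrics"])
```

In the constructed data the baseline policy reaches accuracy 1/2 and miss rate 3/4; the first two candidate features fail verification (one adds a false positive, the next only restores the baseline accuracy), and the third round passes with accuracy 2/3 and miss rate 1/4, so the fourth feature is never needed.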
According to another aspect of the embodiments of the present application, there is provided an apparatus for updating a risk identification policy, including:
the data acquisition module, configured to acquire, when a first business event in a business system is judged under a first risk identification policy to be a first suspicious risk event, data from a target time period that contains second business events previously judged to carry no suspicious risk, as first backtesting data, where the target time period lies earlier than the time point at which the first business event was judged to be the first suspicious risk event;
the event backtesting module, configured to determine, in the first backtesting data, the specific second business events that match the target features of the first suspicious risk event and to re-judge those specific second business events as second suspicious risk events carrying suspicious risk; and
the policy updating module, configured to update the first risk identification policy with the second suspicious risk events and the target features to obtain a second risk identification policy.
According to another aspect of the embodiments of the present application, there is provided an electronic device, including a memory, a processor, a communication interface, and a communication bus, where the memory stores a computer program executable on the processor, and the memory and the processor communicate with each other through the communication bus and the communication interface, and the processor implements the steps of the method when executing the computer program.
According to another aspect of embodiments of the present application, there is also provided a computer readable medium having non-volatile program code executable by a processor, the program code causing the processor to perform the above-mentioned method.
Compared with the related art, the technical scheme provided by the embodiment of the application has the following advantages:
the method comprises: when a first business event in a business system is judged, under a first risk identification policy, to be a first suspicious risk event, acquiring data from a target time period that contains second business events previously judged to carry no suspicious risk, as first backtesting data, where the target time period lies earlier than the time point at which the first business event was judged to be the first suspicious risk event; determining, in the first backtesting data, the specific second business events that match the target features of the first suspicious risk event, and re-judging those specific second business events as second suspicious risk events carrying suspicious risk; and updating the first risk identification policy with the second suspicious risk events and the target features to obtain a second risk identification policy. According to the method and system, once the first business event is found to be a suspicious risk event under the first risk identification policy, the backtesting data can be retrieved and the business events in it analysed, the second business events that have a feature matching relationship with the first business event can be found, and the first risk identification policy can be updated with those second business events and the matched features, so that suspicious risk events the first risk identification policy could not identify are identified by the second risk identification policy; this solves the technical problem that the risk control system is poor at identifying attacks with dispersed early-stage features.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the technical solutions in the embodiments or related technologies of the present application, the drawings needed to be used in the description of the embodiments or related technologies will be briefly described below, and it is obvious for those skilled in the art to obtain other drawings without any creative effort.
Fig. 1 is a hardware environment diagram of an optional risk identification policy update method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of an update method of an optional risk identification policy according to an embodiment of the present application;
FIG. 3 is a block diagram of an alternative risk identification policy updating apparatus according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an updating apparatus for an optional risk identification policy according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for the convenience of description of the present application, and have no specific meaning in themselves. Thus, "module" and "component" may be used in a mixture.
In the related art, the risk control system cannot identify every attack request, so many missed judgements and erroneous judgements occur; for attack requests with dispersed early-stage features the identification capability is even worse, and manual intervention is often needed.
To solve the problems mentioned in the background, according to an aspect of the embodiments of the present application, an embodiment of an update method of a risk identification policy is provided.
Alternatively, in the embodiment of the present application, the method for updating the risk identification policy may be applied to a hardware environment formed by the terminal 101 and the server 103 as shown in fig. 1. As shown in fig. 1, a server 103 is connected to a terminal 101 through a network, and may be configured to provide services (such as a risk identification service, a backtesting service, a risk identification policy verification service, a risk identification policy generation and update service, and the like) for the terminal or a client installed on the terminal, and a database 105 may be configured on the server or independent from the server, and is configured to provide a data storage service for the server 103, where the network includes but is not limited to: wide area network, metropolitan area network, or local area network, and the terminal 101 includes but is not limited to a PC, a cell phone, a tablet computer, and the like.
The method for updating the risk identification policy in the embodiment of the present application may be executed by the server 103, or may be executed by both the server 103 and the terminal 101, as shown in fig. 2, the method may include the following steps:
step S202, when a first business event in a business system is judged, under a first risk identification policy, to be a first suspicious risk event, acquiring data from a target time period that contains second business events previously judged to carry no suspicious risk, as first backtesting data, where the target time period lies earlier than the time point at which the first business event was judged to be the first suspicious risk event;
step S204, determining, in the first backtesting data, the specific second business events that match the target features of the first suspicious risk event, and re-judging those specific second business events as second suspicious risk events carrying suspicious risk; and
step S206, updating the first risk identification policy with the second suspicious risk events and the target features to obtain a second risk identification policy.
Through steps S202 to S206, when the first business event is found to be a suspicious risk event under the first risk identification policy, the application can retrieve the backtesting data, analyse the second business events in it, find the specific second business events that have a feature matching relationship with the first business event, and update the first risk identification policy with those specific second business events and the matched features, so that suspicious risk events the first risk identification policy could not identify can be identified by the second risk identification policy; this solves the technical problem that the risk control system is poor at identifying attacks with dispersed early-stage features.
An attack with dispersed early-stage features is one in which the suspected offender shows no obvious attack behaviour in the early stage but gradually shows attack behaviour with aggregated features in the later stage. For example, when the suspected offender registers many accounts, a different device is used for each registration, so the risk control system judges all the registration events to be normal events. When the suspected offender later carries out the attack, many accounts log in on one target device within a short time; once the number of logged-in accounts exceeds the one-day discrimination threshold, the risk control system judges the login event that exceeded the threshold to be a first suspicious risk event, and the target device is then found to be the feature through which the suspected offender carried out the attack, i.e. the target device is determined to be a suspicious risk feature.
Under the technical scheme, other events related to the target device are then found in the backtesting data, such as login events on the target device that did not exceed the discrimination threshold and registration events of the accounts that logged in on the target device. The target accounts that logged in on the target device can also be determined to be suspicious risk features, so that further events related to those target accounts, such as their registration events (possibly performed on other devices), are found as well. These events are re-judged as second suspicious risk events and analysed for other abnormalities, to determine whether the accounts that logged in on the target device, the IP addresses related to the target device, the mobile phone numbers and so on are associated risk features related to the suspicious risk feature. Finally the first risk identification policy is updated with the second suspicious risk events, the suspicious risk features and the associated risk features to obtain the second risk identification policy, so that attack behaviour that appeared in the earlier period can be identified by the second risk identification policy: if the offender uses the target device to register or log in on the next day, the suspicious risk feature immediately causes the event to be judged a third suspicious risk event, and if the offender logs in to an account marked as an associated risk feature from another device, the risk control system likewise judges the corresponding event to be a third suspicious risk event immediately.
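Steps S202 to S206 replayed on the device/account scenario just described, as an added Python example that is not code from the patent: the Event and Policy classes, the rule of more than 20 accounts per device per day, the constructed registration and login events, and the dev-X / acc-NN names are all assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


# Constructed data model (not from the patent). `judged_risky` records the
# verdict the policy gave when the event was first seen.
@dataclass
class Event:
    event_id: int
    kind: str          # "register" or "login"
    account: str
    device: str
    time: datetime
    judged_risky: bool = False


@dataclass
class Policy:
    """Hypothetical rule set: one threshold rule plus a feature case library."""
    # Threshold type: more than this many accounts logging in on one device within
    # the one-day risk identification period is abnormal.
    max_accounts_per_day: int
    # Feature type: devices/accounts in the case library are suspicious at once.
    case_library: dict = field(default_factory=lambda: {"device": set(), "account": set()})

    def judge(self, event: Event, history: list) -> bool:
        lib = self.case_library
        if event.device in lib["device"] or event.account in lib["account"]:
            return True
        if event.kind == "login":
            day = event.time.date()
            seen = {e.account for e in history
                    if e.kind == "login" and e.device == event.device
                    and e.time.date() == day}
            seen.add(event.account)
            return len(seen) > self.max_accounts_per_day
        return False


def backtest_data(history, period_start, period_end):
    """S202: events in the target time period that were previously judged normal."""
    return [e for e in history
            if period_start <= e.time <= period_end and not e.judged_risky]


def find_matching_events(first_event, backtest):
    """S204: events sharing the suspicious risk feature (the target device), then
    events sharing the associated risk feature (accounts seen on that device)."""
    device = first_event.device
    by_device = [e for e in backtest if e.device == device]
    accounts = {e.account for e in by_device} | {first_event.account}
    by_account = [e for e in backtest
                  if e.account in accounts and e.device != device]
    return by_device + by_account, accounts


def update_policy(policy, first_event, second_events, accounts):
    """S206: the second policy adds the target features to the case library and
    the matched events are re-judged as second suspicious risk events."""
    for e in second_events:
        e.judged_risky = True
    return Policy(policy.max_accounts_per_day, {
        "device": set(policy.case_library["device"]) | {first_event.device},
        "account": set(policy.case_library["account"]) | accounts,
    })


def run_scenario():
    """Replays the description's example: dispersed registrations, then a burst of logins."""
    day1 = datetime(2022, 6, 1)
    first_policy = Policy(max_accounts_per_day=20)
    history, first_event, eid = [], None, 0
    # Early stage: 21 accounts registered from 21 different devices, all judged normal.
    for i in range(1, 22):
        eid += 1
        history.append(Event(eid, "register", f"acc-{i:02d}", f"reg-dev-{i:02d}",
                             day1 + timedelta(hours=8, minutes=i)))
    # Later stage: the same 21 accounts log in on one target device within an hour.
    for i in range(1, 22):
        eid += 1
        e = Event(eid, "login", f"acc-{i:02d}", "dev-X", day1 + timedelta(hours=10, minutes=i))
        e.judged_risky = first_policy.judge(e, history)
        history.append(e)
        if e.judged_risky and first_event is None:
            first_event = e
    # Threshold type: the target period runs from the start of the current day to now.
    backtest = backtest_data(history, day1, first_event.time)
    second_events, accounts = find_matching_events(first_event, backtest)
    second_policy = update_policy(first_policy, first_event, second_events, accounts)
    # Next-day probes: would each policy flag the event immediately?
    day2 = day1 + timedelta(days=1)
    probes = {
        "known_account_new_device": Event(900, "login", "acc-05", "new-dev", day2),
        "new_account_target_device": Event(901, "register", "acc-99", "dev-X", day2),
        "unrelated": Event(902, "login", "acc-77", "dev-Z", day2),
    }
    return {
        "first_event_id": first_event.event_id,
        "backtest_size": len(backtest),
        "second_event_count": len(second_events),
        "associated_accounts": len(accounts),
        "old_verdicts": {k: first_policy.judge(e, history) for k, e in probes.items()},
        "new_verdicts": {k: second_policy.judge(e, history) for k, e in probes.items()},
    }


if __name__ == "__main__":
    print(run_scenario())
```

The 21st login trips the threshold and becomes the first suspicious risk event; the backtest then recovers the 20 earlier logins on dev-X and, through the accounts they share, all 21 registrations made on other devices. Under the first policy none of the next-day probes is flagged; under the second policy the known account on a new device and the new account on the target device are both judged immediately, while the unrelated event is still left alone.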
In the technical solution provided in step S202, the first business event may be a registration event, a login event, a payment event, a refund event, a participation event in a new-user acquisition campaign, an invitation event, an assistance event, and so on. The target time period is the acquisition range of the backtesting data, determined after the risk control system identifies the first suspicious risk event.
Optionally, judging the first business event in the business system to be the first suspicious risk event under the first risk identification policy includes at least one of the following ways:
First, when the identification mark carried in the first service request that generated the first service event is recognised to be inconsistent with the historically used identification marks stored in the database, the identification mark is determined to be a suspicious risk feature and the first service event is judged to be a first suspicious risk event.
In the embodiment of the application, a service event is generated by a user sending a service request to the service system. The identification mark comprises at least one of a hardware device identifier, a mobile phone number, a phone-number home location and an internet protocol address. That is: when the device number in the first service event is inconsistent with the historically used device numbers stored in the database, the event is determined to have been requested by the user from an unfamiliar device; when the IP address in the first service event is inconsistent with the historically used IP addresses stored in the database, the user is determined to have requested the event from a different location; when the mobile phone number in the first service event is inconsistent with the historically used mobile phone numbers stored in the database, the user is determined to have requested the event with an unusual mobile phone number; and when the home location of the mobile phone number in the first service event is inconsistent with the home locations of the historically used numbers stored in the database, the user is determined to have requested the event from a different location. In that case the risk control system judges the first service event showing the abnormality to be a first suspicious risk event and determines the identification mark involved to be a suspicious risk feature.
Second, when the number of accounts associated in the current risk identification period with the identification mark carried in the first service request is greater than or equal to the target number threshold, the identification mark is determined to be a suspicious risk feature and the first service event is judged to be a first suspicious risk event.
In the embodiment of the application, the risk identification period is the period after which the risk control system resets the threshold condition. If it is specified that more than 20 accounts logging in on the same device in one day is abnormal, then 19 accounts logging in on the target device today are all judged to be normal events, and 19 accounts logging in on the target device the next day are likewise judged to be normal events; but if 21 accounts log in on the target device on the same day, then when the 21st account logs in, the current login event is judged to be a first suspicious risk event and the identification mark involved (such as the device number of the target device) is determined to be a suspicious risk feature.
Third, when the first feature of the first business event is recognised to match a risk feature stored in the preset case library, the first feature is determined to be a suspicious risk feature and the first business event is judged to be a first suspicious risk event.
In the embodiment of the application, the preset case library stores the risk features of suspicious risk events already identified by the risk control system; during further identification the risk control system can compare business events against the risk features in the preset case library, and if the first feature of the first business event is recognised to match a risk feature stored in the preset case library, the first feature can be determined to be a suspicious risk feature and the first business event judged to be a first suspicious risk event.
In this embodiment of the application, other judgement conditions may also be set. For example, if more than 40 accounts are associated with the same device, the device is abnormal; this count is not kept per identification period and is not reset to zero when the identification period ends, so if the cumulative number of accounts associated with the same device exceeds the threshold, the device is determined to be abnormal.
In this embodiment of the application, the risk identification policy may consist of a single condition or a combination of several conditions. A judgement condition may be of the threshold judgement type, for example judging an abnormality when the number of accounts logging in on one device in one day is greater than 20, or of the feature judgement type, for example judging an abnormality when certain specific fields appear.
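The first and second judgement ways above, together with the cumulative device-account condition that is not reset at the period boundary, as an added Python example that is not the patent's code: HISTORY_DB stands in for the database of historically used identifiers, the thresholds of 20 per day and 40 cumulative follow the figures in the text, and the account, device, phone and IP values are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the database of historically used identifiers
# (not data from the patent); keyed by account, one set per identifier kind.
HISTORY_DB = {
    "acc-01": {"device": {"dev-A"}, "phone": {"13800000001"},
               "phone_region": {"Beijing"}, "ip": {"10.0.0.1"}},
}
IDENTIFIER_KINDS = ("device", "phone", "phone_region", "ip")


def inconsistent_identifiers(account, request):
    """First way: compare each identifier carried by the request with the ones the
    account used historically. Returns the kinds that differ; a non-empty result
    marks the event a first suspicious risk event and those identifiers
    suspicious risk features. Accounts with no history yield nothing."""
    known = HISTORY_DB.get(account, {})
    return {kind for kind in IDENTIFIER_KINDS
            if kind in request and kind in known and request[kind] not in known[kind]}


class DeviceAccountCounter:
    """Second way plus the additional condition: a per-period counter that resets
    with each risk identification period (one calendar day here) and a cumulative
    counter that is never reset to zero."""

    def __init__(self, period_threshold=20, cumulative_threshold=40):
        self.period_threshold = period_threshold
        self.cumulative_threshold = cumulative_threshold
        self.per_period = defaultdict(set)   # (device, day) -> accounts seen
        self.cumulative = defaultdict(set)   # device -> accounts seen ever

    def observe_login(self, device, account, when):
        """Records the login and returns the names of the conditions it trips."""
        self.per_period[(device, when.date())].add(account)
        self.cumulative[device].add(account)
        tripped = []
        if len(self.per_period[(device, when.date())]) > self.period_threshold:
            tripped.append("period_threshold")
        if len(self.cumulative[device]) > self.cumulative_threshold:
            tripped.append("cumulative_threshold")
        return tripped


def simulate_slow_attack():
    """Constructed scenario: 19 fresh accounts per day on one device stay under the
    per-day threshold every day, but the cumulative counter catches the 41st account."""
    counter = DeviceAccountCounter()
    day1 = datetime(2022, 6, 1)
    period_alerts, cumulative_alert_on, n = 0, None, 0
    for day_offset in range(3):
        when = day1 + timedelta(days=day_offset)
        for _ in range(19):
            n += 1
            tripped = counter.observe_login("dev-X", f"acc-{n:03d}", when)
            if "period_threshold" in tripped:
                period_alerts += 1
            if "cumulative_threshold" in tripped and cumulative_alert_on is None:
                cumulative_alert_on = f"acc-{n:03d}"
    return {"period_alerts": period_alerts, "cumulative_alert_on": cumulative_alert_on}


if __name__ == "__main__":
    print(inconsistent_identifiers("acc-01", {"device": "dev-B", "ip": "10.0.0.1"}))
    print(simulate_slow_attack())
```

The slow-attack scenario shows why the text adds the cumulative condition: spreading 19 logins per day never trips the per-period rule, while the cumulative counter fires on the 41st distinct account.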
After the first business event is determined to be the first suspicious risk event, in order to find, among the second business events previously determined to carry no suspicious risk, the specific second business events that have a feature matching relationship with the first suspicious risk event, the acquisition range of the first backtesting data, that is, the target time period, needs to be determined first. The range of the first backtesting data depends on the type of the first suspicious risk event and on the activity to which it belongs, as described below.
Optionally, before obtaining the data from the target time period that contains second business events previously judged to carry no suspicious risk as first backtesting data, the method further comprises determining the target time period as follows:
determining the activity start time of the business activity to which the first business event belongs, and determining the range from the activity start time to the current time as the target time period; and/or,
determining a discrimination type for discriminating the first business event as a first suspicious risk event;
determining the range from the starting time of the current risk identification period to the current time as a target time period under the condition that the discrimination type is a threshold discrimination type;
and under the condition that the discrimination type is the feature discrimination type, determining the occurrence cycle of the associated event of the first suspicious risk event, taking the occurrence time of the first suspicious risk event as the latest node of the current occurrence cycle, and determining the time period from the earliest node to the latest node of the current occurrence cycle as the target time period.
In this embodiment, the business activities may include various promotion activities (such as following a merchant's media account to receive a coupon), new-user acquisition activities (such as new-user registration for a community group-buying application, pre-registration for a new game, and the like), popularization activities, public service activities, and the like. If the first business event was caused by a certain business activity, the range from the activity starting time of the business activity to which the first business event belongs to the current time is determined as the target time period.
In the embodiment of the application, for the threshold discrimination type, the range from the starting time of the current risk identification period to the current time may be determined as the target time period. For example, if the determination condition triggered by the first suspicious risk event is that more than 20 accounts logged in on the same device in one day, and the first suspicious risk event is the target device logging in its 21st account, then the time period from zero hour of that day to the current moment is determined as the acquisition range of the backtest data. For the feature discrimination type, it is first checked whether the first suspicious risk event has an associated event; if it does, the occurrence cycle of the associated event is determined, the occurrence time of the first suspicious risk event is taken as the latest node of the current occurrence cycle, and the time period from the earliest node to the latest node of that cycle is determined as the target time period. For example, a payment event and a refund event are associated events, and a refund is only allowed within 24 hours after the payment event occurs; if the risk control system finds an abnormality in the current refund event, it looks back 24 hours from that event to obtain the backtest data.
Optionally, the acquisition range of the backtest data may also be determined starting from the suspicious risk feature and the other features of the first suspicious risk event. Specifically, a second feature that appears in the first suspicious risk event together with the suspicious risk feature is determined as an associated risk feature; the earliest time at which the associated risk feature occurs in other business events is determined; and the range from that earliest time to the current time is determined as the target time period. The other business events include the second business events, so after the associated risk feature is determined, the range from the earliest time at which it occurs in a second business event to the current time may be taken as the target time period. For example, if the suspicious risk feature of the first suspicious risk event is device number AAA and the associated risk features include account number BBB, mobile phone number CCC and so on, the earliest occurrence of each of these features is considered: if device number AAA first occurs in registration event 1, which took place one month ago, account number BBB first occurs in registration event 2 (the registration generated account number BBB), which took place two months ago, and mobile phone number CCC first occurs in registration event 3, which took place three months ago, then the range from the occurrence time of registration event 3 to the current time is determined as the acquisition range of the backtest data. This approach can be applied to events of both the threshold discrimination type and the feature discrimination type described above, and is particularly suited to a feature discrimination type event that has no associated event.
In this embodiment of the application, the first backtest data may include the second business events identified as being without suspicious risk in the target time period, so that the specific second business events having a feature matching relationship with the first suspicious risk event can be found more quickly and more precisely when the backtest is performed. It may also include all business events generated in the target time period, so that when the updated second risk identification policy is checked, its identification result can be compared more fully with that of the first risk identification policy, in order to decide whether to replace the first risk identification policy with the second risk identification policy.
After the backtest data is acquired according to the target time period, the backtest can be carried out.
Optionally, determining in the first backtest data a specific second business event matching the target feature of the first suspicious risk event comprises:
determining the suspicious risk feature of the first suspicious risk event identified by the first risk identification policy as the target feature, and determining a second business event in the first backtest data having the same target feature as a specific second business event; and/or,
determining the other features in the first suspicious risk event that accompany the suspicious risk feature as associated risk features, using them as target features, and determining a second business event in the first backtest data having the target features as a specific second business event.
In the embodiment of the present application, when some business events occur the suspicious risk feature does not yet show an abnormality and is not marked as a suspicious risk feature (for example, the number of accounts logged in on a device in a single day is still below the determination threshold), so the purpose of the backtest is to find the events of the earlier period that carried the suspicious risk feature without showing an abnormality. In other words, in this embodiment the backtest finds the specific second business events that have a feature matching relationship with the first suspicious risk event, where matching means matching a target feature. The target features include the suspicious risk feature identified in the first suspicious risk event by the first risk identification policy, and may also include the other associated risk features that appear in the first suspicious risk event together with the suspicious risk feature. For example, suppose the first suspicious risk event is a user logging in to account BBB on device AAA using mobile phone number CCC, the determination condition is that more than 20 accounts logged in on the same device in one day is abnormal, and account BBB happens to be the 21st account logged in on device AAA that day. The first risk identification policy then determines device AAA as the suspicious risk feature of the first suspicious risk event, and mobile phone number CCC and account BBB as the associated risk features of device AAA. When the backtest data is re-discriminated, the business events having the suspicious risk feature and/or the associated risk features are determined as the specific second business events.
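The backtest described above (first determining the target time period, then matching second business events in that period against the target features) worked through in Python. This is an added example written for this page, not code from the patent or its assignee: the event records, the feature names device/phone/account, the fixed current time, and the rule of taking the widest window when several period rules apply at once are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BusinessEvent:
    event_id: str
    event_type: str
    occurred_at: datetime
    features: dict            # feature field -> value, e.g. {"device": "AAA"}
    suspicious: bool = False  # verdict of the first risk identification policy


def earliest_occurrence(first, target_features, history):
    """Earliest time at which any target feature value appears in another
    business event (the associated-risk-feature rule of the page)."""
    times = [e.occurred_at for e in history
             if e.event_id != first.event_id
             and any(e.features.get(k) == v for k, v in target_features.items())]
    return min(times) if times else None


def target_period(first, target_features, now, discrimination_type, *,
                  activity_start=None, period_start=None,
                  associated_cycle=None, history=None):
    """Return (start, end) of the target time period.

    activity_start   : start of the business activity the event belongs to
    threshold type   : start of the current risk identification period
    feature type     : one occurrence cycle of the associated event before the
                       first suspicious risk event, or, when there is no
                       associated event, the earliest occurrence of a target
                       feature in other events
    Assumption (not stated on the page): when several rules apply, the widest
    window, i.e. the earliest start, is used.
    """
    starts = []
    if activity_start is not None:
        starts.append(activity_start)
    if discrimination_type == "threshold":
        if period_start is None:
            raise ValueError("threshold discrimination needs period_start")
        starts.append(period_start)
    elif discrimination_type == "feature":
        if associated_cycle is not None:
            starts.append(first.occurred_at - associated_cycle)
        elif history is not None:
            t = earliest_occurrence(first, target_features, history)
            if t is not None:
                starts.append(t)
    else:
        raise ValueError(f"unknown discrimination type: {discrimination_type}")
    if not starts:
        raise ValueError("no rule produced a start time")
    return min(starts), now


def find_specific_events(first, target_features, history, start, end):
    """Second business events (previously judged risk-free) inside the target
    period that share at least one target feature value with the first event."""
    return [e for e in history
            if e.event_id != first.event_id and not e.suspicious
            and start <= e.occurred_at <= end
            and any(e.features.get(k) == v for k, v in target_features.items())]


# Constructed sample history mirroring the page's example: device AAA first seen
# one month ago, account BBB two months ago, mobile number CCC three months ago.
NOW = datetime(2022, 6, 1, 12, 0)
HISTORY = [
    BusinessEvent("reg3", "registration", NOW - timedelta(days=90),
                  {"device": "D9", "phone": "CCC", "account": "K1"}),
    BusinessEvent("reg2", "registration", NOW - timedelta(days=60),
                  {"device": "D8", "phone": "P8", "account": "BBB"}),
    BusinessEvent("reg0", "registration", NOW - timedelta(days=45),
                  {"device": "ZZZ", "phone": "P6", "account": "K3"}),
    BusinessEvent("reg1", "registration", NOW - timedelta(days=30),
                  {"device": "AAA", "phone": "P7", "account": "K2"}),
    BusinessEvent("login1", "login", NOW - timedelta(hours=1),
                  {"device": "AAA", "phone": "CCC", "account": "BBB"},
                  suspicious=True),
]
FIRST = HISTORY[-1]
# suspicious risk feature (device AAA) plus its associated risk features
TARGET_FEATURES = {"device": "AAA", "phone": "CCC", "account": "BBB"}


if __name__ == "__main__":
    start, end = target_period(FIRST, TARGET_FEATURES, NOW, "feature", history=HISTORY)
    print("target period:", start, "->", end)
    for e in find_specific_events(FIRST, TARGET_FEATURES, HISTORY, start, end):
        print("specific second business event:", e.event_id, e.features)
```

With the feature discrimination type and no associated event, the window starts at registration event 3 (three months ago) and all three registration events that share a target feature are returned; with the threshold type the window is only the current day, so none of the old registrations fall inside it.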
Optionally, after re-discriminating the specific second business event as a second suspicious risk event having suspicious risk, the method further comprises:
adding the suspicious risk feature, the associated risk features and the event features of the second suspicious risk event to the preset case library, so that they serve as basic data for analyzing the attack behavior.
In the embodiment of the application, in order to analyze the attack behavior of suspected illegal actors more accurately and comprehensively, the identified suspicious risk feature, associated risk features and event features of the second suspicious risk event can be added to the preset case library, so that they serve as basic data for analyzing the attack behavior and at the same time provide comparison data when the risk control system identifies other business events. In practice, one skilled in the art may select some or all of the suspicious risk feature, associated risk features and event features of the second suspicious risk event, according to the business concerned, to analyze the attack behavior.
In the technical solution provided in step S206, the first risk identification policy is updated using the second suspicious risk event and the target features: on the basis of the first risk identification policy, a new rule is generated with the suspicious risk feature, the associated risk features and/or a feature of the second suspicious risk event as screening conditions, and added to the first risk identification policy. For example, if the suspicious risk feature is device AAA, the associated risk features are account BBB and mobile phone number CCC, and the second suspicious risk event has feature DDD, a new rule is generated with these features as screening fields and added to the first risk identification policy to obtain the second risk identification policy.
Optionally, after the second risk identification policy is obtained, it needs to be checked to determine whether it meets the requirement for going online, and the method further comprises:
step 1, performing risk identification on second backtest data based on the second risk identification policy, wherein the second backtest data and the first backtest data do not completely overlap;
step 2, counting the accuracy and the miss rate of the second risk identification policy on suspicious risk events;
step 3, when the accuracy of the second risk identification policy is less than or equal to that of the first risk identification policy and/or the miss rate of the second risk identification policy is greater than or equal to that of the first risk identification policy, continuing to update the second risk identification policy using the second suspicious risk event and the target features, and verifying again with the second backtest data the accuracy and miss rate of the suspicious risk events identified by the updated second risk identification policy, until the verification passes.
In the embodiment of the present application, the second backtest data does not completely overlap the first backtest data: the overlap may be partial in time or partial in data. For example, the second backtest data may be data before the current time point that does not completely coincide with the first backtest data. Preferably there is no overlap at all, that is, the second backtest data is the data acquired from the last backtest (the backtest performed when the associated event A was found to be abnormal after event B was abnormal) up to the current time point, since checking the second risk identification policy against such second backtest data is the most meaningful.
In the embodiment of the application, the second risk identification policy is determined to pass the check when its accuracy is greater than that of the first risk identification policy and its miss rate is less than that of the first risk identification policy.
In the embodiment of the present application, the accuracy may be calculated as the number of true exceptions among the exceptions identified by the current rule divided by the total number of identified exceptions. The miss rate may be calculated as the number of unidentified exceptions divided by the number of true exceptions in the backtest data.
In the embodiment of the application, if the accuracy of the second risk identification policy is higher than that of the first risk identification policy and its miss rate is lower than that of the first risk identification policy, the second risk identification policy is determined to meet the online requirement and passes the check; otherwise the check fails, and the second risk identification policy must continue to be updated using the second suspicious risk event and the target features until the check passes. In practical application, the second risk identification policy has a wider determination range than the first, so it determines more events to be risky; for example, the first risk identification policy may determine 100 of 1000 events to be risky while the second determines 200 of the 1000. The constraint on the accuracy of the second risk identification policy can therefore be relaxed somewhat in practice: if the accuracy of the first risk identification policy is 95% and that of the second is 90%, the second risk identification policy may still be used online, that is, the accuracy of the second risk identification policy may be allowed to be slightly lower than that of the first.
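The accuracy and miss rate check of steps 1 to 3 as an added Python example, not code from the patent: the two policies, the hand-labelled backtest records and the accuracy tolerance that implements the relaxation just described are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyMetrics:
    accuracy: float   # true exceptions / all exceptions identified by the policy
    miss_rate: float  # true exceptions not identified / true exceptions in the data


def evaluate(policy, backtest):
    """policy: callable(features) -> True when the event is flagged as an exception.
    backtest: list of (features, is_true_exception) pairs."""
    identified = [truth for feats, truth in backtest if policy(feats)]
    true_total = sum(1 for _, truth in backtest if truth)
    true_hits = sum(1 for truth in identified if truth)
    accuracy = true_hits / len(identified) if identified else 0.0
    miss_rate = (true_total - true_hits) / true_total if true_total else 0.0
    return PolicyMetrics(accuracy, miss_rate)


def passes_check(new, old, accuracy_tolerance=0.0):
    """Page rule: the updated policy passes when its accuracy is higher and its
    miss rate lower than the previous policy's. accuracy_tolerance is an added
    knob for the relaxation the page allows (a slightly lower accuracy may be
    accepted because the updated policy flags more events)."""
    return (new.accuracy > old.accuracy - accuracy_tolerance
            and new.miss_rate < old.miss_rate)


# First policy: the page's threshold rule (more than 20 logins on one device per day).
def first_policy(f):
    return f["logins_today"] > 20


# Second policy: the first rule plus a new rule screening on the features found
# by the backtest (device AAA, account BBB, mobile number CCC).
def second_policy(f):
    return (first_policy(f) or f["device"] == "AAA"
            or f["account"] == "BBB" or f["phone"] == "CCC")


# Constructed second backtest data: (features, true exception?), labelled by hand.
BACKTEST = [
    ({"logins_today": 25, "device": "D1", "account": "K1", "phone": "P1"}, True),
    ({"logins_today": 30, "device": "D2", "account": "K2", "phone": "P2"}, True),
    ({"logins_today": 21, "device": "D3", "account": "K3", "phone": "P3"}, False),
    ({"logins_today": 5, "device": "AAA", "account": "K4", "phone": "P4"}, True),
    ({"logins_today": 3, "device": "D5", "account": "BBB", "phone": "P5"}, True),
    ({"logins_today": 2, "device": "D6", "account": "K6", "phone": "CCC"}, False),
    ({"logins_today": 1, "device": "D7", "account": "K7", "phone": "P7"}, True),
    ({"logins_today": 4, "device": "D8", "account": "K8", "phone": "P8"}, False),
    ({"logins_today": 6, "device": "D9", "account": "K9", "phone": "P9"}, False),
    ({"logins_today": 2, "device": "D10", "account": "K10", "phone": "P10"}, False),
]


def compare_policies(tolerance=0.0):
    """Metrics of both policies on the backtest data and the check verdict."""
    old = evaluate(first_policy, BACKTEST)
    new = evaluate(second_policy, BACKTEST)
    return old, new, passes_check(new, old, tolerance)


if __name__ == "__main__":
    old, new, ok = compare_policies()
    print("first :", old)
    print("second:", new)
    print("strict check passed:", ok)
    print("relaxed (5% accuracy tolerance) passed:", compare_policies(0.05)[2])
```

On this data the second policy halves the miss rate (0.2 against 0.6) while its accuracy stays at two thirds, equal to the first policy's; the strict rule therefore rejects it, and only the relaxed check with an accuracy tolerance lets it go online.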
In the embodiment of the application, the updating of the first risk identification strategy not only adds more detailed screening rules for the suspicious risk characteristics, the associated risk characteristics and the second suspicious risk events, but also eliminates the characteristics containing misjudgment events in the first risk identification strategy, thereby further improving the accuracy of the second risk identification strategy and reducing the misjudgment rate.
Optionally, after determining that the second risk identification policy verification passes, the method further comprises:
replacing the first risk identification policy with the second risk identification policy in the production environment, so that, when the second risk identification policy identifies a third business event having a feature matching relationship with the first suspicious risk event and/or the second suspicious risk event, the third business event is judged to be a third suspicious risk event having suspicious risk.
In the embodiment of the application, after the second risk identification strategy is on line, the attack behavior with dispersed early-stage features can be identified by using the second risk identification strategy.
Further, the present application also provides a risk identification method for business events, used to determine the first suspicious risk event in the update scheme of the risk identification policy, that is, to complete the process of judging a first business event in the business system as the first suspicious risk event based on the first risk identification policy. Specifically, the risk level of each business event is evaluated: suspicious risk features in the business event are determined through the gene map and the feature association relation, and the business event is judged to be the first suspicious risk event when, according to the suspicious risk features, its risk level reaches the set risk level. The risk identification method for business events is described in detail below.
The risk identification method of the business event can comprise the following steps:
step 1, acquiring a service event generated by a service system in a production environment, wherein the service event is generated after a target object sends a service request to the service system, and the service system is used for providing a service of a target service for the target object;
step 2, extracting event characteristics of the business events, and constructing a gene map of the target business with the event characteristics as gene composition elements, wherein the gene map is used for expressing the characteristic incidence relation between the business events of the target business;
step 3, determining suspicious risk features of the target business based on the gene map and the feature association relation; and
step 4, determining the risk level of the business event according to the suspicious risk features.
In the embodiment of the application, after a user sends a service request to the service system, the service system responds to the service request by creating a corresponding task, and that task is a service event: if the user sends a registration request to the service system, a registration event is generated; if the user sends a login request, a login event is generated; if the user sends a participation request for a new-user acquisition (pull-new) activity, a participation event of the same nature as a registration event is generated; and if the user sends an assistance request for the pull-new activity, an assistance event for the inviter is generated. The service system is used to provide the user with registration service, login service, recharge service, pull-new activity service and the like. The production environment may be the working environment in which the service system operates online.
Optionally, the extracting the event features of the service event, and constructing the genetic map of the target service with the event features as genetic elements includes:
step 1, determining the event type of a business event, and extracting the characteristic field forming the business event.
In the embodiment of the application, the service request has different request types, such as a registration request, a login request, a participation request, an assistance request and the like; correspondingly, the service event also has different event types, namely a registration event, a login event, a recharge event, a participation event, an assistance event, a gift event and the like. Different types of events may have the same feature fields, such as device number, mobile phone number, IP address, account number, and so on.
The construction of the genetic map of the target service is to perform joint analysis on the characteristics of a plurality of service events of the target service, so as to mine the characteristic association relationship among the service events of the target service, such as that a plurality of account numbers are registered in one equipment number, an account number is registered in a plurality of equipment, a plurality of IP addresses, and the like.
step 2, determining, for each feature field at the field naming node corresponding to that feature field, a field name matching the event type, wherein feature fields of the same category correspond to the same field naming node, and the field naming node is used to determine the definitions of feature fields of the same category in different service events.
In the embodiment of the present application, the definitions of feature fields of the same category in different service events may be determined at the field naming node, that is, a field name matching the event type is determined for each feature field. For example, in a registration event the device number feature field may be named the registered device number, in a login event the device number may be named the login device number, and in a recharge event the device number may be named the recharge device number. The registered device number, login device number, recharge device number and so on all belong to the same category, namely the device number category; similarly, the mobile phone number fields of different events belong to the mobile phone number category, the IP address fields to the IP address category, and the account number fields to the account number category.
step 3, constructing the gene map of the target service based on the field names and field values of the feature fields, wherein the event features comprise the event type, the field names of the feature fields and the field values of the feature fields.
In the embodiment of the present application, in order for the gene map to represent the feature association relationship between the service events of the target service, the feature fields of a service event may be divided into core fields and associated fields: a core field represents a core feature of the service event, and an associated field represents a feature that has an association relationship with the core feature. When the gene map is constructed, all the features of service events with the same core feature (namely the core features represented by the core fields and the associated features represented by the associated fields) are merged, keeping what they have in common and recording where they differ, and finally a gene map reflecting the feature association relationship between events can be constructed from all the service events of the target service that have occurred. The technical scheme for constructing the gene map of the target service based on the field names and field values of the feature fields is described in detail below.
Optionally, constructing the genetic map of the target service based on the field names and the field values of the feature fields comprises:
step 1, dividing the characteristic field of each business event into a core field and an associated field according to the core field name and the associated field name which are specified for each business event in advance.
In the embodiment of the application, the designation of the core field and the associated field may be set according to the specific situation of the service event, for example, in the registration event, the device number is designated as the core field, the registered device number is the core field name, and the mobile phone number and the account number are designated as the associated field, so that the registered mobile phone number and the account number are the associated field name.
step 2, extracting a plurality of target business events whose core fields have the same field value.
In the embodiment of the present application, if the specified core field is the device number and the following events occur: event one, device A with mobile phone number B registers account B; event two, device C with mobile phone number D registers account D; event three, device A with mobile phone number D logs in to account D; then the field values of the core field of event one and event three match exactly (both are device A), so event one and event three are determined as target business events whose features are to be merged, and event two is used on its own as a target business event.
step 3, merging the core fields with the same field value in the target business events, and adding the merged core field, the field value of the core field, all the other associated fields and their corresponding field values to the same gene cluster.
In the embodiment of the application, merging the core fields with the same field value, as with event one and event three, means that only one copy of the repeated field value is kept when the core field is added to a gene cluster, while all the other associated fields and their corresponding field values are added to the same gene cluster.
step 4, establishing connections between associated fields with the same field value in different gene clusters.
In the embodiment of the application, connections can be established between associated fields with the same field value across several gene clusters; the connection may take the form of an intersection, or another form of connection such as a link.
step 5, determining the map formed by the plurality of gene clusters as the gene map.
The gene map in the embodiment of the application is composed of a plurality of gene clusters, and service events and characteristics of a plurality of services are integrated, so that the gene map is used as the basis of characteristic analysis.
If there are multiple core fields specified, a genetic map can be generated according to the following logic.
Optionally, constructing the genetic map of the target service based on the field name and the field value of the feature field further comprises:
step 1, dividing a characteristic field of each business event into a core field and an associated field according to a core field name and an associated field name which are specified for each business event in advance;
step 2, determining the priority of each core field under the condition that a plurality of core fields exist in the same service event;
step 3, comparing the field values of the core fields among a plurality of service events in sequence according to the priority;
step 4, determining a plurality of service events with the priority greater than or equal to the target priority and the same field value of the core field as target service events;
step 5, merging the core fields with the same field value in the target business event, and adding the merged core fields, the field values of the core fields, all other associated fields and corresponding field values to the same gene cluster;
step 6, establishing connection between related fields with the same field value in different gene clusters;
step 7, determining the map formed by the plurality of gene clusters as the gene map.
If a plurality of core fields are specified, a gene map can also be generated according to the following weighted logic.
Optionally, constructing the genetic map of the target service based on the field name and the field value of the feature field further comprises:
step 1, dividing a characteristic field of each business event into a core field and an associated field according to a core field name and an associated field name which are specified for each business event in advance;
step 2, distributing weight to each core field under the condition that a plurality of core fields exist in the same service event;
step 3, comparing the field values of the core fields among a plurality of business events;
step 4, accumulating the weights corresponding to the core fields with the same field value to obtain the similarity of the core fields;
step 5, determining a plurality of service events with the core field similarity greater than or equal to a target threshold value as target service events;
step 6, merging the core fields with the same field value in the target business event, and adding the merged core fields, the field values of the core fields, all other associated fields and corresponding field values to the same gene cluster;
step 7, establishing connection between the associated fields with the same field value in different gene clusters;
step 8, determining the map formed by the plurality of gene clusters as the gene map.
In this embodiment of the application, if the device number, the mobile phone number and the account number are specified as core fields with weights of 0.5, 0.3 and 0.2 respectively, and the target threshold is 0.5, then the cases in which events can be added to the same gene cluster include: consistent device numbers, consistent device numbers plus mobile phone numbers, and consistent device numbers plus account numbers; whereas consistent mobile phone numbers and account numbers alone cannot be added to the same gene cluster. The weights and the target threshold of the core fields can be configured according to the requirements of the actual business.
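One way to implement the gene cluster construction of both procedures above, the single core field version (step 1 to step 5) and the weighted multi core field version (step 1 to step 8), as an added Python example that is not code from the patent. Single core construction is treated as the weighted case with one core field of weight 1.0 and threshold 1.0; events are compared pairwise and grouped with union-find, which the page does not prescribe; the three-event sample follows the page's device A / device C example, while the four-event weighted sample and the `ip` associated field are constructed.

```python
from collections import defaultdict
from itertools import combinations


def core_similarity(a, b, core_weights):
    """Sum of the weights of the core fields on which two events agree."""
    return sum(w for f, w in core_weights.items()
               if a["features"].get(f) is not None
               and a["features"].get(f) == b["features"].get(f))


def build_gene_map(events, core_weights, threshold):
    """Group events whose core-field similarity reaches the threshold into gene
    clusters, then link clusters whose associated fields share a value.
    Every field not in core_weights is treated as an associated field.
    Returns (clusters, links); a link is (cluster_i, cluster_j, field, value)."""
    n = len(events)
    parent = list(range(n))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    # merge step: pairwise comparison of core fields, union the events to merge
    for i, j in combinations(range(n), 2):
        if core_similarity(events[i], events[j], core_weights) >= threshold:
            parent[find(i)] = find(j)

    groups = defaultdict(list)
    for i in range(n):
        groups[find(i)].append(i)

    clusters = []
    for members in groups.values():
        core, assoc = defaultdict(set), defaultdict(set)
        for i in members:
            for f, v in events[i]["features"].items():
                # a repeated core value is kept only once (set semantics)
                (core if f in core_weights else assoc)[f].add(v)
        clusters.append({"events": sorted(events[i]["id"] for i in members),
                         "core": dict(core), "associated": dict(assoc)})
    clusters.sort(key=lambda c: c["events"])

    # link step: associated fields with the same value in different clusters
    where = defaultdict(set)
    for ci, c in enumerate(clusters):
        for f, values in c["associated"].items():
            for v in values:
                where[(f, v)].add(ci)
    links = [(a, b, f, v) for (f, v), cis in where.items() if len(cis) > 1
             for a, b in combinations(sorted(cis), 2)]
    return clusters, sorted(links)


# Constructed sample: the page's three events (event 1 and event 3 share device A).
EVENTS_SINGLE = [
    {"id": "event1", "type": "registration", "features": {"device": "A", "phone": "B", "account": "B"}},
    {"id": "event2", "type": "registration", "features": {"device": "C", "phone": "D", "account": "D"}},
    {"id": "event3", "type": "login", "features": {"device": "A", "phone": "D", "account": "D"}},
]

# Constructed sample for weighted core fields (device 0.5, phone 0.3, account 0.2);
# "ip" is an associated field here.
EVENTS_WEIGHTED = [
    {"id": "w1", "type": "registration", "features": {"device": "A", "phone": "P1", "account": "K1", "ip": "10.0.0.1"}},
    {"id": "w2", "type": "login", "features": {"device": "A", "phone": "P2", "account": "K2", "ip": "10.0.0.2"}},
    {"id": "w3", "type": "login", "features": {"device": "C", "phone": "P2", "account": "K3", "ip": "10.0.0.3"}},
    {"id": "w4", "type": "recharge", "features": {"device": "D", "phone": "P9", "account": "K3", "ip": "10.0.0.3"}},
]
WEIGHTS = {"device": 0.5, "phone": 0.3, "account": 0.2}

if __name__ == "__main__":
    for name, evs, w, t in [("single core", EVENTS_SINGLE, {"device": 1.0}, 1.0),
                            ("weighted", EVENTS_WEIGHTED, WEIGHTS, 0.5)]:
        clusters, links = build_gene_map(evs, w, t)
        print(name, [c["events"] for c in clusters], links)
```

In the single core run event one and event three form one cluster and event two stays alone, exactly as the page describes, and the two clusters are linked through the shared associated values (mobile phone number D and account D). In the weighted run only the two events sharing a device (0.5) merge; a shared mobile phone number alone (0.3) or account alone (0.2) does not reach the threshold, but the shared IP address still produces a link between the separate clusters.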
Furthermore, the service request, the service event, the characteristic field and the constructed gene cluster can be stored in a database after being associated.
In the embodiment of the application, the finally obtained gene map can be displayed in two dimensions or three dimensions, wherein the three-dimensional gene map can be obtained by taking the characteristic fields in the gene map as points and taking the correlation among the characteristics as edges. In the three-dimensional gene map, the larger and denser the cluster, the higher the probability that the core features of the cluster are suspicious risk features, so that the technical scheme of the application can visually display the feature composition and the suspicious risk features of the target service after the gene map is constructed, thereby improving the decision efficiency and the decision accuracy of a decision maker.
Optionally, determining suspicious risk characteristics of the target service based on the genetic profile and the characteristic association relationship comprises:
step 1, determining the number of field values of each characteristic field of each gene cluster in a gene map, wherein the number of the field values is the number of the field values corresponding to the characteristic fields.
In the embodiment of the present application, there may be a device a, a device B, and a device C in a gene cluster, and the number of fields of the "device number" feature field of the gene cluster is 3.
step 2, taking the feature fields in turn according to a preset sorting priority of the feature fields, and sorting the plurality of gene clusters in descending order of the number of field values of those feature fields.
step 3, selecting the target gene clusters ranked before the target sorting position from the sorting result.
step 4, when the number of field values of a core field in a target gene cluster is greater than or equal to the first number threshold of the corresponding category, determining the field values of that core field as suspicious risk features of the target business in the target gene cluster.
In the embodiment of the present application, the target sorting position may be set according to actual requirements, for example, 10.
In the embodiment of the present application, the core field may be specified from the above feature fields as a main analysis object. If the device number and the account number are designated as core fields, corresponding number thresholds can be set for the device number and the account number respectively. And in the case that the number of fields of the core field is greater than or equal to the first number threshold of the corresponding category, determining the field value of the core field as a suspicious risk feature of the target business in the target gene cluster, and if the number of field values of the device number is greater than 10 (the number of devices contained in the gene cluster is greater than 10), determining all the device numbers in the gene cluster as suspicious risk features.
In the embodiment of the application, in order to enable the suspicious risk features to be more accurately positioned, the range of the suspicious risk features can be narrowed based on the feature association relation among the business events represented by the genetic map.
Optionally, after selecting a target gene cluster before the target ranking position from the ranking result, determining the suspicious risk feature of the target service based on the gene map and the feature association relationship further includes:
step 1, in a target gene cluster, counting the number of field values of associated fields having characteristic association relation with core fields for each core field.
In the embodiment of the present application, the core field indicates the core feature of the service event, and the association field indicates the feature having an association relationship with the core feature. Taking the device number as a core field and the account number and the mobile phone number as an association field as examples, when counting that [ 1000 account numbers associated with the registration relationship of the device a ], it indicates that 1000 account numbers are registered on the device a, that is, it is known that 1000 registration events occur on the device a. And counting 1000 mobile phone numbers associated with the registration relationship of the equipment A, wherein the 1000 mobile phone numbers are registered on the equipment A.
And 2, acquiring all field values of the associated fields under the condition that the number of the field values of the associated fields is greater than or equal to the second number threshold of the corresponding categories.
In the embodiment of the present application, taking the second number threshold of the mobile phone numbers associated with the same device as 100 as an example, if [ 1000 mobile phone numbers associated with the registration relationship of the device a ] are counted, all mobile phone numbers associated with the device a are obtained.
And 3, dividing the field value into a plurality of value fragments.
In the embodiment of the present application, the dividing of the field value into multiple value segments is to find out similar features, for example, the dividing of the eleven-digit mobile phone number into three value segments, which are the first to third digits, the fourth to seventh digits, and the eighth to eleventh digits, respectively.
And 4, sequencing the value segments according to the sequence of the occurrence times of each value segment from large to small.
In the embodiment of the application, after the field value is divided into a plurality of value fragments, the value fragments are sequenced in the descending order of the occurrence frequency of each value fragment, and the sequenced fields include but are not limited to a mobile phone number attribution, an equipment number, an account number, an IP address and the like.
And 5, selecting a target value segment before the target sequencing position from the sequencing result, and determining the target value segment and the associated core field as suspicious risk characteristics of the target business in the target gene cluster.
In this embodiment of the present application, when the number of fields in a certain associated field associated with a core field is large, it indicates that the core field is abnormal, for example, 1000 accounts are registered on one device. And for the value fragments with excessive occurrence times, the value fragments can also be determined as suspicious risk characteristics, and if the value fragments of the illegal action suspicious personnel use a large number of mobile phone numbers of the 170 number segment for registration, the technical scheme of the application can find out the suspicious risk characteristics of the illegal action suspicious personnel using a large number of registered account numbers of the 170 number segment after sequencing the value fragments of the associated fields, so that the attention degree of the characteristics related to the value fragments can be strengthened, and a clear direction is provided for risk identification.
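The two procedures above (ranking gene clusters and thresholding core fields, then narrowing by associated fields and value fragments) can be put together in a few functions. The following is an added example, not code from the patent; the cluster contents, the sorting priority, the thresholds and the 3/4/4-digit phone split are constructed assumptions chosen to mirror the figures in the text (one device carrying 1000 accounts, most of them registered with 170-segment numbers).

```python
from collections import Counter

# Constructed sample gene clusters (an assumption for this example, not data
# from the patent). A cluster maps each feature field to its set of field values.
def _phone(prefix, n):
    """Deterministic 11-digit number: 3-digit segment prefix + 4 + 4 digits."""
    return f"{prefix}{(n * 7919) % 10000:04d}{n:04d}"

CLUSTERS = {
    "cluster-A": {                                   # one device, 1000 accounts and phones
        "device_id": {"dev-A"},
        "account_id": {f"acct-{i}" for i in range(1000)},
        "phone": {_phone("170", i) for i in range(900)}
                 | {_phone("139", i) for i in range(100)},
    },
    "cluster-B": {
        "device_id": {"dev-B", "dev-C"},
        "account_id": {"acct-b0"},
        "phone": {_phone("138", 0)},
    },
    "cluster-C": {                                   # twelve devices on three accounts
        "device_id": {f"dev-c{i}" for i in range(12)},
        "account_id": {"acct-c0", "acct-c1", "acct-c2"},
        "phone": {_phone("136", 7)},
    },
}

# Assumed configuration values.
SORT_PRIORITY = ("account_id", "device_id", "phone")    # preset sorting priority of fields
TARGET_POSITION = 2                                      # keep the clusters ranked before position 2
CORE_THRESHOLDS = {"device_id": 10, "account_id": 100}   # first number threshold per core field
ASSOC_THRESHOLDS = {"account_id": 100, "phone": 100}     # second number threshold per associated field
SEGMENT_SCHEMES = {"phone": ((0, 3), (3, 7), (7, 11))}   # digits 1-3, 4-7, 8-11


def field_value_counts(cluster):
    """Step 1: number of distinct field values of every feature field."""
    return {f: len(v) for f, v in cluster.items()}


def rank_clusters(clusters, priority=SORT_PRIORITY):
    """Step 2: sort clusters by the value counts of the priority fields, largest
    first; the first priority field decides and later fields break ties."""
    def key(item):
        counts = field_value_counts(item[1])
        return tuple(-counts.get(f, 0) for f in priority)
    return [name for name, _ in sorted(clusters.items(), key=key)]


def core_field_suspects(cluster, thresholds=CORE_THRESHOLDS):
    """Step 4: all values of a core field are suspicious risk features when the
    cluster holds at least the threshold number of distinct values for it."""
    counts = field_value_counts(cluster)
    return {f: sorted(cluster[f]) for f, t in thresholds.items() if counts.get(f, 0) >= t}


def associated_field_suspects(cluster, core_field="device_id", thresholds=ASSOC_THRESHOLDS,
                              schemes=SEGMENT_SCHEMES, top_n=2):
    """Narrowing steps 1-5: for every associated field with at least the threshold
    number of values, split each value into fragments, count fragments by position,
    and report the most frequent ones together with the core field values."""
    counts = field_value_counts(cluster)
    result = {}
    for f, threshold in thresholds.items():
        if f == core_field or counts.get(f, 0) < threshold:
            continue
        frag_counts = Counter()
        for value in cluster[f]:
            for idx, (start, end) in enumerate(schemes.get(f, ())):
                frag_counts[(idx, value[start:end])] += 1
        result[f] = {"core": sorted(cluster[core_field]),
                     "fragments": [(idx, frag, n) for (idx, frag), n in frag_counts.most_common(top_n)]}
    return result


def analyse(clusters=CLUSTERS):
    """Whole procedure: rank clusters, keep the top ones, then collect core-field
    and associated-field suspicious risk features for each of them."""
    selected = rank_clusters(clusters)[:TARGET_POSITION]
    return {name: {"core": core_field_suspects(clusters[name]),
                   "associated": associated_field_suspects(clusters[name])}
            for name in selected}


if __name__ == "__main__":
    for name, report in analyse().items():
        print(name, sorted(report["core"]), {f: r["fragments"] for f, r in report["associated"].items()})
```

Fields without a segment scheme (here the account number) still pass the second-threshold check and are reported with an empty fragment list, so the caller can see that the associated field was flagged even when no fragment pattern is computed for it.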
In the embodiment of the present application, the risk level of a business event is determined according to the suspicious risk features; specifically, the risk level of the business event may be determined according to the number, type and distribution of the suspicious risk features included in the business event, the influence of the suspicious risk features on business operation, and the like. The risk level may be general risk, serious risk, high risk, special risk and the like, and a person skilled in the art may also classify the risk level according to actual conditions, for example with user-defined category names, classification numbers and the like.
Optionally, determining the suspicious risk features of the target service based on the gene map and the feature association relationship further includes:
Step 1, comparing the field values of the feature fields of each gene cluster in the gene map with the existing field values in a case library to obtain a comparison result;
Step 2, when the similarity in the comparison result is greater than a similarity threshold, determining the field values of the feature field as suspicious risk features of the target service in the target gene map.
In the embodiment of the application, the field value of the characteristic field of each gene cluster can be directly compared with the field values of the existing fields in the case library, so that the suspicious risk characteristics in the current gene cluster are determined according to the similarity of the field values. The similarity of the field values may be the similarity of specific contents of the field values, or the similarity of the number of the field values.
Optionally, the field name comparison and the field value comparison may be further integrated, and when both the field name similarity and the field value similarity satisfy a certain condition, both the field name and the field value satisfying the condition are determined as suspicious risk features in the current gene cluster.
Optionally, the target service and the suspicious risk characteristics of the target service may also be added to the case base, so that the suspicious risk characteristics are used as basic data for the graph analysis of the target service.
In the embodiment of the application, the case base can be continuously updated and upgraded, so that the characteristics of suspicious risks appearing in history are recorded, and basic data are provided for map analysis.
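The case-library comparison described in the preceding paragraphs (field-name and field-value comparison, with either a content similarity or a count similarity, followed by writing the findings back to the library) is illustrated by the following added example; it is not code from the patent. The library contents, the cluster, both thresholds and the choice of difflib's ratio for field-name similarity and the Jaccard index for value-content similarity are assumptions made for this example.

```python
import difflib

# Constructed case library of historical suspicious risk features, keyed by
# field name (an assumption for this example, not data from the patent).
CASE_LIBRARY = {
    "device_id": {"dev-A", "dev-X"},
    "phone_prefix": {"170", "171"},
    "ip": {"203.0.113.7", "203.0.113.8"},
}
NAME_THRESHOLD = 0.75    # field-name similarity threshold (assumed value)
VALUE_THRESHOLD = 0.3    # field-value similarity threshold (assumed value)


def name_similarity(a, b):
    """Field-name similarity in 0..1 (difflib ratio on lower-cased names; an assumed measure)."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def content_similarity(values, known):
    """Similarity of the field-value contents: Jaccard index of the two value sets."""
    union = values | known
    return len(values & known) / len(union) if union else 0.0


def count_similarity(values, known):
    """Similarity of the number of field values: smaller count divided by larger count."""
    hi = max(len(values), len(known))
    return min(len(values), len(known)) / hi if hi else 0.0


def match_library_field(field_name, library, threshold=NAME_THRESHOLD):
    """Field-name comparison: the library field whose name is most similar, if similar enough."""
    best = max(library, key=lambda k: name_similarity(field_name, k), default=None)
    return best if best is not None and name_similarity(field_name, best) >= threshold else None


def compare_with_case_library(cluster, library=CASE_LIBRARY, threshold=VALUE_THRESHOLD,
                              measure=content_similarity):
    """Steps 1-2: compare each feature field's values with the matching library field;
    when the similarity exceeds the threshold, the field's values are suspicious risk features."""
    suspects = {}
    for field_name, values in cluster.items():
        lib_field = match_library_field(field_name, library)
        if lib_field is None:
            continue                      # no library field with a similar enough name
        sim = measure(values, library[lib_field])
        if sim > threshold:
            suspects[field_name] = {"library_field": lib_field,
                                    "similarity": round(sim, 3), "values": sorted(values)}
    return suspects


def add_to_case_library(library, suspects):
    """Record newly found suspicious risk features as basic data for later graph analyses."""
    for info in suspects.values():
        library.setdefault(info["library_field"], set()).update(info["values"])
    return library


# Constructed cluster to compare (assumption). "deviceId" is spelled differently
# from the library's "device_id" to exercise the field-name comparison.
SAMPLE_CLUSTER = {
    "deviceId": {"dev-A", "dev-B"},
    "phone_prefix": {"170"},
    "account_id": {"acct-1", "acct-2"},   # no counterpart in the library
    "ip": {"198.51.100.9"},
}
```

With the content measure the IP field is not flagged (no value overlap with the library), while with the count measure it is, since one address against two gives a count ratio of 0.5; which measure to use is exactly the choice the text leaves open.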
According to another aspect of the embodiments of the present application, as shown in fig. 3, there is provided an apparatus for updating a risk identification policy, including:
a data acquisition module 301, configured to, in the case that a first business event in a business system is determined as a first suspicious risk event based on a first risk identification policy, acquire, as first backtest data, data containing second business events that were previously determined to have no suspicious risk within a target time period, where the target time period is earlier than the time point at which the first business event is determined as the first suspicious risk event;
an event backtesting module 303, configured to determine, in the first backtest data, the specific second business events that match the target feature of the first suspicious risk event, and redetermine the specific second business events as second suspicious risk events that have a suspicious risk; and
a policy update module 305, configured to update the first risk identification policy with the second suspicious risk events and the target feature to obtain a second risk identification policy.
It should be noted that the data acquisition module 301 in this embodiment may be configured to execute step S202 of the method embodiment, the event backtesting module 303 may be configured to execute step S204, and the policy update module 305 may be configured to execute step S206.
The modules described above implement the same examples and application scenarios as the corresponding steps, but are not limited to the disclosure of the above embodiments. The modules, as part of the apparatus, may operate in a hardware environment as shown in fig. 1 and may be implemented by software or hardware.
Optionally, the apparatus for updating the risk identification policy further includes a risk discrimination module, configured to determine the first business event in the business system as the first suspicious risk event based on the first risk identification policy in at least one of the following manners:
in the case that the identification identifier carried in the first service request that generates the first business event is found to be inconsistent with the historically used identification identifier stored in the database, determining the identification identifier as a suspicious risk feature and determining the first business event as the first suspicious risk event;
in the case that the number of account numbers associated with the identification identifier carried in the first service request within the current risk identification period is greater than or equal to a target number threshold, determining the identification identifier as a suspicious risk feature and determining the first business event as the first suspicious risk event;
in the case that a first feature of the first business event is found to match a risk feature stored in a preset case library, determining the first feature as a suspicious risk feature and determining the first business event as the first suspicious risk event;
where the identification identifier includes at least one of a hardware device identifier, a mobile phone number, a number attribution and an internet protocol address.
Optionally, the apparatus for updating the risk identification policy further includes a backtesting range determining module, configured to:
determine the activity start time of the business activity to which the first business event belongs, and determine the range from the activity start time to the current time as the target time period; and/or
determine the discrimination type by which the first business event was determined as the first suspicious risk event;
in the case that the discrimination type is a threshold discrimination type, determine the range from the start time of the current risk identification period to the current time as the target time period;
and in the case that the discrimination type is a feature discrimination type, determine the occurrence cycle of the events associated with the first suspicious risk event, take the occurrence time point of the first suspicious risk event as the latest node of the current occurrence cycle, and determine the time period from the earliest node to the latest node of the current occurrence cycle as the target time period.
Optionally, the backtesting range determining module is further configured to:
determine a second feature that occurs together with the suspicious risk feature in the first suspicious risk event as an associated risk feature;
determine the earliest time at which the associated risk feature occurs in other business events; and
determine the range from that earliest time to the current time as the target time period.
Optionally, the event backtesting module is specifically configured to:
determine the suspicious risk feature of the first suspicious risk event identified by the first risk identification policy as the target feature, and determine the second business events in the first backtest data that have the same target feature as the specific second business events; and/or
determine the suspicious risk feature and the other features in the first suspicious risk event as associated risk features and take them as the target features, and determine the second business events in the first backtest data that have the target features as the specific second business events.
Optionally, the apparatus for updating a risk identification policy further includes a data warehousing module, configured to:
add the suspicious risk features, the associated risk features and the event features of the second suspicious risk events to a preset case library, so that they serve as basic data for analyzing attack behavior. In practice, a person skilled in the art may select some or all of the suspicious risk features, the associated risk features and the event features of the second suspicious risk events for the analysis of attack behavior, depending on the service.
Optionally, the apparatus for updating the risk identification policy further includes a policy checking module, configured to:
perform risk identification on second backtest data based on the second risk identification policy, where the second backtest data and the first backtest data do not completely overlap;
count the accuracy and the missed-judgment rate of the second risk identification policy on suspicious risk events; and
in the case that the accuracy of the second risk identification policy is less than or equal to the accuracy of the first risk identification policy and/or the missed-judgment rate of the second risk identification policy is greater than or equal to the missed-judgment rate of the first risk identification policy, continue updating the second risk identification policy with the second suspicious risk events and the target features, and verify again, with the second backtest data, the accuracy and missed-judgment rate with which the updated second risk identification policy identifies suspicious risk events, until the second risk identification policy passes the verification.
Optionally, the apparatus for updating the risk identification policy further includes a policy online module, configured to:
replace the first risk identification policy with the second risk identification policy in the production environment, so that when the second risk identification policy identifies a third business event that has a feature matching relationship with the first suspicious risk event and/or the second suspicious risk events, the third business event is determined as a third suspicious risk event that has a suspicious risk.
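The module descriptions above (risk discrimination by historical-identifier mismatch, account-count threshold and case-library match; backtesting over a target period that starts at the activity start time; policy update; and verification by accuracy and missed-judgment rate on second backtest data) form one cycle, shown here as an added example that is not the patent's own code. The event records, the labels for the second backtest data, the threshold of 4 accounts, the placeholder IP and device values, and the definitions of accuracy (share of events judged in line with their label) and missed-judgment rate (share of truly risky events left unflagged) are all assumptions for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """A risk identification policy: a case library of known risk features,
    an account-count threshold per identifier, and historically used identifiers."""
    case_library: set = field(default_factory=set)   # {(field_name, value), ...}
    account_threshold: int = 4                       # target number threshold (assumed value)
    history: dict = field(default_factory=dict)      # account_id -> set of device ids used before


IDENTIFIER_FIELDS = ("device_id", "phone", "ip")


def discriminate(policy, event, period_events):
    """Apply the three discrimination manners in order and return the suspicious
    risk feature (field, value) that fired, or None when the event is judged clean."""
    known = policy.history.get(event["account_id"])
    if known is not None and event["device_id"] not in known:
        return ("device_id", event["device_id"])     # identifier inconsistent with stored history
    accounts = {e["account_id"] for e in period_events if e["device_id"] == event["device_id"]}
    if len(accounts) >= policy.account_threshold:
        return ("device_id", event["device_id"])     # too many accounts on one identifier this period
    for f in IDENTIFIER_FIELDS:
        if (f, event[f]) in policy.case_library:
            return (f, event[f])                     # feature matches the case library
    return None


def backtest(first_event, target_feature, events, period_start):
    """Previously clean events in [period_start, first event) that carry the target
    feature; period_start is the activity start time of the business activity."""
    f, v = target_feature
    return [e for e in events
            if period_start <= e["time"] < first_event["time"] and e["verdict"] == "clean" and e[f] == v]


def update_policy(policy, features):
    """Second policy: the first policy with the target feature(s) added to its case library."""
    return Policy(policy.case_library | set(features), policy.account_threshold, policy.history)


def evaluate(policy, events, labels):
    """Accuracy and missed-judgment rate of a policy on labelled backtest data (assumed definitions)."""
    flagged = {e["id"] for e in events if discriminate(policy, e, events) is not None}
    risky = {i for i, is_risky in labels.items() if is_risky}
    correct = sum((e["id"] in flagged) == labels[e["id"]] for e in events)
    return correct / len(events), len(risky - flagged) / len(risky)


def validate(old, new, events, labels):
    """The second policy passes only if accuracy rises and the missed-judgment rate falls."""
    old_acc, old_miss = evaluate(old, events, labels)
    new_acc, new_miss = evaluate(new, events, labels)
    return new_acc > old_acc and new_miss < old_miss, (new_acc, new_miss)


# Constructed sample events (assumption: not data from the patent).
def _ev(i, t, acct, dev, phone, ip):
    return {"id": i, "time": t, "account_id": acct, "device_id": dev,
            "phone": phone, "ip": ip, "verdict": "clean"}

FIRST_BACKTEST = [                       # events since activity start (time 0), all judged clean so far
    _ev("e1", 1, "acct-1", "dev-1", "17000000001", "198.51.100.1"),
    _ev("e2", 2, "acct-2", "dev-A", "17000000002", "198.51.100.2"),
    _ev("e3", 3, "acct-3", "dev-A", "17000000003", "198.51.100.3"),
    _ev("e4", 4, "acct-4", "dev-B", "13900000004", "198.51.100.4"),
    _ev("e5", 5, "acct-5", "dev-A", "17000000005", "198.51.100.5"),
]
FIRST_EVENT = _ev("e10", 10, "acct-6", "dev-A", "17000000006", "198.51.100.6")
SECOND_BACKTEST = [                      # partly different data, with constructed ground truth below
    _ev("f1", 11, "acct-7", "dev-A", "17000000007", "198.51.100.7"),
    _ev("f2", 12, "acct-8", "dev-B", "13900000008", "198.51.100.8"),
    _ev("f3", 13, "acct-9", "dev-C", "13900000009", "203.0.113.7"),
    _ev("f4", 14, "acct-10", "dev-A", "17000000010", "198.51.100.10"),
    _ev("f5", 15, "acct-11", "dev-D", "13900000011", "198.51.100.11"),
]
SECOND_LABELS = {"f1": True, "f2": False, "f3": True, "f4": True, "f5": False}


def run():
    """Full cycle: discriminate, backtest, update, validate; returns what each stage produced."""
    policy1 = Policy(case_library={("ip", "203.0.113.7")}, history={"acct-1": {"dev-1"}})
    target = discriminate(policy1, FIRST_EVENT, FIRST_BACKTEST + [FIRST_EVENT])
    second_events = backtest(FIRST_EVENT, target, FIRST_BACKTEST, period_start=0)
    policy2 = update_policy(policy1, [target])
    passed, metrics = validate(policy1, policy2, SECOND_BACKTEST, SECOND_LABELS)
    return {"target": target, "second_events": [e["id"] for e in second_events],
            "before": evaluate(policy1, SECOND_BACKTEST, SECOND_LABELS),
            "after": metrics, "passed": passed}
```

The first event trips the account-count manner (four accounts on dev-A within the period), so the target feature is the device identifier; the three earlier clean events on that device are re-judged as suspicious, and the second policy, which now carries the device in its case library, catches the two dev-A events in the second backtest data that the first policy missed. A policy that failed `validate` would go back through `update_policy` with further associated features rather than being put online.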
According to another aspect of the embodiments of the present application, an electronic device is provided, as shown in fig. 4, which includes a memory 401, a processor 403, a communication interface 405 and a communication bus 407, where the memory 401 stores a computer program operable on the processor 403, the memory 401 and the processor 403 communicate with each other through the communication interface 405 and the communication bus 407, and the steps of the method are implemented when the processor 403 executes the computer program.
The memory and the processor in the electronic device communicate with the communication interface through the communication bus. The communication bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like, and may be divided into an address bus, a data bus, a control bus and the like.
The memory may include a random access memory (RAM) or a non-volatile memory, such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
There is also provided, in accordance with yet another aspect of an embodiment of the present application, a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the steps of any of the embodiments described above.
Optionally, in an embodiment of the present application, a computer-readable medium is configured to store program code that causes the processor to perform the following steps:
in the case that a first business event in a business system is determined as a first suspicious risk event based on a first risk identification policy, acquiring, as first backtest data, data containing second business events that were previously determined to have no suspicious risk within a target time period, where the target time period is earlier than the time point at which the first business event is determined as the first suspicious risk event;
determining, in the first backtest data, the specific second business events that match the target feature of the first suspicious risk event, and determining the specific second business events as second suspicious risk events that have a suspicious risk; and
updating the first risk identification policy with the second suspicious risk events and the target feature to obtain a second risk identification policy.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
When the embodiments of the present application are specifically implemented, reference may be made to the above embodiments, and corresponding technical effects are achieved.
It is to be understood that the embodiments described herein may be implemented in hardware, software, firmware, middleware, microcode, or any combination thereof. For a hardware implementation, the processing units may be implemented within one or more application-specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), general-purpose processors, controllers, micro-controllers, microprocessors, other electronic units configured to perform the functions described herein, or a combination thereof.
For a software implementation, the techniques described herein may be implemented by means of units performing the functions described herein. The software codes may be stored in a memory and executed by a processor. The memory may be implemented within the processor or external to the processor.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is merely a logical division, and in actual implementation, there may be other divisions, for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application, in essence or in the part contributing to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk. It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
The above description is merely exemplary of the present application and is presented to enable those skilled in the art to understand and practice the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for updating a risk identification policy, comprising:
in the case that a first business event in a business system is determined as a first suspicious risk event based on a first risk identification policy, acquiring, as first backtest data, data containing a second business event that was previously determined to have no suspicious risk within a target time period, wherein the target time period is earlier than the time point at which the first business event is determined as the first suspicious risk event;
determining, in the first backtest data, a specific second business event that matches a target feature of the first suspicious risk event, and determining the specific second business event as a second suspicious risk event that has a suspicious risk; and
updating the first risk identification policy with the second suspicious risk event and the target feature to obtain a second risk identification policy.
2. The method of claim 1, wherein determining the first business event in the business system as the first suspicious risk event based on the first risk identification policy comprises at least one of:
in the case that an identification identifier carried in a first service request that generates the first business event is found to be inconsistent with a historically used identification identifier stored in a database, determining the identification identifier as a suspicious risk feature and determining the first business event as the first suspicious risk event;
in the case that the number of account numbers associated, within the current risk identification period, with the identification identifier carried in the first service request is found to be greater than or equal to a target number threshold, determining the identification identifier as the suspicious risk feature and determining the first business event as the first suspicious risk event;
in the case that a first feature of the first business event is found to match a risk feature stored in a preset case library, determining the first feature as the suspicious risk feature and determining the first business event as the first suspicious risk event;
wherein the identification identifier comprises at least one of a hardware device identifier, a mobile phone number, a number attribution and an internet protocol address.
3. The method of claim 1, wherein, before acquiring, as the first backtest data, the data containing the second business event that was previously determined to have no suspicious risk within the target time period, the method further comprises determining the target time period as follows:
determining the activity start time of the business activity to which the first business event belongs, and determining the range from the activity start time to the current time as the target time period; and/or
determining the discrimination type by which the first business event is determined as the first suspicious risk event;
in the case that the discrimination type is a threshold discrimination type, determining the range from the start time of the current risk identification period to the current time as the target time period;
and in the case that the discrimination type is a feature discrimination type, determining the occurrence cycle of the events associated with the first suspicious risk event, taking the occurrence time point of the first suspicious risk event as the latest node of the current occurrence cycle, and determining the time period from the earliest node to the latest node of the current occurrence cycle as the target time period.
4. The method of claim 1, wherein the first suspicious risk event comprises a suspicious risk feature, and wherein determining the target time period further comprises:
determining a second feature that occurs together with the suspicious risk feature in the first suspicious risk event as an associated risk feature;
determining the earliest time at which the associated risk feature occurs in other business events;
determining the range from the earliest time to the current time as the target time period.
5. The method of claim 1, wherein determining, in the first backtest data, the specific second business event that matches the target feature of the first suspicious risk event comprises:
determining the suspicious risk feature of the first suspicious risk event identified by the first risk identification policy as the target feature, and determining the second business event in the first backtest data that has the same target feature as the specific second business event; and/or
determining the suspicious risk feature and the other features in the first suspicious risk event as associated risk features and taking them as the target feature, and determining the second business event in the first backtest data that has the target feature as the specific second business event.
6. The method of claim 5, wherein, after determining the specific second business event as the second suspicious risk event that has a suspicious risk, the method further comprises:
adding the suspicious risk feature, the associated risk features and the event features of the second suspicious risk event to a preset case library, so that the suspicious risk feature, the associated risk features and the event features of the second suspicious risk event serve as basic data for analyzing attack behavior.
7. The method of any one of claims 1 to 6, wherein, after obtaining the second risk identification policy, the method further comprises:
performing risk identification on second backtest data based on the second risk identification policy, wherein the second backtest data and the first backtest data do not completely overlap;
counting the accuracy and the missed-judgment rate of the second risk identification policy on suspicious risk events; and
in the case that the accuracy of the second risk identification policy is less than or equal to the accuracy of the first risk identification policy and/or the missed-judgment rate of the second risk identification policy is greater than or equal to the missed-judgment rate of the first risk identification policy, continuing to update the second risk identification policy with the second suspicious risk event and the target feature, and verifying again, with the second backtest data, the accuracy and the missed-judgment rate with which the updated second risk identification policy identifies suspicious risk events, until the verification is passed.
8. An apparatus for updating a risk identification policy, comprising:
a data acquisition module, configured to, in the case that a first business event in a business system is determined as a first suspicious risk event based on a first risk identification policy, acquire, as first backtest data, data containing a second business event that was previously determined to have no suspicious risk within a target time period, wherein the target time period is earlier than the time point at which the first business event is determined as the first suspicious risk event;
an event backtesting module, configured to determine, in the first backtest data, a specific second business event that matches a target feature of the first suspicious risk event, and determine the specific second business event as a second suspicious risk event that has a suspicious risk; and
a policy update module, configured to update the first risk identification policy with the second suspicious risk event and the target feature to obtain a second risk identification policy.
9. A risk identification policy updating device comprising a memory, a processor, a communication interface and a communication bus, wherein the memory stores a computer program operable on the processor, and the memory and the processor communicate via the communication bus and the communication interface, wherein the processor implements the steps of the method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable medium having non-volatile program code executable by a processor, wherein the program code causes the processor to perform the method of any of claims 1 to 7.
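Claims 1 to 7 describe one loop: backtest earlier events that the first policy judged benign against the target features of a newly flagged event, relabel the matches as second suspicious events, extend the policy with those features, and keep the new policy only if it scores better than the first on separate backtest data. The following Python is an added example, not the patent's own code; the feature names, rules, sample events, candidate target feature sets and the strict accept condition are constructed for illustration.

```python
# Added example, not the patent's own code: a toy simulation of the backtest-and-update
# loop in claims 1-7. Feature names, events, rules and target features are constructed.
from collections import namedtuple

Event = namedtuple("Event", "ts features is_attack")  # is_attack: label used only for scoring

def is_suspicious(rules, event):
    """A policy is a list of rules; a rule is a dict of required feature values."""
    return any(all(event.features.get(k) == v for k, v in r.items()) for r in rules)

def backtest_matches(history, hit_time, window, target):
    """Claims 1-2: earlier events, previously judged benign, whose features match the
    target features of the newly flagged event; these become second suspicious events."""
    return [e for e in history if hit_time - window <= e.ts < hit_time
            and all(e.features.get(k) == v for k, v in target.items())]

def evaluate(rules, data):
    """Returns (accuracy, miss rate); miss rate = attacks judged benign / all attacks."""
    hits = [is_suspicious(rules, e) for e in data]
    tp = sum(h and e.is_attack for h, e in zip(hits, data))
    tn = sum(not h and not e.is_attack for h, e in zip(hits, data))
    attacks = sum(e.is_attack for e in data)
    return (tp + tn) / len(data), (attacks - tp) / attacks if attacks else 0.0

def update_until_verified(rules, hit_time, history, window, candidates, second_data):
    """Claim 7: keep an updated policy only if it beats the first on BOTH accuracy and miss
    rate over the second backtest data; otherwise continue with the next candidate target.
    Returns (new_rules, target, matches) or None when no candidate passes verification."""
    acc1, miss1 = evaluate(rules, second_data)
    for target in candidates:
        matches = backtest_matches(history, hit_time, window, target)
        if not matches:          # no earlier event to relabel: no evidence for this target
            continue
        new_rules = rules + [dict(target)]
        acc2, miss2 = evaluate(new_rules, second_data)
        if acc2 > acc1 and miss2 < miss1:
            return new_rules, target, matches
    return None

FIRST_POLICY = [{"band": "high", "new": True}]          # flagged the first event at ts=100
CANDIDATES = [{"asn": "AS64500"}, {"device": "dev-7"}]  # target feature sets of that event
def ev(ts, band, new, device, asn, attack):             # compact constructor for sample events
    return Event(ts, {"band": band, "new": new, "device": device, "asn": asn}, attack)
HISTORY = [ev(60, "low", False, "dev-7", "AS64500", True),    # first backtest data: all judged
           ev(70, "low", False, "dev-9", "AS64500", False),   # benign by FIRST_POLICY
           ev(95, "high", False, "dev-7", "AS64496", True)]
SECOND_DATA = [ev(20, "high", True, "dev-1", "AS64496", True),  # second backtest data (labelled)
               ev(30, "low", False, "dev-7", "AS64500", True),
               ev(40, "low", False, "dev-2", "AS64496", False),
               ev(60, "high", False, "dev-3", "AS64500", False),
               ev(80, "low", True, "dev-7", "AS64511", True),
               ev(90, "low", True, "dev-4", "AS64500", False)]
```

On this data the ASN candidate relabels history but drops accuracy to 0.5 (two benign events become false positives), so it is rejected; the device candidate raises accuracy to 1.0 and the miss rate to 0 and is adopted.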
CN202210731439.6A 2022-06-24 2022-06-24 Risk identification strategy updating method, device, equipment and computer readable medium Pending CN115185963A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210731439.6A CN115185963A (en) 2022-06-24 2022-06-24 Risk identification strategy updating method, device, equipment and computer readable medium

Publications (1)

Publication Number Publication Date
CN115185963A true CN115185963A (en) 2022-10-14

Family

ID=83515822

Country Status (1)

Country Link
CN (1) CN115185963A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination