CN115511492A - Transaction monitoring method, system and related device - Google Patents

Transaction monitoring method, system and related device Download PDF

Info

Publication number
CN115511492A
CN115511492A CN202211200781.XA CN202211200781A CN115511492A CN 115511492 A CN115511492 A CN 115511492A CN 202211200781 A CN202211200781 A CN 202211200781A CN 115511492 A CN115511492 A CN 115511492A
Authority
CN
China
Prior art keywords
party
service
connection
supervisor
monitoring
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211200781.XA
Other languages
Chinese (zh)
Inventor
平庆瑞
张一锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongchao Credit Card Industry Development Co ltd
China Banknote Printing and Minting Group Co Ltd
Original Assignee
Zhongchao Credit Card Industry Development Co ltd
China Banknote Printing and Minting Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhongchao Credit Card Industry Development Co ltd, China Banknote Printing and Minting Group Co Ltd filed Critical Zhongchao Credit Card Industry Development Co ltd
Priority to CN202211200781.XA priority Critical patent/CN115511492A/en
Publication of CN115511492A publication Critical patent/CN115511492A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/36Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
    • G06Q20/367Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/36Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
    • G06Q20/367Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
    • G06Q20/3674Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes involving authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3821Electronic credentials
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3825Use of electronic signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Databases & Information Systems (AREA)
  • Development Economics (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Technology Law (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application provides a transaction monitoring method, which comprises the following steps: determining a service party under surveillance and establishing a DID connection relation; establishing SSI proxy access connection based on DID connection relation, and initiating a real-time monitoring access request to the service party based on SSI proxy connection after the service party confirms the identity of the monitoring party of the connection requester; and monitoring and collecting transaction service data of the service party through the SSI agent. When monitoring transaction, the method needs to connect a safe, private and licensed SSI agent to the service side system, and introduces real-time supervision in the transaction link, so that compliance check is transferred to the business after the compliance check is engaged, the problem that the check cannot catch up with payment is solved, and the transaction can be supervised and easily supervised. The application also provides a transaction monitoring method, a transaction monitoring system, a computer readable storage medium and an electronic device, which have the beneficial effects.

Description

Transaction monitoring method, system and related device
Technical Field
The present application relates to the field of blockchains, and in particular, to a transaction monitoring method, system and related device.
Background
Currently, online banking and instant payment are popular with customers, and speed and irreversibility are the main features of instant payment, which raise concerns about risk runaway-many banks have little control over their compliance in real-time transaction processing.
Compliance checking by institutions, which mainly involve batch classification of transactions at the end of each working day and compliance screening by compliance software, supports checking to see if a known type of violation has occurred with a customer, and is a typical post-mortem mechanism. Under the background of instant payment, based on an online service and an instant transfer system, a customer can complete a series of operations of opening an account, transferring funds and closing the account online within a few hours, and the traditional compliance check cannot be executed in time and gives an early warning to risks.
Rule-based compliance inspection is a one-dimensional screening standard, which often results in a large number of false positives, and deletion of any inspection rule may bring about a huge risk.
To access real-time transaction data, traditional data visitors (business parties) establish data centers at their corporate premises, purchase and maintain physical hardware, and manage connections between system providers and their own data centers. With the change of the supervision requirement, the rules of the compliance check are continuously expanded, and the compliance software needs to be continuously and iteratively upgraded, which bring high compliance cost and pressure to the business side.
Any independent business party cannot provide effective risk identification based on big data analysis due to insufficient data coverage. Although the third-party cloud service provider can provide a technical architecture for data summarization, the third-party cloud service provider has great difficulty in obtaining business data due to challenges in data monopoly and data security protection, and data interaction between different manufacturer systems is still difficult to achieve.
Disclosure of Invention
The application aims to provide a transaction monitoring method, a transaction monitoring system, a computer readable storage medium and electronic equipment, which can realize implementation data detection of a monitoring party and a business party and avoid transaction risks caused by compliance check lag.
In order to solve the above technical problem, the present application provides a transaction monitoring method, including:
determining a service party under supervision and establishing a DID connection relation;
establishing SSI proxy connection based on the DID connection relation, and initiating a real-time monitoring access request to the service party based on the SSI proxy connection after the service party confirms the identity of a monitoring party of a connection requester;
and collecting and monitoring transaction service data of the service party through the SSI agent.
Optionally, before determining the managed service party, the method further includes:
the monitoring party obtains a distributed digital identity wallet;
creating supervisor distributed digital identity DID information according to the distributed digital identity wallet, and submitting the supervisor distributed digital identity DID information to a supervision management organization;
after the supervision and management mechanism confirms the requester identity corresponding to the supervisor distributed digital identity DID information, uplink registering the supervisor distributed digital identity DID information to a distributed digital identity book; the distributed digital identity account book is managed by the supervision and management mechanism and supports the access of the supervision party and the service party.
Optionally, after the uplink registration of the distributed digital identity DID information of the monitoring party to the distributed digital identity ledger, the method further includes:
the business party locally installs the distributed digital identity wallet and the identity agent application to determine the DID information of the business party identity;
the service side initiates a service filing request based on DID registration to the monitoring side, and establishes DID connection based on double-party relationship DID between the identity agent application and the identity agent of the monitoring side;
the service party submits the DID information of the service party identity to the supervisor through the DID connection;
after passing the identity verification of the service party, the supervisor approves the service filing request of the service party, and the supervisor signs and submits a request for registering the DID of the service party to the uplink so as to store the DID of the service party into the distributed digital identity book.
Optionally, after determining the managed service party, the method further includes:
the supervisor receives a registration and record request of the business party and sends a connection invitation to the business party as a first response of the registration and record request; the connection invitation comprises a supervisor DID, a connection ID, a random number and a URL address for receiving the DID connection request;
after the business side receives the connection invitation and creates business side relation DID by using a local digital identity wallet, initiating a DID connection request to the URL address in the supervisor connection invitation;
the supervisor receives the DID connection request sent by the service party, where the DID connection request includes: a service party relation DID and a signature of the connection invitation information by using a private key corresponding to the service party relation DID;
verifying the service party relationship DID information and the decrypted invitation information in the connection request, storing the service party relationship DID to the local of a supervisor after the verification is successful, creating a supervisor relationship DID matched with the relationship DID by using the identity wallet, and feeding back the supervisor relationship DID to the service party;
and the service party receives a DID connection request response of the supervisor, verifies the relation DID of the supervisor, stores the relation DID to the local of the service party after the verification is successful, and completes the creation of the DID relation between the service party and the supervisor.
Optionally, initiating a real-time monitoring access request to the service party based on the SSI proxy connection to obtain an access authorization to the service party includes:
the SSI agent of the supervisor requests to establish DID connection with the SSI agent of the service party;
the business side confirms whether the relation DID corresponding to the supervisor exists in the relation record of the business side through the relation record;
if yes, the service party verifies that the connection requester is the supervisor party through challenge response authentication based on the relation DID, and if the authentication is successful, the DID connection with the supervisor party is established;
the service party receives and processes the data access request from the DID connection channel.
Optionally, before collecting and monitoring transaction service data of the service party by the SSI agent, the method further includes:
the service side SSI proxy receives a service access request sent by the monitoring side SSI proxy and forwards the service access request to a service side system;
the service side system responds to the service access request, returns corresponding service data, and the service side SSI agent encrypts the service data by using a relation DID key of the supervisor and returns the service data to the SSI agent of the supervisor so as to execute the step of collecting and monitoring the transaction service data of the service side through the SSI agent.
Optionally, before collecting and monitoring transaction service data of the service party by the SSI agent, the method further includes:
establishing a certificate template containing the data structure standard of the supervision transaction service, and issuing the certificate template on a distributed digital identity account book; the business party organizes the transaction business data into a corresponding verifiable certificate according to a certificate template on the account book and returns the verifiable certificate to the supervisor, so that the supervisor is supported to carry out automatic verification.
The present application further provides a transaction monitoring system, comprising:
the relation establishing module is used for determining a managed business party and establishing a DID connection relation;
the connection access module is used for establishing SSI proxy connection based on the DID connection relation, and initiating a real-time monitoring access request to the service party based on the SSI proxy connection after the service party confirms the identity of a monitoring party of a connection requester;
and the service monitoring module is used for collecting and monitoring the transaction service data of the service party through the SSI agent.
The present application also provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the method as set forth above.
The present application further provides an electronic device, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the method when calling the computer program in the memory.
The application provides a transaction monitoring method, which comprises the following steps: determining a service party under supervision and establishing a DID connection relation; establishing SSI access connection based on DID connection relation, and initiating a real-time monitoring access request to the service party based on SSI proxy connection after the service party confirms the identity of the monitoring party of the connection requester; and collecting and monitoring transaction service data of the service party through the SSI agent.
When monitoring the transaction, the method needs to connect a safe, private and licensed SSI agent to the service side system, and introduces real-time supervision in the transaction link, so that the compliance check is transferred to the business after the compliance check is engaged, the problem that the check cannot catch up with the payment is solved, and the transaction can be supervised and easily supervised.
The application also provides a transaction monitoring method, a transaction monitoring system, a computer-readable storage medium and an electronic device, which have the beneficial effects and are not described herein again.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are only the embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a transaction monitoring method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a specific application structure of a real-time transaction monitoring method;
fig. 3 is a schematic structural diagram of a transaction monitoring system according to an embodiment of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of a transaction monitoring method according to an embodiment of the present application, the method including:
s101: determining a service party under supervision and establishing a DID connection relation;
s102: establishing SSI access connection based on DID connection relation, and initiating a real-time monitoring access request to the service party based on SSI proxy connection after the service party confirms the identity of the monitoring party of the connection requester;
s103: collecting and monitoring transaction service data of the service party through the SSI agent
The following description will be made for the authentication process before the transaction monitoring is performed by the monitoring party and the service party:
firstly, identity authentication of a monitoring party:
before determining the managed service party, the following steps can be included:
firstly, the monitoring party acquires a distributed digital identity wallet;
secondly, creating distributed digital identity DID (distributed identity) information of a supervisor according to the distributed digital identity wallet, and submitting the DID information of the supervisor to a supervision management organization;
and thirdly, after the supervision management mechanism confirms the requester identity corresponding to the distributed digital identity DID information of the supervisor, uplink registering the distributed digital identity DID information of the supervisor to a distributed digital identity book.
The distributed digital identity account book is managed by the supervision and management mechanism and supports the access of the supervision party and the business party
Before deploying real-time supervision from a supervisor to a business party, the authenticity of the supervisor needs to be ensured first, endorsement authentication by a supervision and management organization is usually required, and a related mechanism capable of discovering and verifying identity is provided.
Specifically, the administrative service executor, i.e. the administrator, who has passed online or offline authentication downloads the distributed digital identity wallet and the agent from the networked computer or server providing the administrative service, creates the distributed digital identity, and submits the administrator identity DID information and other credential information (e.g. business registration information) to the administrative authority, and requests the administrative authority to verify its identity and submit registration and public information about the digital identity, where the DID information may be DID Doc (DID & pk). The supervision and administration organization provides an agent identity registration (request is signed by the supervisor) request for an approved supervisor, and in order to ensure that the identity can be found and cannot be tampered, distributed digital identity information of the supervisor is usually registered on a distributed digital identity book or a block chain, and information registration confirmation is completed through a consensus node. The distributed digital identity account book can adopt an open license management or private license mode, is maintained by a supervision and management organization and other parties, and supports supervision and business party access.
Accordingly, for the business party, it should also be subject to corresponding business party compliance certification. The business party develops external business and can firstly carry out identity authentication of the legal person main body. Then, the service party needs to record the service to the supervisor, which may specifically include the following steps:
firstly, the service party installs the distributed digital identity wallet and the identity agent application locally to determine DID information of the identity of the service party;
secondly, the service party initiates a service filing request based on DID registration to the monitoring party and establishes DID connection based on the DID of both sides relationship between the identity agent application and the identity agent of the monitoring party;
thirdly, the service party submits the DID information of the service party identity to the supervisor through the DID connection;
and fourthly, after the identity of the service party is verified, the supervisor approves the service filing request of the service party, and the supervisor signs and submits a request for uplink registration of the DID of the service party so as to deposit the DID of the service party to the distributed digital identity account book.
It should be noted that after receiving the registration record request of the service party, the supervisor generally needs to first create a DID relationship with the service party and perform a DID connection based on the DID relationship, which specifically includes the following processes:
firstly, a supervisor receives a registration and record request of a service party and sends a connection invitation to the service party as a first response of the registration and record request; the connection invitation comprises a supervisor DID, a connection ID, a random number and a URL address for receiving the DID connection request;
secondly, after the business side receives the connection invitation and establishes business side relation DID by using a local digital identity wallet, a DID connection request is sent to a URL address in the supervisor connection invitation;
thirdly, the supervisor receives the DID connection request sent by the service party, and the DID connection request comprises: a service party relation DID and a signature of the connection invitation information by using a private key corresponding to the service party relation DID;
fourthly, verifying the DID information of the business party relationship and the decrypted invitation information in the connection request, storing the DID of the business party relationship to the local supervision party after the verification is successful, creating a DID of the supervision party relationship matched with the DID of the relationship by using the identity wallet, and feeding back the DID of the supervision party;
and fifthly, the service party receives a DID connection request response of the supervisor, verifies the relation DID of the supervisor, stores the relation DID to the local of the service party after the verification is successful, and completes the DID relation establishment of the service party and the supervisor.
It should be noted that mutual authentication of both parties is involved in the process of creating DID relationships. In the practical application process of the application, the one-way authentication of the service party by the monitoring party can be realized, the two-way authentication of the service party and the monitoring party can also be realized, and the two-way authentication is beneficial to the mutual identity determination of the two parties so as to ensure that the service transaction data is not leaked and has data safety. One possible mutual authentication process in creating DID relationships is as follows:
firstly, a supervision party initiates DID connection invitation to a service party:
the service side manages the service to be monitored and should apply for and record the service to the monitoring side. For the supervised party who proposes the supervision record, the supervising party sends a DID connection request to the supervising party, and the DID connection request should be considered to include the following information:
supervisor DID (should be consistent with the information it publishes on the distributed digital identity ledger);
a connection ID;
receiving a URL of a DID connection request;
challenge value (as a random number, for supporting one-time use)
After the DID connection request is coded according to the standard Base 64URL, the DID connection request is sent (out-of-band transmission) to a service party in the forms of e-mail, short message or website two-dimensional code and the like;
secondly, the business side receives the DID connection invitation, constructs a private business side relation peerDID @ A and B and a related key pair by using a local wallet, is only used for the current relation connection, and submits the following information to the supervisor through a connection request:
a connection ID;
the private key of the created peerDID @ A: B is used for signing the challenge value to generate a response value;
b and related public key information, the supervised business system accesses the entry address, and the like.
The information is encrypted based on the DID public key of the supervisor (obtained from a distributed digital identity book) and then returned to the connection request acceptance address in the connection invitation.
The supervisor receives a DID connection request sent by the service party, decrypts the DID connection request by using a DID private key of the supervisor, verifies a challenge response based on the received peerDID @ A: B public key, and stores the peerDID @ A: B to the SSI agent of the supervisor after the success confirmation is confirmed. Thereafter, the supervisor establishes the relation peerDID @ B: A corresponding to the supervisor for connection response. Similarly, in order to avoid man-in-the-middle attack, the returned supervisor connection request response is signed by the private key of the supervisor relationship peerDID @ B: A and is returned after being encrypted by the public key of the opposite relationship peerDID @ A: B.
The relation DID and the key which are mutually authenticated by the monitoring party and the service party are respectively stored in the SSI agents of the monitoring party and the service party.
In addition, after the supervisor and the service party complete the DID relationship creation process, a two-way connection based on DID authentication can be established to exchange the voucher data.
The credential data exchange can be used to realize the identity verification of the applicant by the monitoring party, such as the identity verification and DID verification of the docket legal person submitted by the applicant. In addition, the monitoring party shall perform the verification of other related qualifications in an online and offline manner according to the business scope of the applicant.
For the approved service party, the supervisor registered on the distributed digital identity book is responsible for submitting DID information of the service party identity, which may be a DID Doc (DID, public key, and service system entry point address) information uplink, as required.
Before the monitoring access of the service party system is realized by the monitoring party, the DID connection with the service party needs to be established first based on the previously established DID relationship, and the method can comprise the following steps:
the SSI agent of the supervisor requests to establish DID connection with the SSI agent of the service party;
the business side confirms whether the relation DID corresponding to the supervisor exists in the relation record of the business side through the relation record;
if yes, the service party confirms that the connection requester is the supervisor through challenge response authentication based on the relation DID, and if the authentication is successful, DID connection with the supervisor is established;
based on the established DID connection, the supervisory party can initiate data access to the supervised business party according to the address of the supervisory recorded business system, the business party responds to the data access request, calls the corresponding API to collect the data, and feeds the data back to the supervisory party based on the DID connection.
In order to ensure the data transmission security, the data should be encrypted based on an encryption key obtained by negotiation between a business party relationship DID private key and a supervisor relationship DID public key. After the management side SSI agent obtains the response data through decryption, the data can be forwarded to a related system for automatic data check, and the check content comprises data format and data validity.
For data which do not relate to strict privacy protection requirements, the data can be directly collected to a data lake of a supervision background, and supervision big data analysis and inspection are supported. The data write security can be realized through a traditional client/server security mode or a DID point-to-point secure communication mode.
Referring to fig. 2, fig. 2 is a schematic diagram of a specific application structure of a real-time transaction monitoring method, in fig. 2, a transaction server collects transaction data of each POS and serves as a business party, a monitoring agent 1 and a monitoring agent 2 both serve as monitoring parties, and the monitoring agent 1 and the monitoring agent 2 both need to perform DID connection-based secure communication with the transaction server, i.e., DID com shown in fig. 2, but the roles of the two are different. The supervision agency 2 is used to collect and check the data of the transaction server and upload it to the data lake, and the supervision agency 1 is used to perform an Anti-Money Laundering (Anti-AML) check local to the business system.
The following is a description of the application of the supervising agent 1 of fig. 2 as a supervising party:
in addition to accessing data in real time for proper monitoring, the monitoring party may also need to perform real-time checks for specific transactions, assess the status of violations for intervention, and prevent fraud and financial crimes. Since such checks typically involve business sensitive information or user private information of the business party, the following steps may be taken: the machine-readable and machine-executable compliance check script is transmitted to the business party through the supervision agent, and is supported to carry out local check, and the check result is returned in a way which can be verified by the supervision party. In order to avoid a malicious attacker from transmitting a counterfeit compliance script or compliance code to acquire improper information, the request and downloading of the compliance script or the compliance code are carried out based on DID connection established by a supervisor and a service party, and the security, non-repudiation and integrity of script information in the downloading process can be realized based on public and private key negotiation encryption, sender private key signature and MAC check calculation of the two parties.
When detecting a transaction, the embodiment of the application needs to connect a safe, private and licensed SSI agent to the service party system, and introduces real-time supervision in the transaction link to transfer compliance check to the business after the compliance check is engaged, so that the problem that the check cannot catch up with payment is solved, and the transaction can be supervised and easily supervised.
In order to achieve an automated check of the monitoring data, a standardized definition of the data structure should be considered to support machine-readable and verifiable. As a preferred embodiment, before collecting and monitoring transaction service data of a service party by an SSI agent, a verifiable credential data template containing a monitoring type transaction service data structure standard is established, and the templates are published on a distributed digital identity book; the business party organizes the transaction data into a corresponding verifiable certificate according to a certificate template on the account book and returns the verifiable certificate to the supervisor so as to support the supervisor to carry out automatic verification.
Specifically, the supervisor should explicitly define and publish the fine-grained data that needs to be acquired (existing standards may also be adopted). The defined regulatory audit data (based on a combination of several of them) is published on a distributed digital identity book in the form of a verifiable credential template, ensuring that any changes required with respect to the regulatory audit data are accessible to the various regulatory and business parties in a timely manner. A Verifiable Credentials template (veriable Credentials Schema) is a machine-readable definition of a set of attribute data types and formats for credential claims that facilitates standardization and machine-automated inspection of regulatory data.
The credential templates are not specifically specified or limited in content herein. The specification of the credential template may be performed with reference to the W3C verifiable financial model specification.
In addition to data from real-time transaction processes, the regulatory back-end can aggregate access to large amounts of fine-grained, structured and unstructured data through other approaches, establish a single view of all internal and external data sources of the financial institution, and processing such data through automated modeling, analysis and visualization is critical to improving the effectiveness of macro and micro judicious regulation.
In order to achieve the goal, the cooperative relationship needs to be effectively expanded among different supervision cloud service platforms. Similarly, point-to-point credible connection can be established between different supervision cloud services and other cloud agent services based on a DID mode, data sharing is carried out on the premise of complying with the corresponding data protection principle, the visual analysis of global data is realized, or machine learning based on data protection is carried out, and a risk identification model is optimized. Considering that the supervision cloud service is coordinated in a cluster mode, an n-wise DID connection relation meeting the requirement is established. By providing the cloud deployment-based supervision service, the burden and cost of business parties are reduced, and the agility of compliance response is improved.
The financial monitoring engine constructed in the way can work across one or more industry monitoring server clusters, the deployment of the hybrid cloud model can quickly adapt to the requirements of new challenges or continuously changing monitoring environments, and extensible financial dynamic monitoring is realized, so that related organizations obtain good business agility and the benefits brought by big data analysis.
In the embodiment, the supervision party is directly introduced into the service system of the service party to participate in the transaction, so that the supervision real-time performance is greatly improved. Meanwhile, the supervisor and the service party perform DID authentication before SSI connection, mutual trust relationship is established, and data interaction security is higher than that of a third-party software supplier.
Meanwhile, the credible management based on the distributed identity has the characteristics of flattening and flexible expansion, supports the combination change of the monitoring party and the service party, and can support the requirement of fast adapting to new service challenges and continuously changing monitoring environments.
In the following, the transaction monitoring system provided in the embodiment of the present application is introduced, and the transaction monitoring system described below and the transaction monitoring method described above may be referred to correspondingly.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a transaction monitoring system according to an embodiment of the present application, where the system includes:
the relation establishing module is used for determining a service party under supervision and establishing a DID connection relation;
the connection access module is used for establishing SSI proxy connection based on the DID connection relation, and initiating a real-time monitoring access request to the service party based on the SSI proxy connection after the service party confirms the identity of a monitoring party of a connection requester;
and the service monitoring module is used for collecting and monitoring the transaction service data of the service party through the SSI agent.
Based on the above embodiment, as a preferred embodiment, the method further includes:
the supervisor registers the module, is used for obtaining the distributed digital identity wallet;
creating supervisor distributed digital identity DID information according to the distributed digital identity wallet, and submitting the supervisor distributed digital identity DID information to a supervision management organization; after the supervision management mechanism confirms the requester identity corresponding to the supervisor distributed digital identity DID information, uplink-registering the supervisor distributed digital identity DID information to a distributed digital identity book; the distributed digital identity account book is managed by the supervision and management mechanism and supports the access of the supervision party and the service party.
Based on the above embodiment, as a preferred embodiment, the method further includes:
the service side record module is applied to a service side and used for locally installing the distributed digital identity wallet and the identity agent application and determining DID information of the identity of the service side; initiating a DID registration-based service filing request to the supervisor, and establishing DID connection based on the bilateral relation DID between the identity agent application and the supervisor identity agent; submitting the DID information of the identity of the service party to the supervisor through the DID connection;
and the record response module is applied to a supervisor and used for approving the business record request of the business party after the identity of the business party is verified, and the supervisor signs and submits the request for registering the business party DID to the uplink so as to store the business party identity DID into the distributed digital identity account book.
Based on the above embodiment, as a preferred embodiment, the method further includes:
the DID connection invitation module of the monitoring party is applied to the monitoring party and used for receiving the registration and record request of the service party and sending a connection invitation to the service party as a first response of the registration and record request; the connection invitation comprises a supervisor DID, a connection ID, a random number and a URL address for receiving the DID connection request;
a service party DID connection request module applied to a service party and used for initiating a DID connection request to the URL address in the supervisor connection invitation after the service party receives the connection invitation and utilizes a local digital identity wallet to create a service party relation DID
A DID connection response module of the supervisor, which is applied to the supervisor and used for receiving the DID connection request sent by the service side, wherein the DID connection request includes: a service party relation DID and a signature of the connection invitation information by using a private key corresponding to the service party relation DID; verifying the business party relation DID information and the decrypted invitation information in the connection request, storing the business party relation DID to the local supervisor after the verification is successful, creating a supervisor relation DID matched with the relation DID by using the identity wallet, and feeding back the supervisor relation DID to the business party;
and the DID relation confirmation module is applied to a service party and used for receiving a DID connection request response of the supervisor, verifying the relation DID of the supervisor, storing the relation DID to the local part of the service party after the verification is successful, and finishing the creation of the DID relation between the service party and the supervisor.
Based on the above embodiment, as a preferred embodiment, the method further includes:
the certificate template configuration module is used for establishing a certificate template containing the standard of the data structure of the supervision transaction service and issuing the certificate template on a distributed digital identity account book; the business party organizes the transaction business data into a corresponding verifiable certificate according to a certificate template on the account book and returns the verifiable certificate to the supervisor, so that the supervisor is supported to carry out automatic verification.
The present application also provides a computer readable storage medium having stored thereon a computer program which, when executed, may implement the steps provided by the above-described embodiments. The storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The present application further provides an electronic device, which may include a memory and a processor, where the memory stores a computer program, and when the processor calls the computer program in the memory, the steps provided in the foregoing embodiments may be implemented. Of course, the electronic device may also include various network interfaces, power supplies, and the like.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system provided by the embodiment, the description is relatively simple because the system corresponds to the method provided by the embodiment, and the relevant points can be referred to the description of the method part.
The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrases "comprising a," "8230," "8230," or "comprising" does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A transaction monitoring method, comprising:
determining a service party under supervision and establishing a DID connection relation;
establishing SSI proxy connection based on the DID connection relation, and initiating a real-time monitoring access request to the service party based on the SSI proxy connection after the service party confirms the identity of a monitoring party of a connection requester;
and collecting and monitoring transaction service data of the service party through the SSI agent.
2. The transaction monitoring method of claim 1, wherein prior to determining the managed business party, further comprising:
the supervising party acquires a distributed digital identity wallet;
creating supervisor distributed digital identity DID information according to the distributed digital identity wallet, and submitting the supervisor distributed digital identity DID information to a supervision management organization;
after the supervision management mechanism confirms the requester identity corresponding to the supervisor distributed digital identity DID information, uplink-registering the supervisor distributed digital identity DID information to a distributed digital identity book; the distributed digital identity book is managed by the supervision and management mechanism and supports the access of the supervision party and the service party.
3. The transaction monitoring method of claim 2, wherein after the policer distributed Digital Identity (DID) information is uplink registered to a distributed digital identity book, further comprising:
the business party locally installs the distributed digital identity wallet and the identity agent application to determine the DID information of the business party identity;
the service party initiates a service filing request based on DID registration to the monitoring party and establishes DID connection based on the bilateral relationship DID between the identity agent application and the identity agent of the monitoring party;
the service party submits the service party identity DID information to the supervisor through the DID connection;
and after the identity of the service party is verified, the supervisor approves the service filing request of the service party, and the supervisor signs and submits a request for uplink registration of the DID of the service party so as to deposit the DID of the service party to the distributed digital identity book.
4. The transaction monitoring method of claim 1, after determining the managed business party, further comprising:
the supervisor receives a registration and record request of the business party and sends a connection invitation to the business party as a first response of the registration and record request; the connection invitation comprises a supervisor DID, a connection ID, a random number and a URL address for receiving the DID connection request;
after the business side receives the connection invitation and creates business side relation DID by using a local digital identity wallet, initiating a DID connection request to the URL address in the supervisor connection invitation;
the supervisor receives the DID connection request sent by the service party, where the DID connection request includes: a service party relation DID and a signature of the connection invitation information by using a private key corresponding to the service party relation DID;
verifying the service party relationship DID information and the decrypted invitation information in the connection request, storing the service party relationship DID to the local of a supervisor after the verification is successful, creating a supervisor relationship DID matched with the relationship DID by using the identity wallet, and feeding back the supervisor relationship DID to the service party;
and the service party receives a DID connection request response of the supervisor, verifies the relation DID of the supervisor, stores the relation DID to the local part of the service party after the verification is successful, and completes the creation of the DID relation between the service party and the supervisor.
5. The transaction monitoring method of claim 1 or 4, wherein initiating a real-time monitoring access request to the service party based on the SSI proxy connection to obtain access authorization to the service party comprises:
the SSI agent of the monitoring party requests to establish DID connection with the SSI agent of the service party;
the business side confirms whether the relation DID corresponding to the supervisor exists in the relation record of the business side through the relation record;
if yes, the service party verifies that the connection requester is the supervisor party through challenge response authentication based on the relation DID, and if the authentication is successful, the DID connection with the supervisor party is established;
the service party receives and processes the data access request from the DID connection channel.
6. The transaction monitoring method as claimed in claim 1, wherein before collecting and monitoring transaction traffic data of the service party by the SSI agent, further comprising:
the service side SSI proxy receives a service access request sent by the monitoring side SSI proxy and forwards the service access request to a service side system;
the service side system responds to the service access request, returns corresponding service data, and the service side SSI agent encrypts the service data by using a relation DID key of the supervisor and returns the service data to the SSI agent of the supervisor so as to execute the step of collecting and monitoring the transaction service data of the service side through the SSI agent.
7. The transaction monitoring method of claim 1, wherein prior to collecting and monitoring transaction traffic data of the business party by the SSI agent, further comprising:
establishing a certificate template containing the data structure standard of the supervision transaction service, and issuing the certificate template on a distributed digital identity book; the business party organizes the transaction business data into a corresponding verifiable certificate according to a certificate template on the account book and returns the verifiable certificate to the supervisor, so that the supervisor is supported to carry out automatic verification.
8. A transaction monitoring system, comprising:
the relation establishing module is used for determining a service party under supervision and establishing a DID connection relation;
the connection access module is used for establishing SSI proxy connection based on the DID connection relation, and initiating a real-time monitoring access request to the service party based on the SSI proxy connection after the service party confirms the identity of a monitoring party of a connection requester;
and the service monitoring module is used for collecting and monitoring the transaction service data of the service party through the SSI agent.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the transaction monitoring method according to any one of claims 1 to 7.
10. An electronic device comprising a memory having a computer program stored therein and a processor which, when invoked by the computer program in the memory, carries out the steps of the transaction monitoring method according to any one of claims 1 to 7.
CN202211200781.XA 2022-09-29 2022-09-29 Transaction monitoring method, system and related device Pending CN115511492A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211200781.XA CN115511492A (en) 2022-09-29 2022-09-29 Transaction monitoring method, system and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211200781.XA CN115511492A (en) 2022-09-29 2022-09-29 Transaction monitoring method, system and related device

Publications (1)

Publication Number Publication Date
CN115511492A true CN115511492A (en) 2022-12-23

Family

ID=84508230

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211200781.XA Pending CN115511492A (en) 2022-09-29 2022-09-29 Transaction monitoring method, system and related device

Country Status (1)

Country Link
CN (1) CN115511492A (en)

Similar Documents

Publication Publication Date Title
EP3788523B1 (en) System and method for blockchain-based cross-entity authentication
US11025435B2 (en) System and method for blockchain-based cross-entity authentication
US11038670B2 (en) System and method for blockchain-based cross-entity authentication
KR101780636B1 (en) Method for issuing certificate information and blockchain-based server using the same
KR101799343B1 (en) Method for using, revoking certificate information and blockchain-based server using the same
US10885501B2 (en) Accredited certificate issuance system based on block chain and accredited certificate issuance method based on block chain using same, and accredited certificate authentication system based on block chain and accredited certificate authentication method based on block chain using same
KR101661933B1 (en) Ccertificate authentication system and method based on block chain
AU2021206913A1 (en) Systems and methods for distributed data sharing with asynchronous third-party attestation
CN105243313B (en) For the method whenever confirmed to verifying token
CN108541318A (en) For authorizing the client terminal device, server unit and the access control system that access
US20130061055A1 (en) Apparatus and Methods for Providing Scalable, Dynamic, Individualized Credential Services Using Mobile Telephones
US20150047003A1 (en) Verification authority and method therefor
CN108830733A (en) A kind of information processing method, block scm cluster and system
EP1738239A1 (en) Secure messaging system
CN110535648A (en) Electronic certificate is generated and verified and key controlling method, device, system and medium
JP2002536732A (en) How to operate infrastructure and applications for encryption-supported services
CN112037068A (en) Resource transfer method, system, device, computer equipment and storage medium
CN103489104A (en) Security payment method and system
CN111460457A (en) Real estate property registration supervision method, device, electronic equipment and storage medium
JP2023535013A (en) Quantum secure payment system
CN113515756B (en) High-credibility digital identity management method and system based on block chain
TWI618008B (en) Transaction fee negotiation for currency remittance
KR100349888B1 (en) PKI system for and method of using micro explorer on mobile terminals
CN115099800A (en) Block chain based method and device for transferring poor asset data
CN115511492A (en) Transaction monitoring method, system and related device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination