CN115619411A - Suspicious transaction monitoring method, device, equipment and storage medium - Google Patents

Publication number
CN115619411A
Authority
CN
China
Prior art keywords
transaction
suspicious
client
suspicious transaction
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211309970.0A
Other languages
Chinese (zh)
Inventor
辛铭媛
王栋慧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Pudong Development Bank Co Ltd
Original Assignee
Shanghai Pudong Development Bank Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Pudong Development Bank Co Ltd
Priority to CN202211309970.0A
Publication of CN115619411A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/36 Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367 Ontology
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Theoretical Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Development Economics (AREA)
  • Computer Security & Cryptography (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Technology Law (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Animal Behavior & Ethology (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a suspicious transaction monitoring method, device, equipment and storage medium. The method comprises: obtaining transaction customer data, wherein the transaction customer data comprises a transaction flow corresponding to a transaction client, associated information of the transaction client, and a terminal device address corresponding to the transaction client; and inputting the transaction customer data into a target model to obtain the target suspicious transaction probability corresponding to the transaction client.

Description

Suspicious transaction monitoring method, device, equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of finance, in particular to a suspicious transaction monitoring method, a suspicious transaction monitoring device, suspicious transaction monitoring equipment and a suspicious transaction monitoring storage medium.
Background
In recent years, suspicious transactions have intensified rapidly, and suspicious transaction patterns increasingly show characteristics such as specialization, use of technology and regional spread, which places higher demands on the suspicious transaction monitoring work of financial institutions.
In the existing suspicious transaction monitoring mode, developers generally monitor transactions according to personal experience, so the labor cost is high and the efficiency is low.
Disclosure of Invention
The embodiment of the invention provides a suspicious transaction monitoring method, a suspicious transaction monitoring device, equipment and a storage medium, which can automatically monitor suspicious transactions and improve the efficiency and accuracy of suspicious transaction monitoring.
According to an aspect of the invention, there is provided a suspicious transaction monitoring method, comprising:
obtaining transaction customer data, wherein the transaction customer data comprises: a transaction flow corresponding to a transaction client, associated information of the transaction client, and a terminal equipment address corresponding to the transaction client;
and inputting the data of the transaction client into a target model to obtain the probability of the target suspicious transaction corresponding to the transaction client.
According to another aspect of the present invention, there is provided a suspicious transaction monitoring device comprising:
the data acquisition module is used for acquiring transaction client data, wherein the transaction client data comprises: a transaction flow corresponding to a transaction client, associated information of the transaction client, and a terminal equipment address corresponding to the transaction client;
and the suspicious transaction probability determining module is used for inputting the transaction client data into a target model to obtain the target suspicious transaction probability corresponding to the transaction client.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform a method of suspicious transaction monitoring according to any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium having stored thereon computer instructions for causing a processor to execute a method of suspicious transaction monitoring according to any one of the embodiments of the present invention.
The embodiment of the invention acquires transaction client data, wherein the transaction client data comprises: a transaction flow corresponding to a transaction client, associated information of the transaction client, and a terminal device address corresponding to the transaction client; and inputs the transaction client data into a target model to obtain the target suspicious transaction probability corresponding to the transaction client, so that suspicious transactions can be monitored automatically and the efficiency and accuracy of suspicious transaction monitoring are improved.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
FIG. 1 is a flow diagram of a suspicious transaction monitoring method in an embodiment of the present invention;
FIG. 2 is a schematic diagram of a partial transaction network map in an embodiment of the invention;
FIG. 3 is a schematic diagram of a service network architecture in an embodiment of the invention;
FIG. 4 is a schematic diagram of a core network structure in an embodiment of the invention;
FIG. 5 is a flow diagram of another suspicious transaction monitoring method in an embodiment of the present invention;
FIG. 6 is a schematic diagram of a suspicious transaction monitoring device according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an electronic device in an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of a suspicious transaction monitoring method according to an embodiment of the present invention, which is applicable to a suspicious transaction monitoring situation, and the method may be implemented by a suspicious transaction monitoring apparatus according to an embodiment of the present invention, where the apparatus may be implemented in a software and/or hardware manner, as shown in fig. 1, the method specifically includes the following steps:
S110, acquiring transaction customer data, wherein the transaction customer data comprises: the transaction flow corresponding to the transaction client, the associated information of the transaction client and the terminal equipment address corresponding to the transaction client.
Wherein the associated information of the transaction client comprises: at least one of relatives, corporate legal persons, revolution privacies, and mutual securities.
Wherein, the address of the terminal device corresponding to the transaction client comprises: IP and/or MAC.
Wherein the transaction customer data further comprises: basic information of the transaction client. The basic information of the transaction client includes at least one of: name of the transaction client, client state of the transaction client, identity information, operation range information, certificate information, risk condition, account type of the transaction client, early warning condition, inline/out-of-line, account opening time, account cancellation time and account-opening institution.
Specifically, the manner of acquiring the transaction customer data may be: acquiring historical data, and removing invalid and normal transaction data from the historical data to obtain the transaction client data. For example, historical data is acquired, and invalid and normal transaction data are removed through business rules, such as the amount, number and type of related transactions, and through model rules of a connected graph algorithm, to obtain the transaction client data. Performing graph pattern matching on transaction client data obtained in this way can effectively improve the graph pattern matching efficiency.
In one specific example, if the transaction client data is missing, the transaction client data is culled. If the transaction client data is an isolated node, that is, no association relationship exists, the transaction client data is also removed.
And S120, inputting the data of the transaction client into a target model to obtain the probability of the target suspicious transaction corresponding to the transaction client.
Wherein the target model comprises a first model and/or a graph mining model.
Specifically, the manner of inputting the transaction customer data into the target model to obtain the target suspicious transaction probability corresponding to the transaction customer may be: constructing a suspicious transaction network map according to the transaction customer data; performing pattern matching according to a pattern rule and the suspicious transaction network map to obtain a suspicious transaction client; and inputting the transaction client data corresponding to the suspicious transaction client into the target model to obtain the target suspicious transaction probability corresponding to the suspicious transaction client.
Optionally, inputting the data of the transaction client into a target model to obtain a target suspicious transaction probability corresponding to the transaction client, where the target suspicious transaction probability includes:
constructing a suspicious transaction network map according to the transaction customer data;
performing pattern matching according to a pattern rule and the suspicious transaction network map to obtain a suspicious transaction client;
and inputting the transaction client data corresponding to the suspicious transaction client into the target model to obtain the target suspicious transaction probability corresponding to the suspicious transaction client.
Specifically, the method for constructing the suspicious transaction network map according to the transaction client data may be: determining customer information according to the transaction flow; determining an entity according to the customer information; determining the relationship between the entities according to the associated information of the transaction client; determining attribute information according to the transaction flow and the associated information of the transaction client; and constructing a suspicious transaction network map according to the entities, the relationship among the entities and the attribute information.
The graph pattern rule may include: funds are transferred in over multiple transactions and transferred out in a concentrated manner; the transferring counterparties come from all parts of the country; the transferred amounts are integer multiples of one hundred yuan, or the amount mantissa carries a specific number; the number of transactions is large; non-counter transactions account for a high percentage; transactions occur throughout the day; the number of late-night transactions is high; the transaction remarks are alphanumeric combinations.
The graph pattern rule may further include: the number of counterparties is small and the counterparties are relatively fixed; the transaction amount is large; transactions occur with a suspicious customer.
The graph pattern rule may further include: the transaction amount is greater than the set amount threshold.
The graph pattern rule may further include: filtering-account features are present: multiple sums are remitted out after multiple sums are received on the same day, the fund flow increases abnormally and rapidly, the account has been open only a short time, and ATM and POS consumption accounts for a high proportion.
The graph pattern rule may further include: within half a year of the account opening time, the inflow and outflow amounts are basically level, and the accumulated amount exceeds the amount threshold.
The graph pattern rule may further include: the amount collected is greater than the amount threshold, single amounts are integer multiples of ten thousand yuan, and the remarks read: investment, borrowing, repayment; little balance remains after funds move in and out quickly; decentralized transferring and centralized transferring; for personal accounts: a legal person or close relative of an investment company; for public accounts: there are numerous natural-person counterparties.
The graph pattern rule may further include: the transaction time is fixed, and the counterparties and the collection account overlap.
Specifically, the manner of inputting the transaction client data corresponding to the suspicious transaction client into the target model to obtain the target suspicious transaction probability corresponding to the suspicious transaction client may be as follows: generating a target characteristic index according to the transaction customer data corresponding to the suspicious transaction customer; and inputting the target characteristic index into a first model to obtain the target suspicious transaction probability corresponding to the suspicious transaction client. The method for inputting the transaction client data corresponding to the suspicious transaction client into the target model to obtain the target suspicious transaction probability corresponding to the suspicious transaction client may further include: determining corresponding out-degree characteristics and in-degree characteristics of suspicious transaction clients according to the suspicious transaction network map; and inputting the out-degree characteristic and the in-degree characteristic corresponding to the suspicious transaction client into a graph mining model to obtain the target suspicious transaction probability corresponding to the suspicious transaction client. The method for inputting the transaction client data corresponding to the suspicious transaction client into the target model to obtain the target suspicious transaction probability corresponding to the suspicious transaction client may further include: screening the suspicious transaction clients according to the blacklist to obtain target suspicious transaction clients; acquiring target characteristics corresponding to the target suspicious transaction client; segmenting the target feature based on a segmentation rule; and determining the target suspicious transaction probability corresponding to the suspicious transaction client according to the WOE value corresponding to the segmented target characteristic. 
The method of inputting the transaction client data corresponding to the suspicious transaction client into the target model to obtain the target suspicious transaction probability corresponding to the suspicious transaction client may be: generating a target characteristic index according to the transaction customer data corresponding to the suspicious transaction customer; inputting the target characteristic index into a first model to obtain a first suspicious transaction probability corresponding to the suspicious transaction client, wherein the first model is obtained by iteratively training a neural network model through a target sample set, and the target sample set comprises: the transaction client data corresponding to the transaction client sample and the first suspicious transaction probability corresponding to the transaction client sample; determining the out-degree characteristic and the in-degree characteristic corresponding to the suspicious transaction client according to the suspicious transaction network map; inputting the out-degree characteristic and the in-degree characteristic corresponding to the suspicious transaction client into a graph mining model to obtain a second suspicious transaction probability corresponding to the suspicious transaction client; and determining the target suspicious transaction probability according to the first suspicious transaction probability and the second suspicious transaction probability. 
The method for inputting the transaction client data corresponding to the suspicious transaction client into the target model to obtain the target suspicious transaction probability corresponding to the suspicious transaction client may further include: generating a target characteristic index according to the transaction client data corresponding to the suspicious transaction client; inputting the target characteristic index into a first model to obtain a first suspicious transaction probability corresponding to the suspicious transaction client, wherein the first model is obtained by iteratively training a neural network model through a target sample set, and the target sample set comprises: the transaction client data corresponding to the transaction client sample and the first suspicious transaction probability corresponding to the transaction client sample are obtained; screening the suspicious transaction clients according to a blacklist to obtain target suspicious transaction clients; acquiring target characteristics corresponding to the target suspicious transaction client; segmenting the target feature based on a segmentation rule; determining a third suspicious transaction probability corresponding to the suspicious transaction client according to the WOE value corresponding to the segmented target feature; and determining the target suspicious transaction probability according to the first suspicious transaction probability and the third suspicious transaction probability. 
The method for inputting the transaction client data corresponding to the suspicious transaction client into the target model to obtain the target suspicious transaction probability corresponding to the suspicious transaction client may further include: determining corresponding out-degree characteristics and in-degree characteristics of suspicious transaction clients according to the suspicious transaction network map; inputting the out-degree characteristic and the in-degree characteristic corresponding to the suspicious transaction client into a graph mining model to obtain a second suspicious transaction probability corresponding to the suspicious transaction client; screening the suspicious transaction clients according to a blacklist to obtain target suspicious transaction clients; acquiring target characteristics corresponding to the target suspicious transaction client; segmenting the target features based on a segmentation rule; determining a third suspicious transaction probability corresponding to the suspicious transaction client according to the WOE value corresponding to the segmented target feature; and determining the target suspicious transaction probability according to the second suspicious transaction probability and the third suspicious transaction probability.
Optionally, the target model includes: a first model and a graph mining model;
correspondingly, inputting the transaction client data corresponding to the suspicious transaction client into the target model to obtain the target suspicious transaction probability corresponding to the suspicious transaction client, including:
generating a target characteristic index according to the transaction client data corresponding to the suspicious transaction client;
inputting the target characteristic index into a first model to obtain a first suspicious transaction probability corresponding to the suspicious transaction client, wherein the first model is obtained by iteratively training a neural network model through a target sample set, and the target sample set comprises: the transaction client data corresponding to the transaction client sample and the first suspicious transaction probability corresponding to the transaction client sample;
determining the out-degree characteristic and the in-degree characteristic corresponding to the suspicious transaction client according to the suspicious transaction network map;
inputting the out-degree characteristic and the in-degree characteristic corresponding to the suspicious transaction client into a graph mining model to obtain a second suspicious transaction probability corresponding to the suspicious transaction client;
screening the suspicious transaction clients according to the blacklist to obtain target suspicious transaction clients;
acquiring target characteristics corresponding to the target suspicious transaction client;
segmenting the target feature based on a segmentation rule;
determining a third suspicious transaction probability corresponding to the suspicious transaction client according to the WOE value corresponding to the segmented target feature;
and determining a target suspicious transaction probability according to the first suspicious transaction probability, the second suspicious transaction probability and the third suspicious transaction probability.
Specifically, the method of screening the suspicious transaction clients according to the blacklist to obtain the target suspicious transaction clients may be: marking suspicious samples, specifically, verifying the suspicious samples by combining manual review with blacklists.
In a specific example, a graph pattern matching result is obtained, suspicious samples are marked, feature engineering is performed on the marked suspicious samples, a WOE-like conversion is performed after the feature engineering, and a third suspicious transaction probability corresponding to a suspicious transaction client is determined according to the result of the WOE-like conversion. The suspicious samples can be marked as follows: the suspicious samples are verified by combining manual review with a blacklist. The feature engineering on the marked suspicious samples can be performed as follows: scoring features are first constructed and then screened, continuous variables are binned, the binning result is adjusted by an expert, and the original data are mapped to the bins. The WOE-like conversion can be performed as follows: calculating the segment distribution proportion of each feature over the complete list, calculating the segment distribution proportion of each feature over the suspicious list, calculating the WOE value of each segment, and standardizing the WOE values.
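The WOE-like conversion described above, sketched as an added example (not code from the patent). The customer rows, feature names and bin edges are constructed, and three choices are assumptions the text does not fix: the segment WOE is taken as ln(suspicious share / full-list share) with additive smoothing, standardization is min-max scaling, and a customer's score is the mean of the standardized values of its segments.

```python
import math
from bisect import bisect_right

# Constructed sample: one row per customer in the complete list.
# "suspicious" marks rows confirmed by manual review plus blacklist.
CUSTOMERS = [
    {"id": "c0", "night_ratio": 0.02, "account_age_days": 900, "suspicious": False},
    {"id": "c1", "night_ratio": 0.05, "account_age_days": 1500, "suspicious": False},
    {"id": "c2", "night_ratio": 0.10, "account_age_days": 200, "suspicious": False},
    {"id": "c3", "night_ratio": 0.04, "account_age_days": 2000, "suspicious": False},
    {"id": "c4", "night_ratio": 0.08, "account_age_days": 800, "suspicious": False},
    {"id": "c5", "night_ratio": 0.30, "account_age_days": 30, "suspicious": True},
    {"id": "c6", "night_ratio": 0.55, "account_age_days": 60, "suspicious": True},
    {"id": "c7", "night_ratio": 0.60, "account_age_days": 45, "suspicious": True},
    {"id": "c8", "night_ratio": 0.12, "account_age_days": 400, "suspicious": False},
    {"id": "c9", "night_ratio": 0.70, "account_age_days": 90, "suspicious": True},
]

# Assumed cut points, standing in for the expert-adjusted binning result.
BIN_EDGES = {"night_ratio": [0.1, 0.4], "account_age_days": [180, 720]}


def bin_index(value, edges):
    """Map a continuous value to its segment (bin) number."""
    return bisect_right(edges, value)


def segment_shares(values, edges, smooth=0.5):
    """Share of rows per segment; additive smoothing keeps empty bins finite."""
    counts = [0] * (len(edges) + 1)
    for value in values:
        counts[bin_index(value, edges)] += 1
    denom = len(values) + smooth * len(counts)
    return [(count + smooth) / denom for count in counts]


def woe_like(customers, feature, edges):
    """Per-segment ln(share in suspicious list / share in complete list)."""
    full = segment_shares([c[feature] for c in customers], edges)
    susp = segment_shares(
        [c[feature] for c in customers if c["suspicious"]], edges)
    return [math.log(s / f) for s, f in zip(susp, full)]


def standardize(woe):
    """Min-max scale segment WOE values to [0, 1] (assumed standardization)."""
    lo, hi = min(woe), max(woe)
    if hi == lo:  # feature carries no signal: every segment looks the same
        return [0.5] * len(woe)
    return [(w - lo) / (hi - lo) for w in woe]


def build_scorecard(customers, bin_edges):
    """Standardized WOE per feature and segment."""
    return {feature: standardize(woe_like(customers, feature, edges))
            for feature, edges in bin_edges.items()}


def score(customer, scorecard, bin_edges):
    """Mean standardized WOE over the customer's segments (assumed combiner)."""
    parts = [scorecard[f][bin_index(customer[f], bin_edges[f])]
             for f in bin_edges]
    return sum(parts) / len(parts)


if __name__ == "__main__":
    card = build_scorecard(CUSTOMERS, BIN_EDGES)
    for row in CUSTOMERS:
        print(row["id"], round(score(row, card, BIN_EDGES), 3))
```

Segments that are over-represented in the suspicious list relative to the complete list get the highest standardized value, so the score rises with the share of late-night activity and falls with account age in this sample.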
Optionally, constructing a suspicious transaction network map according to the transaction customer data includes:
determining customer information according to the transaction flow;
determining an entity according to the customer information;
determining the relationship between the entities according to the associated information of the transaction client;
determining attribute information according to the transaction flow and the associated information of the transaction client;
and constructing a suspicious transaction network map according to the entities, the relationship among the entities and the attribute information.
Specifically, the entity types of the suspicious transaction network map include: account, customer, address, device and phone. The attributes corresponding to entities of the account type include basic information and account opening and cancellation conditions; the basic information includes: account type (public/private), early-warning condition (yes/no), and inline/out-of-line; the account opening and cancellation conditions include: account opening time, account cancellation time, and account-opening institution. The attributes corresponding to entities of the customer type include basic information, certificate information and risk condition; the basic information includes: client name, client state, inline/out-of-line, public/private, identity information, occupation, and business scope; the certificate information includes: certificate type, certificate number, certificate start date and certificate expiration date; the risk condition includes: the client's suspicious transaction risk level, whether the client has received a suspicious early warning, and the number of times a suspicious transaction report has been filed. The attributes of an entity of the address type include: a registration address and a personal address. The attribute of an entity of the device type is "none", and the attribute of an entity of the phone type is "none". Relationships between entities include: account attribution, transaction, phone attribution, address attribution, device attribution, corporate relationship, and relationship of relatives.
The attribute corresponding to account attribution is "none"; the attribute corresponding to the transaction relationship is the specific transaction amount; the attribute corresponding to phone attribution is "none"; the attribute corresponding to address attribution is "none"; the attribute corresponding to device attribution is "none"; the attribute corresponding to the corporate relationship is "none"; and the attribute corresponding to the relationship of relatives can be child, spouse and the like. FIG. 2 shows a partial transaction network map. FIG. 2 includes a private customer entity, a public customer entity, an account entity, a telephone entity, a device number entity and an address entity; the relationships among the entities include: account number attribution, transaction, relationship of relatives, corporate identity, phone attribution, device number attribution, and address attribution.
Optionally, performing pattern matching according to a graph pattern rule and the suspicious transaction network graph to obtain suspicious transaction clients includes:
acquiring at least one business network structure corresponding to at least one suspicious transaction scenario;
generating graph pattern rules according to the at least one business network structure;
and performing pattern matching according to the graph pattern rules and the suspicious transaction network graph to obtain the suspicious transaction clients.
Here, one suspicious transaction scenario may correspond to at least one business network structure.
Specifically, the graph pattern rules may be generated from the at least one business network structure as follows: for each business network structure, a corresponding graph pattern rule is generated.
Specifically, the pattern matching may be performed as follows: the graph pattern rule and the suspicious transaction network graph are input into a pattern matching model to obtain at least one sub-network graph that matches the graph pattern rule, and the suspicious transaction clients are determined according to the at least one sub-network graph.
In a specific example, Fig. 3 shows a business network structure. The proxy account in the business network structure of Fig. 3 has the following characteristics: funds are transferred in over multiple transfers and transferred out in a concentrated manner; the transfer counterparties come from all parts of the country; the transferred amounts are integer multiples of one hundred yuan, or the trailing digits of the amount carry a specific number; the number of transactions is large; non-counter transactions account for a high proportion; transactions occur throughout the day; the number of late-night transactions is high; the transaction notes are combinations of letters and digits. The collection account has the following characteristics: the number of counterparties is small and the counterparties are relatively fixed; the transaction amount is large; the nature of the transaction with the suspect customer. The core network structure shown in Fig. 4 is obtained from the business network structure shown in Fig. 3, and the graph pattern rule is determined from the core network structure shown in Fig. 4.
Optionally, performing pattern matching according to a graph pattern rule and the suspicious transaction network graph to obtain suspicious transaction clients includes:
inputting the graph pattern rule and the suspicious transaction network graph into a pattern matching model to obtain at least one sub-network graph that matches the graph pattern rule;
and determining the suspicious transaction clients according to the at least one sub-network graph.
Here, a sub-network graph is a portion of the suspicious transaction network graph.
Specifically, this may be done as follows: each graph pattern rule is input, together with the suspicious transaction network graph, into the pattern matching model to obtain at least one sub-network graph matching each graph pattern rule.
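The matching step described above, as an added Python example that is not part of the patent text: a graph pattern rule for the proxy/collection-account structure of Fig. 3 is evaluated against a small constructed graph, and each match is returned as a sub-network with the customers who own its accounts. The edge tuples, the `GraphPatternRule` fields and every threshold are assumptions chosen for illustration; the rule's parameters are kept adjustable so that a changed parameter yields a different set of matches.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample graph: (source, relation, target, attribute).
# "transaction" edges carry the amount in yuan; attribution edges carry None.
EDGES = [("C1", "account_attribution", "A_proxy", None),
         ("C2", "account_attribution", "A_collect", None),
         ("C3", "account_attribution", "A_small", None),
         ("C5", "account_attribution", "A_shop", None)]
# Six dispersed payers send round amounts to A_proxy, which forwards to A_collect.
EDGES += [(f"P{i}", "transaction", "A_proxy", amt)
          for i, amt in enumerate([500, 1200, 300, 800, 2000, 700], 1)]
EDGES += [("A_proxy", "transaction", "A_collect", 5400)]
# A smaller instance of the same shape: only three payers.
EDGES += [(f"Q{i}", "transaction", "A_small", 2000) for i in (1, 2, 3)]
EDGES += [("A_small", "transaction", "A_collect", 6000)]
# An ordinary merchant: many payers, but odd amounts and several suppliers.
EDGES += [(f"S{i}", "transaction", "A_shop", amt)
          for i, amt in enumerate([38.5, 129.9, 64, 250, 17.8, 99], 1)]
EDGES += [("A_shop", "transaction", f"V{i}", 150.0) for i in (1, 2, 3)]


@dataclass
class GraphPatternRule:
    """Hypothetical rule parameters for the proxy -> collection structure."""
    min_payers: int = 5              # dispersed transfer-in counterparties
    max_collectors: int = 2          # few, fixed transfer-out counterparties
    round_unit: int = 100            # inbound amounts are multiples of this
    min_round_ratio: float = 0.8     # share of inbound amounts that are round
    min_collect_amount: float = 5000 # every transfer out is large


def build_graph(edges):
    """Index transaction edges by account and record account ownership."""
    in_tx, out_tx, owner = defaultdict(list), defaultdict(list), {}
    for src, rel, dst, attr in edges:
        if rel == "transaction":
            out_tx[src].append((dst, attr))
            in_tx[dst].append((src, attr))
        elif rel == "account_attribution":
            owner[dst] = src             # customer -> account
    return in_tx, out_tx, owner


def match_rule(edges, rule):
    """Return every sub-network whose centre account satisfies the rule."""
    in_tx, out_tx, owner = build_graph(edges)
    matches = []
    for acct in sorted(in_tx):
        inbound, outbound = in_tx[acct], out_tx.get(acct, [])
        payers = {s for s, _ in inbound}
        collectors = {d for d, _ in outbound}
        if len(payers) < rule.min_payers:
            continue
        if not collectors or len(collectors) > rule.max_collectors:
            continue
        round_hits = sum(1 for _, a in inbound if a % rule.round_unit == 0)
        if round_hits / len(inbound) < rule.min_round_ratio:
            continue
        if min(a for _, a in outbound) < rule.min_collect_amount:
            continue
        accounts = {acct} | collectors
        matches.append({"proxy_account": acct, "payers": payers,
                        "collectors": collectors,
                        "customers": {owner[a] for a in accounts if a in owner}})
    return matches


def suspicious_customers(edges, rule):
    """Union of the customers attached to all matched sub-networks."""
    found = set()
    for m in match_rule(edges, rule):
        found |= m["customers"]
    return sorted(found)


if __name__ == "__main__":
    print(suspicious_customers(EDGES, GraphPatternRule()))
    # Relaxing one parameter widens the match set.
    print(suspicious_customers(EDGES, GraphPatternRule(min_payers=3)))
```

The merchant account is rejected on two independent conditions (non-round amounts and more than two payees), which is what keeps a fan-in count alone from flagging ordinary retail activity.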
Optionally, the method further includes:
if correction information input by the user is received, adjusting parameters in the graph pattern rule according to the correction information to obtain an updated graph pattern rule.
The correction information may be a feedback result, for example one obtained by business personnel who review the suspicious transaction clients in light of business experience and black samples.
It should be noted that, when correction information input by the user is received, the parameters in the graph pattern rule are adjusted according to it, so as to construct a graph pattern rule that fits the client's business scenario.
In a specific example, the embodiment of the invention provides a suspicious transaction monitoring method based on graph pattern matching and a graph mining algorithm, that is, a method based on graph rules and a graph model, which comprehensively improves monitoring accuracy by combining the transaction behaviors and the associated information of the samples in the model. The method extracts a core network from a comprehensive anti-money-laundering heterogeneous graph, constructs complex graph patterns of 4-5 layers or more, performs pattern matching and graph pattern rule construction, and inputs the complex graph patterns into a graph model (GCN, graph representation learning and graph embedding) for model training and prediction, improving risk monitoring and recognition. Graph and knowledge-graph technology is used to mine the intricate relationships among enterprise and personal transactions, legal persons, equity and the like; through insight into customer association relationships and mining of abnormal association structures, abnormal graph structure patterns that conform to suspicious transaction characteristics are found quickly, suspicious account groups are identified, anti-suspicious-transaction group identification is achieved, and data discrimination and analysis become intelligent.
As shown in Fig. 5, the method comprises the following steps:
Step 1: Data preparation. Data required by the model, such as transaction flow, association relationships and terminal device addresses, are processed. Invalid and normal transaction data are removed by business rules (such as those on transaction amount, count and type) and by model rules of a connected-graph algorithm, which effectively improves the efficiency of graph pattern matching, saves resources and improves accuracy.
Step 2: Graph construction. Knowledge-graph information is extracted from the data obtained in step 1, and the structured data is extracted into the node and edge files required for graph construction. Extracting the knowledge-graph information includes extracting entities, relationships and attributes, yielding the entity, entity relationship and attribute information of the transaction client data. On top of the traditional transaction relationship, multidimensional relationships such as account, client, address, device and phone are introduced to construct a comprehensive suspicious transaction network graph.
Step 3: Core network extraction. Based on People's Bank of China guidance and industry cases, combined with business expert knowledge, the core network structures of different scenarios are extracted and graph pattern rules are constructed. A graph pattern rule is a sub-graph formed by a specific network structure and related features, where the related features cover node features, relationship features and network features.
Step 4: Pattern matching. Based on the graph pattern rules extracted in step 3, the comprehensive suspicious transaction network graph constructed in step 2 is scanned with a pattern matching algorithm, sub-networks similar to the core network structure are found, and the suspicious transaction clients are output.
Step 5: The transaction client data corresponding to the suspicious transaction clients is input into the target model to obtain the target suspicious transaction probability corresponding to each suspicious transaction client:
first, a target characteristic index is constructed from the customer's personal basic information and the basic features processed in the anti-money-laundering data mart, where the basic features include abnormal transactions, large-amount transactions, cross-border transactions and the like, and the target characteristic index is input into a first model to obtain a first suspicious transaction probability corresponding to the suspicious transaction client;
second, secondary graph indexes, including out-degree features, in-degree features and the like, are derived from the comprehensive suspicious transaction network graph, and the out-degree and in-degree features corresponding to the suspicious transaction client are input into a graph mining model to obtain a second suspicious transaction probability corresponding to the suspicious transaction client;
third, the suspicious transaction clients are screened according to a blacklist to obtain target suspicious transaction clients; the target features corresponding to the target suspicious transaction clients are acquired; the target features are segmented based on a segmentation rule; and a third suspicious transaction probability corresponding to the suspicious transaction client is determined according to the WOE value corresponding to the segmented target feature.
Step 6: The target suspicious transaction probability is determined from the first, second and third suspicious transaction probabilities; the weights of the three probabilities are adjusted continuously, the target suspicious transaction probability is output, and the top N are selected for reporting and early warning.
Step 7: Threshold adjustment. The suspicious sub-networks are reviewed, the parameters of the core network structure are adjusted in light of business experience and black-sample performance, and a network structure and threshold that fit the client's business scenario are constructed.
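An added Python example (not from the patent) of the third branch of step 5 and the fusion in step 6: a feature is segmented, a WOE value is computed per segment from blacklist labels, the WOE is turned into a third probability, and the three probabilities are combined by adjustable weights before the top N are selected. Assumptions: WOE is taken as ln(bad share / good share) with blacklisted customers as the bad class, the WOE is added to the prior log-odds and passed through a logistic function, fusion is a weighted average, the first and second probabilities are given as outputs of the first model and the graph mining model, and all sample values are constructed.

```python
import math
from bisect import bisect_right


def segment(value, cut_points):
    """Index of the segment holding value; segments are [c_i, c_{i+1})."""
    return bisect_right(cut_points, value)


def woe_table(values, blacklisted, cut_points, smoothing=0.5):
    """One WOE value per segment; smoothing keeps empty segments finite."""
    n_bins = len(cut_points) + 1
    bad, good = [0] * n_bins, [0] * n_bins
    for v, is_bad in zip(values, blacklisted):
        (bad if is_bad else good)[segment(v, cut_points)] += 1
    bad_total = sum(bad) + smoothing * n_bins
    good_total = sum(good) + smoothing * n_bins
    return [math.log(((bad[i] + smoothing) / bad_total) /
                     ((good[i] + smoothing) / good_total))
            for i in range(n_bins)]


def third_probability(value, cut_points, woe, prior_log_odds):
    """Assumed mapping: prior log-odds plus segment WOE, through a logistic."""
    log_odds = prior_log_odds + woe[segment(value, cut_points)]
    return 1.0 / (1.0 + math.exp(-log_odds))


def fuse(p1, p2, p3, weights):
    """Weighted average of the three branch probabilities."""
    w1, w2, w3 = weights
    return (w1 * p1 + w2 * p2 + w3 * p3) / (w1 + w2 + w3)


def top_n(candidates, weights, n):
    """Rank candidates by fused probability and keep the n highest."""
    scored = []
    for name, (p1, p2, feature_value) in candidates.items():
        p3 = third_probability(feature_value, CUTS, WOE, PRIOR)
        scored.append((name, round(fuse(p1, p2, p3, weights), 3)))
    return sorted(scored, key=lambda item: -item[1])[:n]


# Constructed history: share of late-night transactions per customer and
# whether that customer is on the blacklist (1) or not (0).
HISTORY_VALUES = [0.05, 0.10, 0.08, 0.12, 0.30, 0.35, 0.60, 0.70, 0.65, 0.80]
HISTORY_BLACKLISTED = [0, 0, 0, 0, 0, 1, 1, 1, 0, 1]
CUTS = [0.2, 0.5]                      # hypothetical segmentation rule
WOE = woe_table(HISTORY_VALUES, HISTORY_BLACKLISTED, CUTS)
N_BAD = sum(HISTORY_BLACKLISTED)
PRIOR = math.log(N_BAD / (len(HISTORY_BLACKLISTED) - N_BAD))

# Constructed candidates: (first probability, second probability, feature).
CANDIDATES = {"C1": (0.70, 0.80, 0.75),
              "C2": (0.40, 0.90, 0.30),
              "C3": (0.60, 0.20, 0.05)}

if __name__ == "__main__":
    print([round(w, 3) for w in WOE])
    print(top_n(CANDIDATES, (0.4, 0.3, 0.3), 2))
    # Shifting weight toward the first model changes who is reported.
    print(top_n(CANDIDATES, (0.8, 0.1, 0.1), 2))
```

With balanced weights the graph-heavy candidate C2 is reported second; once the first model dominates, C3 overtakes it, which is why the weight adjustment in step 6 needs review against labelled cases rather than being set once.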
According to the technical scheme of this embodiment, transaction customer data is acquired, where the transaction customer data includes: the transaction flow corresponding to a transaction client, associated information of the transaction client, and a terminal device address corresponding to the transaction client. The transaction client data is input into a target model to obtain the target suspicious transaction probability corresponding to the transaction client, so that suspicious transactions can be monitored automatically and the efficiency and accuracy of suspicious transaction monitoring are improved.
Example two
Fig. 6 is a schematic structural diagram of a suspicious transaction monitoring device according to an embodiment of the present invention. This embodiment is applicable to suspicious transaction monitoring. The device may be implemented in software and/or hardware and may be integrated into any equipment that provides a suspicious transaction monitoring function. As shown in Fig. 6, the suspicious transaction monitoring device specifically includes: a data acquisition module 210 and a suspicious transaction probability determination module 220.
The data acquisition module is used for acquiring transaction client data, where the transaction client data includes: the transaction flow corresponding to a transaction client, associated information of the transaction client, and a terminal device address corresponding to the transaction client;
and the suspicious transaction probability determination module is used for inputting the transaction client data into a target model to obtain the target suspicious transaction probability corresponding to the transaction client.
The product can execute the method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
According to the technical scheme of this embodiment, transaction customer data is acquired, where the transaction customer data includes: the transaction flow corresponding to a transaction client, associated information of the transaction client, and a terminal device address corresponding to the transaction client. The transaction client data is input into a target model to obtain the target suspicious transaction probability corresponding to the transaction client, so that suspicious transactions can be monitored automatically and the efficiency and accuracy of suspicious transaction monitoring are improved.
Example three
FIG. 7 illustrates a block diagram of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 7, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 can perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from a storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic apparatus 10 may also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The processor 11 may be any of a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. Processor 11 performs the various methods and processes described above, such as the suspicious transaction monitoring method.
In some embodiments, the suspicious transaction monitoring method may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the suspicious transaction monitoring method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the suspicious transaction monitoring method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user may provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for monitoring suspicious transactions, comprising:
obtaining transaction customer data, wherein the transaction customer data comprises: a transaction flow corresponding to a transaction client, associated information of the transaction client, and a terminal device address corresponding to the transaction client;
and inputting the transaction client data into a target model to obtain the target suspicious transaction probability corresponding to the transaction client.
2. The method of claim 1, wherein inputting the transaction client data into a target model to obtain the target suspicious transaction probability corresponding to the transaction client comprises:
constructing a suspicious transaction network graph according to the transaction customer data;
performing pattern matching according to a graph pattern rule and the suspicious transaction network graph to obtain a suspicious transaction client;
and inputting the transaction client data corresponding to the suspicious transaction client into the target model to obtain the target suspicious transaction probability corresponding to the suspicious transaction client.
3. The method of claim 2, wherein the target model comprises: a first model and a graph mining model;
correspondingly, inputting the transaction client data corresponding to the suspicious transaction client into the target model to obtain the target suspicious transaction probability corresponding to the suspicious transaction client comprises:
generating a target characteristic index according to the transaction customer data corresponding to the suspicious transaction customer;
inputting the target characteristic index into a first model to obtain a first suspicious transaction probability corresponding to the suspicious transaction client, wherein the first model is obtained by iteratively training a neural network model through a target sample set, and the target sample set comprises: the transaction client data corresponding to a transaction client sample and the first suspicious transaction probability corresponding to the transaction client sample;
determining the out-degree characteristics and in-degree characteristics corresponding to the suspicious transaction client according to the suspicious transaction network graph;
inputting the out-degree characteristic and the in-degree characteristic corresponding to the suspicious transaction client into a graph mining model to obtain a second suspicious transaction probability corresponding to the suspicious transaction client;
screening the suspicious transaction clients according to a blacklist to obtain target suspicious transaction clients;
acquiring target characteristics corresponding to the target suspicious transaction client;
segmenting the target feature based on a segmentation rule;
determining a third suspicious transaction probability corresponding to the suspicious transaction client according to the WOE value corresponding to the segmented target feature;
and determining a target suspicious transaction probability according to the first suspicious transaction probability, the second suspicious transaction probability and the third suspicious transaction probability.
4. The method of claim 2, wherein constructing a suspicious transaction network graph from the transaction customer data comprises:
determining customer information according to the transaction flow;
determining an entity according to the customer information;
determining the relationship between the entities according to the associated information of the transaction client;
determining attribute information according to the associated information of the transaction flow and the transaction client;
and constructing a suspicious transaction network graph according to the entities, the relationship among the entities and the attribute information.
5. The method of claim 2, wherein performing pattern matching according to a graph pattern rule and the suspicious transaction network graph to obtain suspicious transaction customers comprises:
acquiring at least one business network structure corresponding to at least one suspicious transaction scenario;
generating graph pattern rules according to the at least one business network structure;
and performing pattern matching according to the graph pattern rules and the suspicious transaction network graph to obtain a suspicious transaction client.
6. The method of claim 5, wherein performing pattern matching according to a graph pattern rule and the suspicious transaction network graph to obtain suspicious transaction customers comprises:
inputting the graph pattern rule and the suspicious transaction network graph into a pattern matching model to obtain at least one sub-network graph that matches the graph pattern rule;
and determining suspicious transaction customers according to the at least one sub-network graph.
7. The method of claim 5, further comprising:
if correction information input by the user is received, adjusting parameters in the graph pattern rule according to the correction information input by the user to obtain an updated graph pattern rule.
8. A suspicious transaction monitoring device, comprising:
a data acquisition module, used for acquiring transaction client data, wherein the transaction client data comprises: a transaction flow corresponding to a transaction client, associated information of the transaction client, and a terminal device address corresponding to the transaction client;
and the suspicious transaction probability determination module is used for inputting the transaction client data into a target model to obtain the target suspicious transaction probability corresponding to the transaction client.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to enable the at least one processor to perform the method of monitoring suspicious transactions according to any one of claims 1-7.
10. A computer-readable storage medium having stored thereon computer instructions for causing a processor to, when executed, implement the suspicious transaction monitoring method according to any one of claims 1-7.
CN202211309970.0A 2022-10-25 2022-10-25 Suspicious transaction monitoring method, device, equipment and storage medium Pending CN115619411A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211309970.0A CN115619411A (en) 2022-10-25 2022-10-25 Suspicious transaction monitoring method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115619411A true CN115619411A (en) 2023-01-17

Family

ID=84864253

Country Status (1)

Country Link
CN (1) CN115619411A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination