CN116304252A - Communication network fraud prevention method based on graph structure clustering - Google Patents

Abstract

The invention discloses a communication network anti-fraud method and system based on graph structure clustering. The method comprises the following steps of constructing a network structure according to the user and call relationship, converting the network structure into a graph model and storing it in a CSR structure; constructing a network structure according to the user and call relationship, converting the network structure into a graph model and storing it in a CSR structure; The CSR structure of graph data generates non-repetitive edge tables and edge table indexes based on degree pointing; the data of the graph model is transmitted to the computing system, and the computing system executes the structural clustering method of the graph and outputs the structural clustering results; the present invention can help Law enforcement agencies can quickly locate areas where criminals may be active from the huge communication network, detect possible fraud gangs and defrauded objects, narrow the scope of observation, and improve law enforcement efficiency.

Description

A communication network anti-fraud method based on graph structure clustering

technical field

The invention belongs to the technical field of big data and data mining, and specifically relates to a communication network anti-fraud method based on graph structure clustering.

Background technique

The graph formed by the communication network structure is very large in the context of today's big data era. The graph structure formed by the communication data of a city with a population of several million may have hundreds of millions of edges. Due to the timeliness of combating fraud, how to dig out the important hierarchical structure information in a short period of time has always been a hot spot and difficult problem in technological development. Recent studies have proposed several classic community search methods defined in terms of subgraph cohesion metrics, such as k-core, k-truss, k-clique, and k-ECC. These methods can find cohesive and connected subgraphs as communities. However, these methods either have insufficient conditions to find out subgraph communities with poor cohesion, such as k-core; or the conditions are too strict, resulting in such defined communities that have very little stock in the graph and are consumed when searching Too much time, such as k-truss and k-clique. Therefore, these methods are actually not suitable for clustering search of most communication network graphs. Also as a graph structure clustering method for discovering cohesive subgraphs in the network, it can solve this problem well. Each cluster formed by graph structure clustering has high performance while ensuring good clustering effect. Therefore, graph structure clustering can be better applied to large-scale communication networks.

For traditional graph structure clustering, it often adopts a method that is conducive to CPU serial execution for structural clustering. The above method has a big problem: good performance can only be achieved in small and medium-sized graphs with no more than one million relationship levels, but the effect is poor in high-frequency and large-scale graph data. For example, the current twitter network and microblog network have large-scale social network graphs with more than one billion relationships. To find out the cohesive subgraphs in it, the traditional method is difficult to do, because it takes several hours to calculate the clustering. Hours, does not meet the anti-fraud practical application in the current era of big data.

Contents of the invention

In order to solve the above-mentioned technical defects in the prior art, the present invention proposes a communication network anti-fraud method based on graph structure clustering.

The technical solution for realizing the object of the present invention is: a communication network anti-fraud method based on graph structure clustering, comprising the following steps:

The communication operator platform regularly collects all communication network users and call records of all users within the set time period;

Build a network structure based on user and call relationships, convert the network structure into a graph model and store it in a CSR structure;

Based on the CSR structure of graph data, generate non-repeating edge tables and edge table indexes based on degree points;

The data of the graph model is transmitted to the computing system, and the computing system executes the structural clustering method of the graph, and outputs the structural clustering result;

Analyze the structural clustering results, display the analysis results, and list suspicious objects.

Preferably, the specific method for converting the network structure into a graph model is:

The user is a point in the graph, and the user information data is modeled as an attribute of the point;

The communication between users is regarded as the edge of the graph, and the communication data is modeled as the attribute of the edge.

Preferably, the specific method for storing the graph model in a CSR structure is:

According to the order of the point Id in the figure, record the degree of the point (the number of edges connected to the point) to form a degree array, and store the neighbor points of each point in the order of Id to form an adjacency array Adj. Then, according to the prefix sum of the degree array of the point, the array Rptr representing the starting position of the adjacent point set of each point in the adjacent array Adj is obtained; Rptr and Adj constitute the CSR structure of the graph.

Preferably, based on the CSR structure of the graph data, the specific method of generating the non-repeating edge table and edge table index based on the degree pointing is as follows:

Set the set of the neighbors of each point u whose degree is greater than or whose degree is equal to Id to be greater than u as N ₊ (u), create auxiliary arrays upptr and his to record whether each point u’s neighbor v belongs to N ₊ (u ) in which element and the size of N ₊ (u);

Calculate the exclusive prefix sum on his to obtain the write position in the edge list Degree-orientedEdge List of the edge with u as its source point;

Each element in the adj array is traversed in a two-level loop, and the position of v∈N(u) is recorded as O _uv , when processing a point v∈N ₊ (u), by adding elptr(u) to O The relative offset of the starting position of _uv upptr(u) to create the mapping eid(O _uv ), and assign e(u,v) to the edge table, otherwise, call the binary search on N(v) to locate O _vu , and create a mapping eid(O _uv ) by using v as the edge of the source point.

Preferably, the computing system executes the structural clustering method of the graph, and the specific process of outputting the structural clustering results is as follows:

Input the clustering parameters, initialize the cluster Id to which each point belongs and the degree of certainty and validity of all points;

Use the pruning strategy and input parameters to determine the similarity of some edges and the clustering role of some objects to eliminate redundant calculations;

Calculate the similarity of each edge, and determine whether it is a core point through the similarity of the edges related to each point;

The core points are preliminarily clustered by using union search, and the final cluster is formed by expanding outward from the formed preliminary cluster;

Classify out-of-class points as hub points or outliers according to whether they are connected to different clusters;

Get the clustering status of all points in the entire graph, and return the user group division status corresponding to these clustering statuses to the platform.

Preferably, GPU multithreading initializes the degree of certainty of each point in parallel, and the degree of certainty is initialized to 0; GPU multithreading initializes the degree of validity of each point in parallel, and the degree of validity is the number of neighbor points of each point. If the degree of validity If it is less than μ-1, the point is classified as a non-core point in advance.

Preferably, using the pruning strategy and input parameters to determine the similarity of some edges and the clustering roles of some objects to eliminate redundant calculations is as follows:

According to the non-repeating edge table based on the degree pointing that has been generated, each warp of the GPU selects an edge (u, v) from the edge table in order to process, if the edge satisfies |N[u]|<ε ² ·|N [v]|, you can directly determine that (u, v) are not similar in advance, and reduce the validity of point u and point v by one. If the validity of these two points is less than μ-1, return the point to Classes are non-core points. Among them, N[u] represents the set of point u itself and its neighbor points, and |N[u]| represents the number of elements in this set, and its value is equal to the degree of u plus one.

Preferably, the similarity of each edge is calculated, and the specific method for determining whether it is a core point through the similarity of the edge related to each point is:

Calculate the similarity of each edge (u, v) according to the following formula:

According to the attribute matching of two points u and v, update the similarity, which can be specifically divided into: consider the address attribute corresponding to the point, if the two points have the same address attribute, the similarity will increase according to a certain weight; the edge (u , v) The corresponding communication time attribute is taken into account, if the communication time represented by the edge is greater than the set value, then the similarity between u and v increases according to a certain weight;

If σ(u,v)<ε, dissimilar, and update the validity of u and v, and reduce their validity by one, if σ(u,v)≥ε, similar, and update u and v If the degree of certainty is greater than μ-1, then the point is classified as a non-core point, and if the degree of certainty is therefore greater than μ-1, the point is classified as a core point point.

Preferably, the core points are preliminarily clustered by union search, and the specific method of expanding from the formed preliminary clusters to form the final clusters is as follows:

Each core point is initialized into a single-element tree set, which serves as the root of the tree set, and the number Id of the set is the root Id;

First, cluster the core points. The first step is that each warp of the GPU processes a core point u in parallel, and the threads in the warp traverse the neighbors of u in parallel. If the neighbor v of point u is also a core point, then the generated The edge table index finds the position of the edge (u, v) in the edge table, and finds the similarity of the edge (u, v) record according to the position. If the similarity of (u, v) is unknown, skip it. If it is similar, Then use the Find operation of the union to find the root nodes R _u and R _v of the set where the points u and v are located. If _Ru and R _v are different, that is, they are not in the same set, use the union operation of the union to merge Two sets; the second step is similar to the first step. It is also to check the similarity between all core points u and its neighbor core points v in parallel. If the similarity is unknown, use the above similarity calculation method to calculate the similarity. If are similar, then use the method of the first step to merge the two sets where u and v are located;

Then check each core point in parallel for each warp of the non-core point clustering GPU. Each thread in the warp looks for the non-core point neighbor v of u, and also finds (u, v) according to the edge table index and edge table ) similarity, when (u, v) is similar, the non-core point is added to the cluster, that is, the cluster Id of v is assigned as the cluster Id of the core point u.

Compared with the prior art, the present invention has the following significant advantages: on the one hand, the present invention can help law enforcement agencies quickly locate areas where criminals may be active from a huge communication network, detect possible fraudulent gangs and defrauded objects, and narrow down Observation range, improve law enforcement efficiency; on the other hand, through the high concurrent computing framework CUDA of Nvidia GPU to accelerate the structural clustering of graphs, the structural clustering of large-scale graph data with tens of millions of edges can be completed within a hundred milliseconds At the same time, the current optimal GPU parallel similarity calculation strategy and union search clustering strategy are proposed, which greatly improves the calculation speed, and makes the present invention have the advantages of low delay, fast response and good robustness.

Additional features and advantages of the invention will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.

Description of drawings

The drawings are for the purpose of illustrating specific embodiments only and are not to be considered as limitations of the invention, and like reference numerals refer to like parts throughout the drawings.

FIG. 1 is a system architecture diagram of an embodiment of the present invention.

Fig. 2 is a flowchart of an embodiment of the present invention.

Fig. 3 is a data structure diagram of the graph structure clustering method of the present invention.

Fig. 4 is a GPU parallel computing diagram of the graph structure clustering method of the present invention.

Fig. 5 is a diagram showing the result of implementing the present invention in a communication network.

Detailed ways

It is easy to understand that, according to the technical solution of the present invention, those skilled in the art can imagine various implementations of the present invention without changing the essence and spirit of the present invention. Therefore, the following specific embodiments and drawings are only exemplary descriptions of the technical solution of the present invention, and should not be regarded as the entirety of the present invention or as a limitation or limitation on the technical solution of the present invention. Rather, these embodiments are provided to enable those skilled in the art to more thoroughly understand the present invention. Preferred embodiments of the present invention will be specifically described below in conjunction with the accompanying drawings, wherein the accompanying drawings constitute a part of the application and are used together with the embodiments of the present invention to explain the innovative concept of the present invention.

In order to make the purpose and technical solution of the present invention more clear, the technical solution of the present invention will be described in detail below in conjunction with the accompanying drawings and examples.

Refer to Fig. 1 for the system structure of the present invention. FIG. 1 is a system architecture diagram of an embodiment of the present invention. The system architecture belongs to a distributed architecture, including a communication network, a front-end platform, a data analysis layer, and a computing module. The communication network may be a telephone network or a mobile Internet network operated and maintained by major communication operators. The front-end platform is a server deployed with a front-end interface. All operations including search range setting, timing task setting, parameter input and result display are all performed on this platform. The data analysis layer is a back-end server cluster that receives front-end platform parameter transmission and collects communication network data. It is responsible for structuring the collected communication data into graph data and passing it to the computing module for processing, and receiving the results of the computing module for analysis and sending it back to Front-end platform display. The calculation module is a server cluster equipped with a graphics processor. The calculation method is a structural clustering method based on graph data. The powerful parallel computing capability of the graphics processor can greatly improve its efficiency.

In order to realize the functions of the system of the present invention, the unique id (such as a phone number) of each user needs to be determined in the communication network, and the feature information of each user in the process of use needs to be obtained. It is also necessary to divide the communication network by area, so that the communication id used by the users in the target area can be identified. An index table of users is maintained in the data analysis layer, and the index table records the users identified in the current time period in the area that the server is responsible for. Each user in the index table corresponds to a communication object table, which stores people who communicate with the user. Every time a communication occurs, the communication network obtains the information of both parties and passes it to the data analysis layer to check whether the two users already exist in the index table. If not, add them. If they already exist, there is no need to add them. Then check whether their adjacency list has recorded the communication object, if not, add it.

If the above method is used to collect communication information, an attribute mapping table corresponding to the user and an attribute mapping table corresponding to the communication object of the user may also be generated. When obtaining the user id, if the operator's communication network is capable, the user's attribute information can also be obtained, such as obtaining the user's physical address and call time according to the base station or ip. After the user information is determined, it can be added to the attribute mapping table corresponding to the users in the index table one-to-one, and the communication information can be added to the attribute mapping table corresponding to the communication object table. These attributes can be modeled as point attributes and edge attributes in the graph in the future, providing more references for similarity calculations and improving accuracy.

The structure of the index table, the communication object table and the attribute table can be as shown in Table 1:

Table 1

In Table 1, the user's identity uses a digital number, and the user's attribute uses a physical address. The attribute of the communication object adopts the duration of the call. There are two example user communication objects in the table, but actually the number is not limited, and the form of index table, communication object table and attribute table is not limited to one table.

The data tables collected based on the above data analysis layer can use memory database storage to improve writing speed. After receiving the task request from the front-end platform, model the data into a graph. The user is a point in the graph, and the user information data is modeled as an attribute of the point. The communication between users is regarded as the edge of the graph, and the attribute of the communication object is modeled as the attribute of the edge, forming a logical network graph structure. This structure is then transformed into the CSR structure of the generated graph. Referring to Fig. 3, the left part of Fig. 3 has a schematic diagram of the storage structure of an embodiment of the present invention. The network in the figure has 4 points including v ₁ , v ₂ , v ₃ , v ₄ , and the edges between these points. According to the order of the point Id in the figure, record the degree of the point (the number of edges connected to the point) to form a degree array, and store the neighbor points of each point in the order of Id to form an adjacency array Adj. Then, according to the prefix sum of the degree array of the point, the array Rptr representing the starting position of the adjacent point set of each point in the adjacent array Adj is obtained; Rptr and Adj constitute the CSR structure of the graph.

After the structuring is completed, the CSR structure is transmitted to the computing module. For the subsequent similarity calculation and the assignment of GPU parallel tasks, the computing module needs to regenerate the Degree-oriented EdgeList edge table and map the Adj Index Eid to the edge table. Store each edge of the graph, that is, the point pair structure composed of its two endpoints, into the edge table in order. Referring to FIG. 3 , the Edge List in FIG. 3 shows the degree-oriented Edge List edge list of the graph of the embodiment of the present invention.

Referring to the right part of Figure 3, the process of generating the Degree-oriented Edge List edge table and the index Eid is as follows: First, the set of the neighbor points of each point u whose degree is greater than or equal to the degree Id greater than u is set to N ₊ (u), Create auxiliary arrays upptr and his to respectively record whether the neighbor point v of each point u belongs to which element in N ₊ (u) and the size of N ₊ (u). Second, the exclusive prefix sum over his is computed to obtain the write position in the Degree-oriented Edge List (denoted by elptr ) of the edge with u as its source. Third, each element in the adj array is traversed in a two-stage loop, and the position of v∈N(u) is recorded as O _uv . When processing a point v ∈ N ₊ (u), the mapping eid(O _uv ) is created by adding elptr(u) to the relative offset upptr(u) from the starting position of O _uv from, and adding e( u, v) are assigned to edge tables. Otherwise, invoke a binary search on N(v) to locate O _vu and create a map eid(O _uv ) by using v as the edge of the source point.

The process of generating auxiliary arrays upptr and his from CSR can be accelerated in parallel by using CPU multithreading, and the process of constructing Degree-oriented Edge List and Eid from elptr can also be effectively parallelized. Therefore, the process can be greatly accelerated through parallelization, and it only takes a few seconds to complete in the case of billion-level large-scale data.

After completing the construction of the data structure, input the clustering parameters ε and μ, and transfer the parameters and the aforementioned structure from the device memory to the GPU memory. The certainty and efficiency of each point are initialized in parallel using GPU multithreading. The degree of certainty is initialized to 0, and the degree of validity is initialized to the number of neighbor points of the point. The degree of certainty and validity are used to determine whether a point is a core point while calculating the similarity of edges in the graph. Once the degree of a point is found to be less than μ-1 during the initialization process, the point can be determined in advance as a non-core point.

In order to avoid redundant calculations, the pruning strategy needs to be used before the next similarity calculation step. According to the formula derivation, if |N[u]|<ε ² ·|N[v]| (without loss of generality, assume| N[u]|<|N[v]|), then (u, v) must be dissimilar, where N[u] represents the set of point u itself and its neighbors, and |N[u]| represents this set The number of elements is equal to the degree of u plus one, so that u and v can be directly determined to be dissimilar without calculating the common neighbors of u and v. And due to empirical derivation, most of the edges in the real world graph are dissimilar, this pruning strategy works well.

Therefore, according to the non-repeating edge table based on the degree pointing that has been generated, each warp of the GPU selects an edge (u, v) from the edge table in order to process, if the edge satisfies |N[u]|<ε ² · |N[v]|, you can directly determine that (u, v) are not similar in advance, and reduce the validity of point u and point v by one, if the validity of these two points is less than μ-1, then advance the Points are classified as non-core points.

After completing the initial preparation, start to calculate the similarity and cluster. The similarity calculation formula of (u,v) is as follows:

Among them, N[u] is the structural neighbor of point u, that is, the set of neighbor points of u plus itself. When σ(u, v)≥ε, it is considered that (u, v) are similar.

The similarity calculation process is as follows: according to the generated non-repeating edge table based on degree pointing, each warp of the GPU selects an edge (u, v) from the edge table in order to process, first check whether the points u and v are both It has been determined as a core point or a non-core point. If both have been determined, skip the similarity calculation of the opposite side (u, v), and its similarity remains unknown. If at least one of u or v is not determined, each The 32 threads in a warp calculate the number of common neighbors of two points u and v on the selected edge (u, v), and the number of common neighbors of u and v plus two is the number of structural neighbors of u and v, which is | N[u]∩N[v]|; Get the degrees of u and v directly from the CSR structure, add one to the degree of point u to get |N[u]|, add one to the degree of point v to get N[v] , and then calculate the similarity σ(u,v) according to the formula. If σ(u,v)<ε, dissimilar, and update the validity of u and v, and reduce their validity by one, if σ(u,v)≥ε, similar, and update u and v If the degree of certainty is greater than μ-1, then the point is classified as a non-core point, and if the degree of certainty is therefore greater than μ-1, the point is classified as a core point point.

The calculation process of the method mainly adopts a binary search strategy under GPU parallelism, as shown in FIG. 3 . Figure 3 shows the implementation process of this step with a sample diagram. Figure 3 shows the warp's work distribution and binary search process for computing (v ₁ ,v ₀ ) common neighbors. Parts a and b in the figure illustrate that the edges (v ₁ , v ₀ ), (v ₂ , v ₀ ) and (v ₂ , v ₁ ) at adjacent positions are composed of continuous W _i , W _i+1 and W _{i +2} warps are processed simultaneously. Take the edge (v ₁ , v ₀ ) processed by W _i as an example. In order to calculate its similarity, the adjacent points of _v1 and _v0 are first obtained from the CSR structure. Then, since the degree of v ₁ is small, threads t ₀ , t ₁ , t ₂ and t ₃ in Wx are responsible for matching neighbor points v ₀ , v ₂ , v ₄ and v ₇ , respectively. Parts c and d of Figure 3 show these processes.

During the calculation process, these threads put their corresponding points into the neighbor array of v ₀ , and perform matching through binary search, as shown in part e in the figure. According to the binary search tree, in the first iteration, four threads compare their target points with _v4 , and thread 2 ends the task after a successful hit. Due to the rule of binary search, thread 0 and thread 1 whose point id is less than v ₄ will search to the left of the binary tree, while thread 3 is greater than v ₄ and will search to the right. The next few rounds of iterations are the same, and finally there are three common neighbors that are statistically matched, which is in line with the intuitive reflection of the example picture. The number of common neighbors found is used to calculate the similarity. If the result of the calculation is dissimilar, the calculation of the similarity can be further optimized by converting the attributes of the points and edges through the communication data. Specifically, it can be divided into: taking into account the address attribute corresponding to the point, if two points are in the same region, the similarity will increase according to a certain weight; taking into account the communication time attribute corresponding to the edge, if the communication time represented by the edge is sufficient is long, the similarity between the two ends of the edge increases according to a certain weight. After taking attributes into account, the similarity of modified edges may increase beyond the threshold ε to become similar edges, but this helps this method to fit the actual situation. After the similarity is determined, the validity and certainty of the two points are updated according to the results to determine whether they are core points.

The clustering process is used to cluster these core points together after all the core points are determined, and then extend this to form the final cluster. The first step is to group edge-connected and similar core points in the same cluster. The second step is to add the non-core point similar neighbors of the core point to the cluster formed by the core point.

The specific performance of the clustering process is as follows: each core point is initialized into a single-element tree set, and this point is used as the root of the tree set, and the number Id of the set is the tree root Id; first, the core points are clustered, and the first The first step is that each warp of the GPU processes a core point u in parallel, and the threads in the warp traverse the neighbors of u in parallel. If the neighbor v of point u is also a core point, then find out the edge (u, v) The position in the edge table, find the similarity of the edge (u, v) record according to the position, if the similarity of (u, v) is unknown, skip it, if it is similar, go up through the Find operation of the union search Find the root nodes R _u and R _v of the set where u point and v point are located. If _Ru and R _v are different, that is, they are not in the same set, use the union operation of the union search set to merge the two sets; the second step is the same as the first One step is similar, also check the similarity between all core points u and its neighbor core points v in parallel, if the similarity is unknown, use the above similarity calculation method to calculate the similarity, if it is similar, use the first step The method merges the two sets where u and v are located; then checks each core point in parallel for each warp of the non-core point clustering GPU, and each thread in the warp looks for the non-core point neighbor v of u, also according to The edge table index and the edge table find the similarity of (u, v), and add the non-core point to the cluster when (u, v) is similar, that is, assign the cluster Id of v to be the same as the core point u. Cluster ID. In summary, all the structural clusters expanded from the core points in the graph can be found.

The clustering process also adopts GPU parallel acceleration, utilizing parallelized union search and clustering. When a thread unifies the clusters to which two points belong (that is, the root node of one cluster points to another cluster), if another thread is operating the same node, it will lead to thread insecurity caused by access conflicts. Therefore, it is necessary to ensure mutually exclusive access to these critical resources. The present invention adopts the atomic operation atomicCAS in CUDA to ensure that multiple threads operate mutually exclusive access to the same node data.

After the method of the present invention obtains the structural clustering of the graph as the searched community, it will also classify those points that are not in the clustering, and further mine the structural information of the graph. Among them, the points that are only directly connected or indirectly connected in the same cluster are marked as outliers. The characteristics of these points are: the neighbors all belong to the same cluster or are also outliers. Other points connecting different clusters are marked as hub points, which are the hubs connecting different clusters. The specific method is: each GPU warp corresponds to the classification of a non-clustering internal point, and the default value of these points is the outlier point. A warp first checks whether the point is connected to a point in the cluster; if so, 32 threads in the warp simultaneously look for neighbors that are not in the same cluster; if found, the point is classified as a pivot point, Otherwise leave its default value unchanged.

The results of the calculation modules are passed back to the data analysis layer, which in turn analyzes suspected criminal gangs based on the results. The actual meaning of the point set corresponding to the cluster is a group of users with close internal communication, and criminal gangs are more likely to appear in these clusters. Outliers that are edge-connected to the cluster are more likely to be victims of fraud. The pivot points connecting different clusters are most likely to be the superiors linking multiple groups. In order to make the analysis more accurate, deep learning methods can also be introduced, such as multi-layer perceptrons or generative confrontation networks. A feasible method is: input the characteristic information of users in the group corresponding to the cluster (whether they are in the cluster, the size of the cluster, the number of edges connected to other users, and the attributes of the edges, etc.) Identity data is used for training. The introduction of artificial intelligence is suspicious to further improve the accuracy and assist law enforcement officers to judge.

The results of the data analysis layer are transmitted to the front-end platform for display, and law enforcement officers can quickly locate suspicious criminal gangs based on the results, narrow the scope of investigation, and effectively combat telecommunications fraud.

Effect of the present invention can be further illustrated by following simulation experiments:

Simulation conditions

In order to verify the effect of our proposed invention, the data set of the simulation experiment uses 8 real-world large-scale graphs that are commonly used to test and evaluate the performance of graph algorithms. They are soc-LiveJournal, Enwiki-2022, com-orkut, Hollywood-2011, tech-p2p, UK-2002, soc-Twitter and Yahoo songs. These datasets are obtained from well-known foreign graph dataset websites SNAPNets, Network Repository and Laboratory for Web Algorithmics. The smallest graph, Soc-Journal, has tens of millions of relationships, and the largest graph, Yahoo songs, has 700 million relationships. The simulation experiments and related comparative experiments are carried out under the Ubuntu16.04 operating system, the programming language environment is C++11 and CUDA10.1, and the hardware is Nvidia Tesla v100 computing card. The experimental data is the average of the execution time three times

The evaluation index adopted in the present invention is the time (unit: s) consumed by clustering search. In order to prove the effectiveness of our invention, we also implemented several widely used comparison methods for comparison, namely:

(1) SCAN: This method realizes the basic method of graph structure clustering, which adopts CPU serial calculation, similarity calculation method is merge sort, and clustering adopts breadth-first search.

(2) GPUSCAN: This model adopts GPU-accelerated SCAN, the similarity calculation method is parallel merge sorting, and the clustering adopts the parallel Unicom subgraph generation strategy.

Simulation experiment result analysis

Table 2 shows the results of the simulation experiments of the method of the present invention and other comparison methods on eight data sets under common parameters ε=0.6, μ=6. From the experimental results, our results have achieved the best results in eight different data sets, reflecting the universality of our invented method. Among them, GPUSCAN is the first method to use parallel acceleration, and it can be seen that it has a good performance improvement compared with the ordinary structural clustering method SCAN. However, due to the poor parallelism and heavy workload of the similarity calculation method adopted by GPUSCAN, the efficiency of the method used in the clustering step is not very ideal when there are many similar relationships. Therefore its performance is still far weaker than the method of the present invention, and the average performance of the method of the present invention is its more than ten times.

Table 3 shows the results of the simulation experiment of the method of the present invention and other comparative methods under the parameters ε=0.6, μ=16. It can be seen that when the parameter μ is changed, the performances of the present invention and other comparative methods remain basically unchanged, and the performance of the present invention still maintains a performance lead of more than ten times.

Table 4 shows the results of the simulation experiment of the method of the present invention and other comparative methods under the parameters ε=0.2, μ=6. It can be seen that when the parameter ε is small, the number of similar relationships in the graph increases, and the parallel Unicom subgraph generation strategy adopted by GPUSCAN increases the number of iterations greatly when the similar relationship increases, so the performance decreases. However, the speed of the present invention remains substantially unchanged under the comparison, reflecting the robustness of the method of the present invention.

In order to further reflect the effect of this method, the results of graph structure clustering on the communication network are visualized, as shown in Figure 5. Record data for the communication of 10,000 people in a certain area in one day. In this dataset, each vertex represents a phone user, and the edge from u to v represents the communication between the user represented by u and the user represented by v. The data set is clustered using the method of the present invention. The parameter values and results are shown in the figure, and the part surrounded by the gray circle is all the clusters found by the structural clustering algorithm (in the figure, the clusters with cluster IDs of C ₁ and C ₂ are taken as examples), and the same clusters Users in the community are represented by the same color, and users outside the community are represented by light gray. Among them, there are three clusters with large scale and tight cohesion, which are suspicious gangs. Although the other two clusters have only 2 and 5 members respectively, they are smaller in scale and less likely to be gangs. For the outliers outside the class, they are marked as Outliers. Taking u and v as examples, they have communication with users in the cluster, so they are likely to be deceived. Those users marked in dark gray are classified as hubs due to their communication with different suspicious gangs, marked as Hubs, which are suspected criminal gang superiors.

Table 2

table 3

Table 4

The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any person skilled in the art within the technical scope disclosed in the present invention can easily think of changes or Replacement should be covered within the protection scope of the present invention.

It should be appreciated that in the foregoing description of exemplary embodiments of the invention, in order to streamline the present disclosure and to assist those skilled in the art in understanding its various aspects, various features of the invention are sometimes described in the context of a single embodiment, or with reference to A single graph is described. However, the present invention should not be interpreted that the features included in the exemplary embodiments are all essential technical features of the patent claims.

It should be understood that the modules, units, components, etc. included in the device of one embodiment of the present invention can be adaptively changed so as to be arranged in a device different from that of the embodiment. Different modules, units or components included in the device of the embodiment can be combined into one module, unit or component, or they can be divided into multiple sub-modules, sub-units or sub-components.

Claims (9)

1. A communication network anti-fraud method based on graph structure clustering, characterized in that, comprising the following steps: The communication operator platform regularly collects all communication network users and call records of all users within the set time period; Build a network structure based on user and call relationships, convert the network structure into a graph model and store it in a CSR structure; Based on the CSR structure of graph data, generate non-repeating edge tables and edge table indexes based on degree points; The data of the graph model is transmitted to the computing system, and the computing system executes the structural clustering method of the graph, and outputs the structural clustering result; Analyze the structural clustering results, display the analysis results, and list suspicious objects. 2. The communication network anti-fraud method based on graph structure clustering according to claim 1, characterized in that, the specific method for converting the network structure into a graph model is: The user is a point in the graph, and the user information data is modeled as an attribute of the point; The communication between users is regarded as the edge of the graph, and the communication data is modeled as the attribute of the edge. 3. The communication network anti-fraud method based on graph structure clustering according to claim 1, wherein the specific method for storing the graph model with a CSR structure is: Record the degrees of the points according to the order of the point Id in the figure to form a degree array, and store the neighbor points of each point in the order of Id according to the order of the point Id to form an adjacency array Adj; according to the prefix sum of the degree array of the point to represent each point The adjacency point set in the array Rptr of the starting position of the adjacency array Adj; Rptr and Adj constitute the CSR structure of the graph. 4. The communication network anti-fraud method based on graph structure clustering according to claim 1, characterized in that, based on the CSR structure of graph data, the specific method for generating non-repetitive edge tables and edge table indexes based on degree points is: Set the set of the neighbors of each point u whose degree is greater than or whose degree is equal to Id to be greater than u as N ₊ (u), create auxiliary arrays upptr and his to record whether each point u’s neighbor v belongs to N ₊ (u ) in which element and the size of N ₊ (u); Calculate the exclusive prefix sum on his to obtain the write position in the edge list Degree-oriented EdgeList of the edge with u as its source point; Each element in the adj array is traversed in a two-level loop, and the position of v∈N(u) is recorded as O _uv , when processing a point v∈N ₊ (u), by adding elptr(u) to O The relative offset of the starting position of _uv upptr(u) to create the mapping eid(O _uv ), and assign e(u,v) to the edge table, otherwise, call the binary search on N(v) to locate O _vu , and create a mapping eid(O _uv ) by using v as the edge of the source point. 5. The communication network anti-fraud method based on graph structure clustering according to claim 1, wherein the computing system executes the graph structure clustering method, and the specific process of outputting the structure clustering results is: Input the clustering parameters, initialize the cluster Id to which each point belongs and the degree of certainty and validity of all points; Use the pruning strategy and input parameters to determine the similarity of some edges and the clustering role of some objects to eliminate redundant calculations; Calculate the similarity of each edge, and determine whether it is a core point through the similarity of the edges related to each point; The core points are preliminarily clustered by using union search, and the final cluster is formed by expanding outward from the formed preliminary cluster; Classify out-of-class points as hub points or outliers according to whether they are connected to different clusters; Get the clustering status of all points in the entire graph, and return the user group division status corresponding to these clustering statuses to the platform. 6. The communication network anti-fraud method based on graph structure clustering according to claim 5, wherein the degree of certainty of each point is initialized in parallel by GPU multithreading, and the degree of certainty is initialized to 0; the degree of certainty is initialized in parallel by GPU multithreading The validity of each point is the number of neighbor points of each point. If the validity is less than μ-1, the point is classified as a non-core point in advance. 7. The communication network anti-fraud method based on graph structure clustering according to claim 5, wherein the similarity of some edges and the clustering roles of some objects are determined by using pruning strategies and input parameters to eliminate redundancy The specific process of calculation is: According to the non-repeating edge table based on the degree pointing that has been generated, each warp of the GPU selects an edge (u, v) from the edge table in order to process, if the edge satisfies |N[u]|<ε ² ·|N [v]|, you can directly determine that (u, v) are not similar in advance, and reduce the validity of point u and point v by one. If the validity of these two points is less than μ-1, return the point to The class is a non-core point, where N[u] represents the set of point u itself and its neighbors, and |B[u]| represents the number of elements in this set, and its value is equal to the degree of u plus one. 8. The communication network anti-fraud method based on graph structure clustering according to claim 5, wherein the similarity of each edge is calculated, and whether it is the core is determined by the similarity of the edge associated with each point The specific method of point is: According to the generated non-repeating edge table based on degree pointing, each warp of the GPU selects an edge (u, v) from the edge table in order to process, first check whether point u and point v have been determined as core points or For non-core points, if both of them have been determined, the similarity calculation of the opposite side (u, v) will be skipped, and its similarity will remain unknown; if at least one of u or v is not determined, then 32 in the warp The threads work together to calculate the number of common neighbors of two points u and v on the selected edge (u, v), and the number of common neighbors of u and v plus two is the number of structural neighbors of u and v, expressed as |N[u]∩N [v]|; Obtain the degree of u and v directly from the CSR structure, the degree of point u plus one is |N[u]|, the degree of point v plus one is N[v]; Calculate the similarity of each edge (u, v) according to the following formula:

According to the attribute matching of two points u and v, update the similarity, which can be specifically divided into: consider the address attribute corresponding to the point, if the two points have the same address attribute, the similarity will increase according to a certain weight; the edge (u , v) The corresponding communication time attribute is taken into account, if the communication time represented by the edge is greater than the set value, then the similarity between u and v increases according to a certain weight; If σ(u,v)<ε, dissimilar, and update the validity of u and v, and reduce their validity by one, if σ(u,v)≥ε, similar, and update u and v If the degree of certainty is greater than μ-1, then the point is classified as a non-core point, and if the degree of certainty is therefore greater than μ-1, the point is classified as a core point point. 9. The communication network fraud prevention method based on graph structure clustering according to claim 5, characterized in that the core points are preliminarily clustered by using union search, and the final cluster is formed by expanding outward from the formed preliminary cluster. The specific method is: Each core point is initialized into a single-element tree set, which serves as the root of the tree set, and the number Id of the set is the root Id; First, cluster the core points. The first step is that each warp of the GPU processes a core point u in parallel. The threads in the warp traverse the neighbors of u in parallel. If the neighbor v of point u is also a core point, then the generated The edge table index finds the position of the edge (u, v) in the edge table, finds the similarity of the edge (u, v) record according to the position, if the similarity is unknown, skip, if similar, pass and check The Find operation searches upwards for the root nodes R _u and R _v of the set where u point and v point are located. If R _u and R _v are different, that is, they are not in the same set, use the union operation of union search to merge the two sets; The second step is similar to the first step. It is also to check the similarity between all core points u and its neighbor core points v in parallel. If the similarity is unknown, then adopt the similarity calculation method described in claim 8 to calculate the similarity. If it is Similarly, use the method of the first step to merge the two sets where u and v are located; Then, each warp of the non-core point clustering GPU is checked in parallel for each core point. Each thread in the warp looks for the non-core point neighbor v of u, which is also found according to the edge table index and edge table (u, v) Similarity, if it is similar, add the non-core point to the cluster, that is, assign the cluster Id of v to the cluster Id of the core point u; if the similarity is unknown, calculate the similarity first, if similar Then add the non-core point to the cluster.

Images