CN116342276A - Method, device and server for determining abnormal object - Google Patents
Method, device and server for determining abnormal object Download PDFInfo
- Publication number
- CN116342276A CN116342276A CN202310239928.4A CN202310239928A CN116342276A CN 116342276 A CN116342276 A CN 116342276A CN 202310239928 A CN202310239928 A CN 202310239928A CN 116342276 A CN116342276 A CN 116342276A
- Authority
- CN
- China
- Prior art keywords
- target object
- risk
- abnormal
- target
- preset
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000002159 abnormal effect Effects 0.000 title claims abstract description 296
- 238000000034 method Methods 0.000 title claims abstract description 79
- 238000012545 processing Methods 0.000 claims abstract description 40
- 238000001514 detection method Methods 0.000 claims abstract description 39
- 230000005856 abnormality Effects 0.000 claims description 49
- 230000006399 behavior Effects 0.000 claims description 19
- 238000012549 training Methods 0.000 claims description 15
- 230000003993 interaction Effects 0.000 claims description 13
- 238000012790 confirmation Methods 0.000 claims description 11
- 238000004590 computer program Methods 0.000 claims description 8
- 238000012795 verification Methods 0.000 claims description 7
- 230000004044 response Effects 0.000 claims description 4
- 238000013473 artificial intelligence Methods 0.000 abstract description 2
- 238000004891 communication Methods 0.000 description 18
- 230000006870 function Effects 0.000 description 11
- 238000010586 diagram Methods 0.000 description 8
- 230000008569 process Effects 0.000 description 8
- 206010000117 Abnormal behaviour Diseases 0.000 description 7
- 230000007246 mechanism Effects 0.000 description 7
- 238000011835 investigation Methods 0.000 description 5
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 101150054987 ChAT gene Proteins 0.000 description 2
- 101100203187 Mus musculus Sh2d3c gene Proteins 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 239000000203 mixture Substances 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 108010001267 Protein Subunits Proteins 0.000 description 1
- 230000002547 anomalous effect Effects 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 239000008280 blood Substances 0.000 description 1
- 210000004369 blood Anatomy 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000004140 cleaning Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 238000001914 filtration Methods 0.000 description 1
- 230000004927 fusion Effects 0.000 description 1
- 238000002372 labelling Methods 0.000 description 1
- 230000006386 memory function Effects 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- 238000003062 neural network model Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 238000007781 pre-processing Methods 0.000 description 1
- 238000004801 process automation Methods 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 238000000060 site-specific infrared dichroism spectroscopy Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q40/00—Finance; Insurance; Tax strategies; Processing of corporate or income taxes
- G06Q40/04—Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2455—Query execution
- G06F16/24564—Applying rules; Deductive queries
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
Landscapes
- Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Finance (AREA)
- General Physics & Mathematics (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- Development Economics (AREA)
- Technology Law (AREA)
- Marketing (AREA)
- Economics (AREA)
- Computer Security & Cryptography (AREA)
- Computational Linguistics (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- General Engineering & Computer Science (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The specification provides a method, a device and a server for determining an abnormal object, which are applied to the technical field of artificial intelligence. Based on the method, the association data of the target object and the association data of the relation object of the target object are acquired firstly; judging whether the target object is abnormal or not according to a preset abnormal recognition rule, the association data of the target object and the association data of the relation object; under the condition that the target object is determined to be abnormal, processing the association data of the target object and the association data of the relation object by utilizing a preset abnormal risk identification model to determine whether the target object is abnormal; and under the condition that the abnormal risk exists in the target object, adding the object identification of the target object into an abnormal risk tracking list so as to track the abnormal risk of the target object. Therefore, the abnormal object can be accurately and efficiently automatically detected and identified, the detection error is effectively reduced, and the data safety of related institutions or platforms is protected.
Description
Technical Field
The specification belongs to the technical field of artificial intelligence, and particularly relates to a method, a device and a server for determining abnormal objects.
Background
In some institutions or platforms (e.g., banks, securities exchanges, etc.) involving transactions, due to the specificity of the business in which the institution or platform participates, it is often required that employees must strictly follow staff rules within the institution or platform to avoid the occurrence of illegal abnormal behaviors. For example, for banking employees, most banks require that the employees cannot reveal account information of the depositors to the outside to protect the data security of the depositors and the banks.
Based on the existing method, a supervision person special to a relying organization or platform is usually required to manually collect related information, and based on personal experience, whether the behavior of staff is abnormal or not is checked and confirmed by manually analyzing and processing the information. When the method is implemented, the efficiency is low, and the method is easily influenced by human subjective factors, so that the problems of omission, error and the like are caused.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The specification provides a method, a device and a server for determining abnormal objects, which can accurately and efficiently automatically detect and identify abnormal objects with abnormal behaviors in staff of an institution or a platform related to transactions, effectively reduce detection errors and protect data security of related institutions or platforms related to transactions.
The specification provides a method for determining an abnormal object, which is applied to a server, and comprises the following steps:
obtaining an object identifier of a target object; according to the object identification of the target object, collecting the associated data of the target object and the associated data of the relation object with a preset relation with the target object through multiple channels;
according to a preset abnormal recognition rule, carrying out data matching on the associated data of the target object and the associated data of the relation object to obtain a target matching result aiming at the target object;
determining whether the target object is abnormal according to the target matching result;
under the condition that the target object is determined to be not abnormal, processing the associated data of the target object and the associated data of the relation object by using a preset abnormal risk identification model to obtain a target identification result aiming at the target object;
determining whether the target object has abnormal risk according to the target identification result;
and under the condition that the abnormal risk exists in the target object, adding the object identification of the target object into an abnormal risk tracking list to track the abnormal risk of the target object.
In one embodiment, the multi-channel collection of the associated data of the target object according to the object identification of the target object comprises:
Inquiring an information database of the target object according to the object identification of the target object to determine the equipment identification of the terminal equipment of the target object, the employee number of the target object and the attribute information of the target object;
inquiring an employee management system according to the employee number of the target object, and acquiring working behavior data in a first time period of the target object as the associated data;
and/or the number of the groups of groups,
inquiring a login record of the terminal equipment according to the equipment identification of the terminal equipment of the target object so as to determine the account identification of the virtual account of the target object; according to the virtual account identification, searching operation records of the key websites and/or the key media, and obtaining online behavior data of the target object in a first time period as the associated data;
and/or the number of the groups of groups,
generating a questionnaire aiming at the target object according to the attribute information of the target object; and transmitting the questionnaire to a target object to acquire response data of the target object for the questionnaire as the association data.
In one embodiment, the relationship object having a preset relationship with the target object is determined in the following manner:
inquiring an information database of the target object according to the object identification of the target object to determine attribute information of the target object; inquiring the staff management system according to the attribute information of the target object to determine a relation object with a working relation with the target object;
And/or the number of the groups of groups,
determining terminal equipment used by the target object according to the object identification of the target object; inquiring the interaction record of the terminal equipment to determine a relation object with an interaction relation with the target object in a first time period;
and/or the number of the groups of groups,
and according to the object identification of the target object, inquiring an information database of the target object to determine a relation object which has a relative relation with the target object.
In one embodiment, before the multi-channel collection of the associated data of the target object, the method further comprises:
generating an acquisition request of associated data about a target object; the acquisition request is sent to terminal equipment of the target object; the terminal equipment displays the acquisition request to a target object;
detecting whether acknowledgement information of the terminal equipment for the acquisition request is received in a second time period or not; wherein, the confirmation information at least carries the identity signature of the target object;
verifying the identity signature of the target object under the condition that confirmation information of the terminal equipment for the acquisition request is received in a second time period;
and under the condition that the identity signature verification of the target object is confirmed to pass, the associated data of the target object are collected through multiple channels.
In one embodiment, according to a preset anomaly identification rule, performing data matching on association data of a target object and association data of a relationship object to obtain a target matching result for the target object, including:
determining abnormal matching degree of each associated data according to a preset abnormal recognition rule, associated data of a target object and associated data of a relation object; the preset abnormality identification rule comprises reference values of a plurality of key associated data;
and obtaining a matching result aiming at the target object through weighting operation according to the abnormal matching degree of each associated data.
In one embodiment, after determining whether the target object has an anomaly based on the target match result, the method further comprises:
generating an abnormality prompt about the target object under the condition that the target object is determined to have abnormality according to the target matching result;
determining a supervision object of the target object;
sending an abnormal prompt about a target object to terminal equipment held by the supervision object; and pausing the critical rights of the target object.
In one embodiment, according to the target recognition result, determining whether the target object has an abnormal risk includes:
Detecting whether a target identification result is larger than a preset risk threshold;
and under the condition that the target identification result is larger than a preset risk threshold value, determining that the target object has abnormal risk.
In one embodiment, after determining that the target object is at risk of abnormality, the method further comprises:
combining the association data of the target object and the association data of the relation object with a preset relation with the target object to serve as a training sample of the current time period; the training samples in the current time period are used for training and updating a preset abnormal risk identification model after the current time period is ended, and the preset abnormal risk identification model applied to the next time period is obtained.
In one embodiment, after adding the object identification of the target object to the abnormal risk tracking manifest, the method further comprises:
inquiring a current abnormal risk tracking list at intervals of a preset time period, and determining a risk object to be subjected to abnormal risk tracking;
acquiring association data updated currently by a risk object and association data updated currently by a relation object of the risk object;
determining whether the risk object is abnormal or not according to a preset abnormality identification rule, association data of the current update of the risk object and association data of the current update of the relation object of the risk object;
Under the condition that the risk object is determined to be abnormal, processing the association data updated currently by the risk object and the association data updated currently by the relation object of the risk object by using a preset abnormal risk identification model, and determining whether the risk object is abnormal or not;
adding a current risk detection result for the risk object in the abnormal risk tracking list under the condition that the risk object is determined to have no abnormal risk; the current risk detection result carries a time tag.
In one embodiment, in the event that it is determined that the risk object is not at abnormal risk, the method further comprises:
inquiring and determining whether the accumulated safety duration of the risk object which is not present with abnormal risks continuously is larger than a preset safety duration threshold according to the risk detection result of the risk object in the abnormal risk tracking list;
and under the condition that the accumulated safety time length of the risk object without abnormal risks continuously exists is larger than the preset safety time length threshold value, eliminating the risk object from the abnormal risk tracking list.
In one embodiment, after processing the association data currently updated by the risk object and the association data currently updated by the relationship object of the risk object using the preset abnormal risk identification model, determining whether the risk object has an abnormal risk, the method further includes:
Under the condition that the risk object is determined to have abnormal risk, adding a current risk detection result aiming at the risk object into the abnormal risk tracking list; the current risk detection result carries a time tag;
the method comprises the steps of,
inquiring and determining whether the accumulated risk duration of the current continuous abnormal risks of the risk object is greater than a preset risk duration threshold according to the risk detection result of the risk object in the abnormal risk tracking list;
and under the condition that the accumulated risk time length of the current continuous abnormal risks of the risk object is larger than the preset risk time length threshold value, determining that the abnormal risks exist in the risk object.
The specification also provides a device for determining an abnormal object, which is applied to a server and comprises:
the acquisition module is used for acquiring the object identification of the target object; according to the object identification of the target object, collecting the associated data of the target object and the associated data of the relation object with a preset relation with the target object through multiple channels;
the matching module is used for carrying out data matching on the associated data of the target object and the associated data of the relation object according to a preset abnormal recognition rule to obtain a target matching result aiming at the target object;
The first determining module is used for determining whether the target object is abnormal or not according to the target matching result;
the first processing module is used for processing the associated data of the target object and the associated data of the relation object by utilizing a preset abnormal risk identification model under the condition that the target object is determined to have no abnormality, so as to obtain a target identification result aiming at the target object;
the second determining module is used for determining whether the target object has abnormal risk according to the target identification result;
and the second processing module is used for adding the object identification of the target object into the abnormal risk tracking list under the condition that the abnormal risk exists in the target object, so as to track the abnormal risk of the target object.
The present specification also provides a server comprising a processor and a memory for storing processor-executable instructions which, when executed by the processor, implement the relevant steps of the method of determining an abnormal object.
The present specification also provides a computer readable storage medium having stored thereon computer instructions which when executed by a processor perform the steps of: obtaining an object identifier of a target object; according to the object identification of the target object, collecting the associated data of the target object and the associated data of the relation object with a preset relation with the target object through multiple channels; according to a preset abnormal recognition rule, carrying out data matching on the associated data of the target object and the associated data of the relation object to obtain a target matching result aiming at the target object; determining whether the target object is abnormal according to the target matching result; under the condition that the target object is determined to be not abnormal, processing the associated data of the target object and the associated data of the relation object by using a preset abnormal risk identification model to obtain a target identification result aiming at the target object; determining whether the target object has abnormal risk according to the target identification result; and under the condition that the abnormal risk exists in the target object, adding the object identification of the target object into an abnormal risk tracking list to track the abnormal risk of the target object.
The present specification also provides a computer program product comprising a computer program which, when executed by a processor, implements the relevant steps of the method of determining an abnormal object.
Based on the method, the device and the server for determining the abnormal object provided by the specification, the associated data of the target object and the associated data of the relation object of the target object are acquired firstly; judging whether the target object is abnormal or not according to a preset abnormal recognition rule, the association data of the target object and the association data of the relation object; under the condition that the target object is determined to be abnormal, processing the association data of the target object and the association data of the relation object by utilizing a preset abnormal risk identification model to determine whether the target object has potential abnormal risk; and under the condition that the abnormal risk exists in the target object, the object identification of the target object can be added into an abnormal risk tracking list so as to track the abnormal risk of the target object. Therefore, abnormal objects with abnormal behaviors and risk objects with potential abnormal risks in staff related to related institutions or platforms of transactions can be accurately and efficiently detected and identified, continuous abnormal risk tracking is carried out on the risk objects, detection errors are effectively reduced, omission is avoided, and data safety of institutions or platforms related to transactions is well protected.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure, the drawings that are required for the embodiments will be briefly described below, and the drawings described below are only some embodiments described in the present disclosure, and other drawings may be obtained according to these drawings without inventive effort for a person of ordinary skill in the art.
FIG. 1 is a flow diagram of a method for determining an abnormal object according to one embodiment of the present disclosure;
FIG. 2 is a schematic diagram of one embodiment of a method for determining an abnormal object using the embodiments of the present specification, in one example scenario;
FIG. 3 is a schematic diagram of one embodiment of a method for determining an abnormal object using the embodiments of the present disclosure, in one example scenario;
FIG. 4 is a schematic diagram of one embodiment of a method for determining an abnormal object using the embodiments of the present disclosure, in one example scenario;
FIG. 5 is a schematic diagram of one embodiment of a method for determining an abnormal object to which the embodiments of the present specification are applied, in one example of a scenario;
FIG. 6 is a schematic diagram of one embodiment of a method for determining an abnormal object using the embodiments of the present specification, in one example of a scenario;
FIG. 7 is a schematic diagram of the structural composition of a server according to one embodiment of the present disclosure;
fig. 8 is a schematic structural composition diagram of an abnormality object determination apparatus provided in one embodiment of the present specification.
Detailed Description
In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
It should be noted that, the information data related to the user in the present specification is obtained and used on the premise that the user knows and agrees, and the obtaining, storing, using, processing, etc. of the information data all conform to relevant regulations of national laws and regulations.
Referring to fig. 1, an embodiment of the present disclosure provides a method for determining an abnormal object. The method is particularly applied to the server side. In particular implementations, the method may include the following:
S101: obtaining an object identifier of a target object; according to the object identification of the target object, collecting the associated data of the target object and the associated data of the relation object with a preset relation with the target object through multiple channels;
s102: according to a preset abnormal recognition rule, carrying out data matching on the associated data of the target object and the associated data of the relation object to obtain a target matching result aiming at the target object;
s103: determining whether the target object is abnormal according to the target matching result;
s104: under the condition that the target object is determined to be not abnormal, processing the associated data of the target object and the associated data of the relation object by using a preset abnormal risk identification model to obtain a target identification result aiming at the target object;
s105: determining whether the target object has abnormal risk according to the target identification result;
s106: and under the condition that the abnormal risk exists in the target object, adding the object identification of the target object into an abnormal risk tracking list to track the abnormal risk of the target object.
The target object may be specifically understood as an employee object of a mechanism or platform to be detected whether an abnormality exists. Such as a teller of a bank, or a trader of a stock exchange, etc. Of course, the above-listed objects are only illustrative when needed. In specific implementation, the target object may further include other types of physical objects or virtual objects according to specific application scenarios and processing requirements. The present specification is not limited to this.
Based on the embodiment, comprehensive and rich associated data including the associated data of the target object and the associated data of the associated object of the target object, which are related to the target object, can be acquired automatically; and furthermore, based on a preset abnormality recognition rule and preset abnormality risk recognition, the related data is utilized to carry out multiple detection recognition, so that whether the target object is abnormal or not and the abnormality risk are accurately and efficiently judged, the detection precision can be effectively improved, the detection error is reduced, and the situations such as omission and the like are avoided.
In some embodiments, the method of determining an anomalous object described above may be particularly applicable to the server side of an institution or platform involved in a transaction. Specifically, reference may be made to fig. 2.
The server may specifically include a background server applied to a supervision system side of a related institution or platform (for example, XX bank) related to transactions, and capable of implementing functions such as data transmission and data processing. Specifically, the server may be, for example, an electronic device having data operation, storage function and network interaction function. Alternatively, the server may be a software program running in the electronic device that provides support for data processing, storage, and network interactions. In the present embodiment, the number of servers is not particularly limited. The server may be one server, several servers, or a server cluster formed by several servers.
In specific implementation, as shown in fig. 2, the server may acquire, at regular intervals (for example, a week) according to a preset detection rule, association data of the target object and association data of a relationship object having a preset relationship with the target object by multi-channel acquisition according to the identification of the target object, so as to obtain richer and comprehensive association data related to the target object.
Then, based on a preset abnormality rule, the correlation data is utilized to perform first re-detection identification through data matching so as to determine whether the target object has an abnormality. When the abnormality of the target object is determined, the existing behavior of the target object can be directly determined to have definitely not returned to the staff rule requirement, and the violation condition exists, and then the related prompt about the target object can be directly sent to the terminal equipment held by the supervision object (for example, the supervisor of the target object and the like) of the target object so as to prompt the supervision object to timely process.
The terminal equipment specifically comprises a front end which is applied to one side of a target object and a supervision object and can realize functions of data acquisition, data transmission and the like. Specifically, the terminal device may be, for example, an electronic device such as a desktop computer, a tablet computer, a notebook computer, or a smart phone. Alternatively, the terminal device may be a software application capable of running in the above-mentioned electronic device. For example, it may be an employee APP of a transaction platform running on a smart phone, etc.
When the target object is determined to have no abnormality through the first re-detection recognition, the correlation data can be processed by using a preset abnormality risk recognition model to perform the second re-detection recognition so as to determine whether the target object has potential abnormality risk.
Under the condition that the abnormal risk exists in the target object, the object identification of the target object can be further added into an abnormal risk tracking list, so that continuous abnormal risk tracking can be carried out on the target object according to a preset tracking rule.
Therefore, the specific abnormal objects and the risk objects with potential abnormal risks can be accurately and comprehensively detected and identified, continuous abnormal risk tracking is carried out on the risk objects, omission is avoided, and a mechanism or a platform is better protected.
In some embodiments, referring to fig. 3, before the multi-channel collection of the associated data of the target object, the method may further include the following when implemented:
s1: generating an acquisition request of associated data about a target object; the acquisition request is sent to terminal equipment of the target object; the terminal equipment displays the acquisition request to a target object;
S2: detecting whether acknowledgement information of the terminal equipment for the acquisition request is received in a second time period or not; wherein, the confirmation information at least carries the identity signature of the target object;
s3: verifying the identity signature of the target object under the condition that confirmation information of the terminal equipment for the acquisition request is received in a second time period;
s4: and under the condition that the identity signature verification of the target object is confirmed to pass, the associated data of the target object are collected through multiple channels.
Based on the embodiment, the server can acquire the associated data of the target object in multiple channels on the premise that the target object knows and agrees with the authorization, so that corresponding data processing can be completed on the premise of protecting the data privacy of the target object.
In some embodiments, the association data of the target object may further include: the target object is based on equipment operation records of the terminal, self evaluation of the target object, targeted object quarantine messages or mails and the like in a first time period.
In some embodiments, the terminal device may present the acquisition request to the target object after receiving the acquisition request. According to the acquisition request, the target object can feed back the confirmation information aiming at the acquisition request to the server through the terminal equipment under the condition of knowing and agreeing to acquire the associated data. The confirmation information may specifically also carry an identity signature that is known only to the target object.
Specifically, the identity signature is generated by using a user private key held by the target object, a user-defined password of the target object and a random number based on a corresponding encryption algorithm. For the server, the authenticity of the identity signature can be verified, but the identity signature cannot be generated by self.
After receiving the confirmation information, the server can conduct true and false verification on the identity signature, when the identity signature is judged to be true, the server can determine that the identity signature passes verification, the target object knows and agrees to collect relevant associated data, and at the moment, the server can collect relevant data relevant to the target object in multiple channels.
In some embodiments, the above-mentioned multi-channel collection of the associated data of the target object according to the object identifier of the target object may include the following when implemented:
inquiring an information database of the target object according to the object identification of the target object to determine the equipment identification of the terminal equipment of the target object, the employee number of the target object and the attribute information of the target object;
inquiring an employee management system according to the employee number of the target object, and acquiring working behavior data in a first time period of the target object as the associated data;
And/or the number of the groups of groups,
inquiring a login record of the terminal equipment according to the equipment identification of the terminal equipment of the target object so as to determine the account identification of the virtual account of the target object; according to the virtual account identification, searching operation records of the key websites and/or the key media, and obtaining online behavior data of the target object in a first time period as the associated data;
and/or the number of the groups of groups,
generating a questionnaire aiming at the target object according to the attribute information of the target object; and transmitting the questionnaire to a target object to acquire response data of the target object for the questionnaire as the association data.
The working behavior data may specifically include at least one of the following: the working time length, the delay times, the early-return times, the performance, the attendance rate and the like.
The attribute information of the target object may specifically include basic information of the target object, for example, sex, age, blood type, etc. of the target object; in addition, the attribute information of the target object may further include working information of the target object, for example, a service department where the target object is located, a job level of the target object, a working year of the target object, and the like.
Based on the embodiment, the server can acquire the relative data of the target object which is rich and comprehensive and is directly related to the target object through multiple channels.
In some embodiments, the terminal device may be a main operation device used by the target object, and the device identifier of the terminal device may be a device fingerprint of the terminal device, for example, a mac address, a device serial number (IMEI), an SSID, an IMSI, and the like.
The online behavior data may specifically include: the target object is based on a web transaction record, web browsing record, web rating record, web chat record, etc. of the key website and/or key medium. The key website may be a website related to trade, for example, a stock website, a futures trade website, a website of other trade platforms, and the like. The key medium can be commonly used chat interaction software.
When the server specifically acquires online behavior data of the target object in a first time period, a collaboration request can be initiated to terminal equipment of the target object; the collaboration request may carry an identity signature carried by acknowledgement information provided before the target object. After receiving the collaboration request, the terminal equipment can verify the authenticity of the identity signature a priori, and under the condition that the identity signature passes verification, the investigation authority about the terminal equipment is opened to the server; meanwhile, the terminal equipment also sends prompt information about developing the investigation permission to the target object. After the target object views the prompt information, if the temporary decision prohibits the server from acquiring the online behavior data through the terminal equipment, the terminal equipment can be operated to send out a rejection instruction. Correspondingly, the terminal equipment can timely terminal the investigation authority of the server.
After obtaining the investigation authority, the server can search and inquire the login record of the target object based on the terminal device by virtue of the investigation authority; and obtaining the account identification of the virtual account of the target object according to the login record. The virtual account may specifically be a virtual account used when the target object logs in to the key website and/or the key medium. For example, the account identifier of the virtual account may be an account name used when the target object logs into a stock website to perform a stock exchange operation.
Then, the server can search the operation record of the key website and/or the key medium of the target object in the terminal equipment according to the account identification of the virtual account so as to obtain the online behavior data of the target object in the first time period.
Further, the server can also detect whether the target object uses other operation terminals besides the terminal equipment according to the operation records of the key websites and/or the key media of the target object in the terminal equipment; when the target object is determined to be used by other operation terminals, the online behavior data in a first time period which is richer and more comprehensive for the target object can be obtained by accessing and searching the other operation terminals on the premise that the target object is known and agrees in the mode.
In some embodiments, during implementation, the server may screen out a questionnaire matched with the target object from a preset questionnaire library according to attribute information of the target object; and then the questionnaire is sent to the terminal equipment held by the target object. After receiving the questionnaire, the terminal device can display the questionnaire to the target object and remind the target object of replying in time. The target object can complete the reply of the questionnaire through the terminal device. Correspondingly, the terminal equipment collects reply data of the target object aiming at the questionnaire and feeds the reply data back to the server.
After receiving the reply data, the server can directly take the reply data as associated data; the answer data can also be processed by using a preset semantic recognition model to obtain a corresponding answer semantic text, and then the answer semantic text is used as associated data.
In some embodiments, the preset relationship may specifically include one or more of the following: relatives, friends, colleagues, net friends, etc. Accordingly, the relationship object of the target object may specifically include: relatives, friends, colleagues, net friends, etc. of the target object.
In some embodiments, in implementation, the relationship object having a preset relationship with the target object may be determined according to the following manner:
inquiring an information database of the target object according to the object identification of the target object to determine attribute information of the target object; inquiring the staff management system according to the attribute information of the target object to determine a relation object with a working relation with the target object;
and/or the number of the groups of groups,
determining terminal equipment used by the target object according to the object identification of the target object; inquiring the interaction record of the terminal equipment to determine a relation object with an interaction relation with the target object in a first time period;
and/or the number of the groups of groups,
and according to the object identification of the target object, inquiring an information database of the target object to determine a relation object which has a relative relation with the target object.
Based on the embodiment, the server can accurately and comprehensively determine the relation object with the preset relation with the target object, and acquire the relation data of the relation object indirectly related to the target object through multi-channel acquisition by referring to the mode of acquiring the relation data of the target object.
In some embodiments, the association data of the relationship object may specifically include at least one of: occupation of the relationship object, business management information related to the relationship object, court execution information related to the relationship object, and the like.
In some embodiments, in implementation, the server may acquire and automatically acquire, according to the keywords, the processing rules and the like of the supervision object, the institution or the platform custom configuration, the association data of the target object and the association data of the relationship object of the target object through an RPA (Robotic Process Automation robot flow automation) technology.
In some embodiments, the performing data matching on the association data of the target object and the association data of the relationship object according to the preset anomaly identification rule to obtain a target matching result for the target object may include:
s1: determining abnormal matching degree of each associated data according to a preset abnormal recognition rule, associated data of a target object and associated data of a relation object; the preset abnormality identification rule comprises reference values of a plurality of key associated data;
s2: and obtaining a matching result aiming at the target object through weighting operation according to the abnormal matching degree of each associated data.
Based on the above embodiment, the first re-detection recognition can be performed by using the preset anomaly recognition rule, the associated data of the target object, and the associated data of the relationship object, so as to obtain the target matching result with better accuracy, wider coverage dimension and higher reference value.
In some embodiments, the preset anomaly identification rule may specifically be obtained by clustering association data of a large number of historical anomaly objects and association data of relationship objects of the anomaly objects in advance.
Specifically, the preset abnormality recognition rule may include a reference value of associated data for indicating abnormality. The reference value may specifically be a key character or a parameter threshold.
Correspondingly, the implementation and implementation, performing data matching on the association data of the target object and the association data of the relation object according to the preset abnormality recognition rule may include: and carrying out key character matching or parameter threshold comparison on the associated data of the target object and the associated data of the relation object of the target object with the reference value of the associated data corresponding to the preset abnormality recognition rule respectively to obtain the abnormality matching degree of each associated data.
Then, the server can also obtain a matching result aiming at the target object through weighting operation by combining the abnormal matching degree of each associated data according to the preset weight coefficient.
Based on a preset weight coefficient, distinguishing the abnormal matching degree of the associated data directly related to the target object and the abnormal matching degree of the associated data indirectly related to the target object, and setting different weight values; and the relationship objects with different awareness degrees with the target object can be distinguished, and different weight values are set for the abnormal matching degree of the associated data of the different relationship objects. The preset weight coefficient may be specifically determined based on association data of the historical abnormal object and association data of the relationship object of the abnormal object by combining expert experience.
In some embodiments, after determining whether the target object has an anomaly according to the target matching result, referring to fig. 4, when the method is implemented, the method may further include the following:
s1: generating an abnormality prompt about the target object under the condition that the target object is determined to have abnormality according to the target matching result;
s2: determining a supervision object of the target object;
s3: sending an abnormal prompt about a target object to terminal equipment held by the supervision object; and pausing the critical rights of the target object.
In the implementation process, the server can determine the supervision object of the target object by querying the employee management system according to the working information of the target object.
In specific implementation, when it is determined that the target object has an anomaly according to the target matching result, it can be clearly determined that the existing behavior of the target object has violated the relevant employee's rule-keeping requirements, and that there has been a significant offending anomaly (e.g., preserving personal client information, intentionally operating without a system flow, participating in illegal funding, credit card cash register, lending account, excessive guarantee, abnormal lending or investment, hidden manager, improper interaction with a provider, etc.). At this time, the server may send an exception prompt of the target object to a terminal device held by the supervision object, and prompt the supervision object to verify and process the exception behavior of the target object in time. Meanwhile, the server can also pause the key authority of the target object so as to avoid the target object from continuing to perform abnormal behaviors and further damaging the data security of the mechanism or the platform. The above-mentioned key authority can be understood as an operation processing authority related to the sensitive data.
Based on the above embodiment, after identifying the abnormal object with abnormal behavior, the server may process the abnormal object in time, so as to avoid the data security of the related institution or platform related to the transaction from being damaged.
In some embodiments, when it is determined that the target object has no abnormality according to the target matching result, it can only be determined that the existing behavior of the target object in a first period of time has no abnormality, but it cannot be determined whether the target object has a potential abnormality risk. For example, the target object may not have an abnormal behavior implemented for one period of time, but may also be implemented for the next period of time in the future. Therefore, in order to more effectively and comprehensively protect the data security of the mechanism or the platform, after determining that the target object has no abnormality according to the target matching result, the association data of the target object and the association data of the relation object can be processed by using a preset abnormality risk recognition model, and the second detection recognition can be performed to further determine whether the target object has potential abnormality risk.
The preset abnormal risk recognition model is specifically obtained by training in advance, and can predict and output a neural network model aiming at an abnormal risk value of the target object based on the input association data of the target object and the association data of the relation object of the target object. Specifically, the preset abnormal risk identification model may include a model trained based on a support vector regression model.
In the implementation, the association data of the target object and the association data of the relation object can be combined according to a specified mode to obtain combined association data; and inputting the combined associated data into a preset abnormal risk identification model, and running the preset abnormal risk identification model. When the preset abnormal risk identification model specifically operates, a plurality of associated features with different dimensions can be extracted from the combined associated data, and then the associated features with different dimensions are subjected to multi-channel feature fusion to obtain the fused associated features; and further, according to the fused associated characteristics, the corresponding abnormal risk value can be calculated and output to serve as the target identification result.
Before implementation, referring to fig. 5, a preset abnormal risk identification model may be trained in the following manner:
s1: acquiring sample data; wherein the sample data at least comprises the association data of the sample object and the combination of the association data of the relation object of the sample object;
s2: labeling the sample data to obtain labeled sample data; constructing an initial model based on a support vector regression model;
S3: training the initial model by using the marked sample data to obtain a preset abnormal risk identification model meeting the requirements.
After the sample data is obtained, preprocessing such as data cleaning, data filtering and the like can be performed on the sample data so as to reduce data errors of the sample data and improve data precision.
When the sample data is specifically marked, a positive label can be added to the sample data mark corresponding to the abnormal sample object, and a negative label can be added to the sample data corresponding to the normal sample object, so that marked sample data is obtained.
In some embodiments, the determining whether the target object has an abnormal risk according to the target recognition result may include the following steps when in implementation:
s1: detecting whether a target identification result is larger than a preset risk threshold;
s2: and under the condition that the target identification result is larger than a preset risk threshold value, determining that the target object has abnormal risk.
Based on the above embodiment, whether the target object has an abnormal risk can be accurately determined by using the target recognition result obtained by the preset abnormal risk recognition model.
In some embodiments, after determining that the target object has an abnormal risk, the method may further include the following when implemented: combining the association data of the target object and the association data of the relation object with a preset relation with the target object to serve as a training sample of the current time period; the training samples in the current time period are used for training and updating a preset abnormal risk identification model after the current time period is ended, and the preset abnormal risk identification model applied to the next time period is obtained.
Based on the above embodiment, the preset abnormal risk recognition model can be continuously trained and updated by using the training sample in the current time period, so that the preset abnormal risk recognition model used in the next time period can be continuously improved and improved along with the change of the actual application situation, and therefore whether the target object has potential abnormal risk can be more accurately judged based on the preset abnormal risk recognition model.
In some embodiments, after adding the object identifier of the target object to the abnormal risk tracking list, referring to fig. 6, the method may further include the following when implemented:
s1: at intervals of a preset time period (for example, every day), inquiring a current abnormal risk tracking list, and determining a risk object to be subjected to abnormal risk tracking;
s2: acquiring association data updated currently by a risk object and association data updated currently by a relation object of the risk object;
s3: determining whether the risk object is abnormal or not according to a preset abnormality identification rule, association data of the current update of the risk object and association data of the current update of the relation object of the risk object;
S4: under the condition that the risk object is determined to be abnormal, processing the association data updated currently by the risk object and the association data updated currently by the relation object of the risk object by using a preset abnormal risk identification model, and determining whether the risk object is abnormal or not;
s5: adding a current risk detection result for the risk object in the abnormal risk tracking list under the condition that the risk object is determined to have no abnormal risk; the current risk detection result carries a time tag.
The preset time period is less than the first time period, for example, may be 1 day or 12 hours. The above-mentioned time tag may be used in particular to indicate the detection time.
Based on the above embodiment, the server may closely track the risk object in the abnormal risk tracking list at smaller time intervals for a preset time period, so as to more finely detect and determine whether the risk object is abnormal.
In some embodiments, in a case where it is determined that the risk object does not have an abnormal risk, the method may further include the following when implemented:
s1: inquiring and determining whether the accumulated safety duration of the risk object which is not present with abnormal risks continuously is larger than a preset safety duration threshold according to the risk detection result of the risk object in the abnormal risk tracking list;
S2: and under the condition that the accumulated safety time length of the risk object without abnormal risks continuously exists is larger than the preset safety time length threshold value, eliminating the risk object from the abnormal risk tracking list.
In the implementation, the accumulated safety duration of the risk object without abnormal risk is obtained through statistics by inquiring and according to the time tag of the risk detection result of the risk object recorded in the abnormal risk tracking list; comparing the accumulated safe duration with a preset safe duration threshold value; according to the comparison result, when the accumulated safety time length is determined to be greater than a preset safety time length threshold, the target object can be judged to have no abnormality, and meanwhile, no potential abnormal risk exists, so that the risk object can be removed from a risk tracking list, and the risk tracking of the object is not continued; in contrast, according to the comparison result, when the accumulated safety duration is less than or equal to the preset safety duration threshold, risk tracking can be continuously performed on the target object.
Based on the embodiment, the target object which does not have abnormality and potential abnormality risk can be timely determined and removed through continuous risk tracking, so that the data processing cost and the data processing consumption of the server side are effectively reduced.
In some embodiments, when it is determined that the target object has an abnormal risk, part of the key rights of the target object may be paused according to the attribute information of the target object. When the target object is detected to be removed from the risk tracking list, the server can restore part of key rights of the target object.
In some embodiments, after processing the association data currently updated by the risk object and the association data currently updated by the relationship object of the risk object by using the preset abnormal risk identification model, determining whether the risk object has an abnormal risk, the method may further include the following when implemented:
under the condition that the risk object is determined to have abnormal risk, adding a current risk detection result aiming at the risk object into the abnormal risk tracking list; the current risk detection result carries a time tag;
the method comprises the steps of,
inquiring and determining whether the accumulated risk duration of the current continuous abnormal risks of the risk object is greater than a preset risk duration threshold according to the risk detection result of the risk object in the abnormal risk tracking list;
and under the condition that the accumulated risk time length of the current continuous abnormal risks of the risk object is larger than the preset risk time length threshold value, determining that the abnormal risks exist in the risk object.
Based on the embodiment, the abnormal object can be accurately identified and determined from the risk objects through continuous risk tracking, so that the data security of related institutions or platforms can be better protected.
From the above, based on the method for determining an abnormal object provided in the embodiments of the present disclosure, the association data of the target object and the association data of the relationship object of the target object are obtained first; judging whether the target object is abnormal or not according to a preset abnormal recognition rule, the association data of the target object and the association data of the relation object; under the condition that the target object is determined to be abnormal, processing the association data of the target object and the association data of the relation object by utilizing a preset abnormal risk identification model to determine whether the target object is abnormal; and under the condition that the abnormal risk exists in the target object, adding the object identification of the target object into an abnormal risk tracking list so as to track the abnormal risk of the target object. Therefore, abnormal objects with abnormal behaviors in staff of the mechanism or platform related to the transaction can be accurately and efficiently detected and identified, detection errors are effectively reduced, omission is avoided, and data safety of the mechanism or platform related to the transaction is well protected.
The embodiment of the specification also provides a server, which comprises a processor and a memory for storing instructions executable by the processor, wherein the processor can execute the following steps according to the instructions when being implemented: obtaining an object identifier of a target object; according to the object identification of the target object, collecting the associated data of the target object and the associated data of the relation object with a preset relation with the target object through multiple channels; according to a preset abnormal recognition rule, carrying out data matching on the associated data of the target object and the associated data of the relation object to obtain a target matching result aiming at the target object; determining whether the target object is abnormal according to the target matching result; under the condition that the target object is determined to be not abnormal, processing the associated data of the target object and the associated data of the relation object by using a preset abnormal risk identification model to obtain a target identification result aiming at the target object; determining whether the target object has abnormal risk according to the target identification result; and under the condition that the abnormal risk exists in the target object, adding the object identification of the target object into an abnormal risk tracking list to track the abnormal risk of the target object.
In order to more accurately complete the above instructions, referring to fig. 7, another specific server is provided in this embodiment of the present disclosure, where the server includes a network communication port 701, a processor 702, and a memory 703, and the above structures are connected by an internal cable, so that each structure may perform specific data interaction.
The network communication port 701 may be specifically configured to obtain an object identifier of a target object; and collecting the associated data of the target object and the associated data of the relation object with a preset relation with the target object according to the object identification of the target object.
The processor 702 may be specifically configured to perform data matching on the association data of the target object and the association data of the relationship object according to a preset anomaly identification rule, so as to obtain a target matching result for the target object; determining whether the target object is abnormal according to the target matching result; under the condition that the target object is determined to be not abnormal, processing the associated data of the target object and the associated data of the relation object by using a preset abnormal risk identification model to obtain a target identification result aiming at the target object; determining whether the target object has abnormal risk according to the target identification result; and under the condition that the abnormal risk exists in the target object, adding the object identification of the target object into an abnormal risk tracking list to track the abnormal risk of the target object.
The memory 703 may be used for storing a corresponding program of instructions.
In this embodiment, the network communication port 701 may be a virtual port that binds with different communication protocols, so that different data may be sent or received. For example, the network communication port may be a port responsible for performing web data communication, a port responsible for performing FTP data communication, or a port responsible for performing mail data communication. The network communication port may also be an entity's communication interface or a communication chip. For example, it may be a wireless mobile network communication chip, such as GSM, CDMA, etc.; it may also be a Wifi chip; it may also be a bluetooth chip.
In this embodiment, the processor 702 may be implemented in any suitable manner. For example, the processor may take the form of, for example, a microprocessor or processor, and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a programmable logic controller, and an embedded microcontroller, among others. The description is not intended to be limiting.
In this embodiment, the memory 703 may include a plurality of layers, and in a digital system, the memory may be any memory as long as it can hold binary data; in an integrated circuit, a circuit with a memory function without a physical form is also called a memory, such as a RAM, a FIFO, etc.; in the system, the storage device in physical form is also called a memory, such as a memory bank, a TF card, and the like.
The present specification embodiment also provides a computer-readable storage medium storing computer program instructions that when executed implement a method for determining an abnormal object as described above: obtaining an object identifier of a target object; according to the object identification of the target object, collecting the associated data of the target object and the associated data of the relation object with a preset relation with the target object through multiple channels; according to a preset abnormal recognition rule, carrying out data matching on the associated data of the target object and the associated data of the relation object to obtain a target matching result aiming at the target object; determining whether the target object is abnormal according to the target matching result; under the condition that the target object is determined to be not abnormal, processing the associated data of the target object and the associated data of the relation object by using a preset abnormal risk identification model to obtain a target identification result aiming at the target object; determining whether the target object has abnormal risk according to the target identification result; and under the condition that the abnormal risk exists in the target object, adding the object identification of the target object into an abnormal risk tracking list to track the abnormal risk of the target object.
In the present embodiment, the storage medium includes, but is not limited to, a random access Memory (Random Access Memory, RAM), a Read-Only Memory (ROM), a Cache (Cache), a Hard Disk (HDD), or a Memory Card (Memory Card). The memory may be used to store computer program instructions. The network communication unit may be an interface for performing network connection communication, which is set in accordance with a standard prescribed by a communication protocol.
In this embodiment, the functions and effects of the program instructions stored in the computer readable storage medium may be explained in comparison with other embodiments, and are not described herein.
The present specification also provides a computer program product comprising a computer program which, when executed by a processor, performs the steps of: obtaining an object identifier of a target object; according to the object identification of the target object, collecting the associated data of the target object and the associated data of the relation object with a preset relation with the target object through multiple channels; according to a preset abnormal recognition rule, carrying out data matching on the associated data of the target object and the associated data of the relation object to obtain a target matching result aiming at the target object; determining whether the target object is abnormal according to the target matching result; under the condition that the target object is determined to be not abnormal, processing the associated data of the target object and the associated data of the relation object by using a preset abnormal risk identification model to obtain a target identification result aiming at the target object; determining whether the target object has abnormal risk according to the target identification result; and under the condition that the abnormal risk exists in the target object, adding the object identification of the target object into an abnormal risk tracking list to track the abnormal risk of the target object.
Referring to fig. 8, on a software level, the embodiment of the present disclosure further provides an apparatus for determining an abnormal object, where the apparatus may specifically include the following structural modules:
the acquiring module 801 may be specifically configured to acquire an object identifier of a target object; according to the object identification of the target object, collecting the associated data of the target object and the associated data of the relation object with a preset relation with the target object through multiple channels;
the matching module 802 may be specifically configured to perform data matching on the association data of the target object and the association data of the relationship object according to a preset anomaly identification rule, so as to obtain a target matching result for the target object;
the first determining module 803 may be specifically configured to determine whether the target object has an anomaly according to the target matching result;
the first processing module 804 may be specifically configured to process, when it is determined that the target object has no abnormality, association data of the target object and association data of the relationship object by using a preset abnormality risk recognition model, to obtain a target recognition result for the target object;
the second determining module 805 may be specifically configured to determine, according to the target recognition result, whether the target object has an abnormal risk;
The second processing module 806 may be specifically configured to add, in a case where it is determined that the target object has an abnormal risk, an object identifier of the target object to the abnormal risk tracking list, so as to perform abnormal risk tracking on the target object.
In some embodiments, when the obtaining module 801 is specifically implemented, the associated data of the target object may be collected through multiple channels according to the object identifier of the target object in the following manner: inquiring an information database of the target object according to the object identification of the target object to determine the equipment identification of the terminal equipment of the target object, the employee number of the target object and the attribute information of the target object; inquiring an employee management system according to the employee number of the target object, and acquiring working behavior data in a first time period of the target object as the associated data; and/or inquiring the login record of the terminal equipment according to the equipment identifier of the terminal equipment of the target object so as to determine the account identifier of the virtual account of the target object; according to the virtual account identification, searching operation records of the key websites and/or the key media, and obtaining online behavior data of the target object in a first time period as the associated data; and/or generating a questionnaire for the target object according to the attribute information of the target object; and transmitting the questionnaire to a target object to acquire response data of the target object for the questionnaire as the association data.
In some embodiments, when the obtaining module 801 is specifically implemented, the relationship object following the preset relationship with the target object may be determined as follows: inquiring an information database of the target object according to the object identification of the target object to determine attribute information of the target object; inquiring the staff management system according to the attribute information of the target object to determine a relation object with a working relation with the target object; and/or determining terminal equipment used by the target object according to the object identification of the target object; inquiring the interaction record of the terminal equipment to determine a relation object with an interaction relation with the target object in a first time period; and/or according to the object identification of the target object, inquiring an information database of the target object to determine a relation object which has a relative relation with the target object.
In some embodiments, the apparatus, when embodied, may also be configured to generate an acquisition request for associated data of the target object prior to the multi-channel acquisition of the associated data of the target object; the acquisition request is sent to terminal equipment of the target object; the terminal equipment displays the acquisition request to a target object; detecting whether acknowledgement information of the terminal equipment for the acquisition request is received in a second time period or not; wherein, the confirmation information at least carries the identity signature of the target object; verifying the identity signature of the target object under the condition that confirmation information of the terminal equipment for the acquisition request is received in a second time period; and under the condition that the identity signature verification of the target object is confirmed to pass, the associated data of the target object are collected through multiple channels.
In some embodiments, when the matching module 802 is specifically implemented, data matching may be performed on the association data of the target object and the association data of the relationship object according to a preset anomaly identification rule in the following manner, so as to obtain a target matching result for the target object: determining abnormal matching degree of each associated data according to a preset abnormal recognition rule, associated data of a target object and associated data of a relation object; the preset abnormality identification rule comprises reference values of a plurality of key associated data; and obtaining a matching result aiming at the target object through weighting operation according to the abnormal matching degree of each associated data.
In some embodiments, after determining whether the target object has an abnormality according to the target matching result, the apparatus may be further configured to generate an abnormality prompt regarding the target object when determining that the target object has an abnormality according to the target matching result; determining a supervision object of the target object; sending an abnormal prompt about a target object to terminal equipment held by the supervision object; and pausing the critical rights of the target object.
In some embodiments, when the second determining module 805 is specifically implemented, it may determine whether the target object has an abnormal risk according to the target recognition result in the following manner: detecting whether a target identification result is larger than a preset risk threshold; and under the condition that the target identification result is larger than a preset risk threshold value, determining that the target object has abnormal risk.
In some embodiments, after determining that the target object has an abnormal risk, the apparatus may be further configured to combine, when implemented, association data of the target object and association data of a relationship object having a preset relationship with the target object as a training sample of the current time period; the training samples in the current time period are used for training and updating a preset abnormal risk identification model after the current time period is ended, and the preset abnormal risk identification model applied to the next time period is obtained.
In some embodiments, after adding the object identifier of the target object to the abnormal risk tracking list, the apparatus may be further configured to query the current abnormal risk tracking list at a preset time interval when the apparatus is specifically implemented, and determine a risk object to be subjected to abnormal risk tracking currently; acquiring association data updated currently by a risk object and association data updated currently by a relation object of the risk object; determining whether the risk object is abnormal or not according to a preset abnormality identification rule, association data of the current update of the risk object and association data of the current update of the relation object of the risk object; under the condition that the risk object is determined to be abnormal, processing the association data updated currently by the risk object and the association data updated currently by the relation object of the risk object by using a preset abnormal risk identification model, and determining whether the risk object is abnormal or not; adding a current risk detection result for the risk object in the abnormal risk tracking list under the condition that the risk object is determined to have no abnormal risk; the current risk detection result carries a time tag.
In some embodiments, when determining that the risk object does not have an abnormal risk, the apparatus may be further configured to query and determine, according to a risk detection result of the risk object in the abnormal risk tracking list, whether an accumulated safety duration of the risk object that does not currently continuously have an abnormal risk is greater than a preset safety duration threshold; and under the condition that the accumulated safety time length of the risk object without abnormal risks continuously exists is larger than the preset safety time length threshold value, eliminating the risk object from the abnormal risk tracking list.
In some embodiments, after processing the association data currently updated by the risk object and the association data currently updated by the relation object of the risk object by using the preset abnormal risk identification model, and determining whether the risk object has an abnormal risk, the apparatus may be further configured to, when specifically implemented, add a current risk detection result for the risk object in the abnormal risk tracking list if it is determined that the risk object has an abnormal risk; the current risk detection result carries a time tag; inquiring and determining whether the accumulated risk duration of the current continuous abnormal risks of the risk object is greater than a preset risk duration threshold according to the risk detection result of the risk object in the abnormal risk tracking list; and under the condition that the accumulated risk time length of the current continuous abnormal risks of the risk object is larger than the preset risk time length threshold value, determining that the abnormal risks exist in the risk object.
It should be noted that, the units, devices, or modules described in the above embodiments may be implemented by a computer chip or entity, or may be implemented by a product having a certain function. For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, when the present description is implemented, the functions of each module may be implemented in the same piece or pieces of software and/or hardware, or a module that implements the same function may be implemented by a plurality of sub-modules or a combination of sub-units, or the like. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
From the above, based on the determination device for abnormal objects provided in the embodiments of the present disclosure, the abnormal objects can be detected and identified more accurately and efficiently, so as to effectively reduce detection errors and protect the data security of the mechanism or platform related to the transaction.
Although the present description provides method operational steps as described in the examples or flowcharts, more or fewer operational steps may be included based on conventional or non-inventive means. The order of steps recited in the embodiments is merely one way of performing the order of steps and does not represent a unique order of execution. When implemented by an apparatus or client product in practice, the methods illustrated in the embodiments or figures may be performed sequentially or in parallel (e.g., in a parallel processor or multi-threaded processing environment, or even in a distributed data processing environment). The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, it is not excluded that additional identical or equivalent elements may be present in a process, method, article, or apparatus that comprises a described element. The terms first, second, etc. are used to denote a name, but not any particular order.
Those skilled in the art will also appreciate that, in addition to implementing the controller in a pure computer readable program code, it is well possible to implement the same functionality by logically programming the method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller can be regarded as a hardware component, and means for implementing various functions included therein can also be regarded as a structure within the hardware component. Or even means for achieving the various functions may be regarded as either software modules implementing the methods or structures within hardware components.
The description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, classes, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer-readable storage media including memory storage devices.
From the above description of embodiments, it will be apparent to those skilled in the art that the present description may be implemented in software plus a necessary general hardware platform. Based on such understanding, the technical solutions of the present specification may be embodied essentially in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and include several instructions to cause a computer device (which may be a personal computer, a mobile terminal, a server, or a network device, etc.) to perform the methods described in the various embodiments or portions of the embodiments of the present specification.
Various embodiments in this specification are described in a progressive manner, and identical or similar parts are all provided for each embodiment, each embodiment focusing on differences from other embodiments. The specification is operational with numerous general purpose or special purpose computer system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable electronic devices, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
Although the present specification has been described by way of example, it will be appreciated by those skilled in the art that there are many variations and modifications to the specification without departing from the spirit of the specification, and it is intended that the appended claims encompass such variations and modifications as do not depart from the spirit of the specification.
Claims (15)
1. A method for determining an abnormal object, the method being applied to a server, the method comprising:
obtaining an object identifier of a target object; according to the object identification of the target object, collecting the associated data of the target object and the associated data of the relation object with a preset relation with the target object through multiple channels;
according to a preset abnormal recognition rule, carrying out data matching on the associated data of the target object and the associated data of the relation object to obtain a target matching result aiming at the target object;
determining whether the target object is abnormal according to the target matching result;
under the condition that the target object is determined to be not abnormal, processing the associated data of the target object and the associated data of the relation object by using a preset abnormal risk identification model to obtain a target identification result aiming at the target object;
determining whether the target object has abnormal risk according to the target identification result;
And under the condition that the abnormal risk exists in the target object, adding the object identification of the target object into an abnormal risk tracking list to track the abnormal risk of the target object.
2. The method of claim 1, wherein the multi-channel collection of the associated data of the target object based on the object identification of the target object comprises:
inquiring an information database of the target object according to the object identification of the target object to determine the equipment identification of the terminal equipment of the target object, the employee number of the target object and the attribute information of the target object;
inquiring an employee management system according to the employee number of the target object, and acquiring working behavior data in a first time period of the target object as the associated data;
and/or the number of the groups of groups,
inquiring a login record of the terminal equipment according to the equipment identification of the terminal equipment of the target object so as to determine the account identification of the virtual account of the target object; according to the virtual account identification, searching operation records of the key websites and/or the key media, and obtaining online behavior data of the target object in a first time period as the associated data;
and/or the number of the groups of groups,
generating a questionnaire aiming at the target object according to the attribute information of the target object; and transmitting the questionnaire to a target object to acquire response data of the target object for the questionnaire as the association data.
3. The method according to claim 1, wherein the relationship object having a preset relationship with the target object is determined in the following manner:
inquiring an information database of the target object according to the object identification of the target object to determine attribute information of the target object; inquiring the staff management system according to the attribute information of the target object to determine a relation object with a working relation with the target object;
and/or the number of the groups of groups,
determining terminal equipment used by the target object according to the object identification of the target object; inquiring the interaction record of the terminal equipment to determine a relation object with an interaction relation with the target object in a first time period;
and/or the number of the groups of groups,
and according to the object identification of the target object, inquiring an information database of the target object to determine a relation object which has a relative relation with the target object.
4. The method of claim 1, wherein prior to the multi-channel acquisition of the associated data of the target object, the method further comprises:
generating an acquisition request of associated data about a target object; the acquisition request is sent to terminal equipment of the target object; the terminal equipment displays the acquisition request to a target object;
Detecting whether acknowledgement information of the terminal equipment for the acquisition request is received in a second time period or not; wherein, the confirmation information at least carries the identity signature of the target object;
verifying the identity signature of the target object under the condition that confirmation information of the terminal equipment for the acquisition request is received in a second time period;
and under the condition that the identity signature verification of the target object is confirmed to pass, the associated data of the target object are collected through multiple channels.
5. The method of claim 1, wherein performing data matching on the association data of the target object and the association data of the relationship object according to a preset anomaly identification rule to obtain a target matching result for the target object comprises:
determining abnormal matching degree of each associated data according to a preset abnormal recognition rule, associated data of a target object and associated data of a relation object; the preset abnormality identification rule comprises reference values of a plurality of key associated data;
and obtaining a matching result aiming at the target object through weighting operation according to the abnormal matching degree of each associated data.
6. The method of claim 1, wherein after determining whether the target object has an anomaly based on the target match result, the method further comprises:
Generating an abnormality prompt about the target object under the condition that the target object is determined to have abnormality according to the target matching result;
determining a supervision object of the target object;
sending an abnormal prompt about a target object to terminal equipment held by the supervision object; and pausing the critical rights of the target object.
7. The method of claim 1, wherein determining whether the target object is at risk of abnormality based on the target recognition result comprises:
detecting whether a target identification result is larger than a preset risk threshold;
and under the condition that the target identification result is larger than a preset risk threshold value, determining that the target object has abnormal risk.
8. The method of claim 7, wherein after determining that the target object is at risk of abnormality, the method further comprises:
combining the association data of the target object and the association data of the relation object with a preset relation with the target object to serve as a training sample of the current time period; the training samples in the current time period are used for training and updating a preset abnormal risk identification model after the current time period is ended, and the preset abnormal risk identification model applied to the next time period is obtained.
9. The method of claim 1, wherein after adding the object identification of the target object to the abnormal risk tracking manifest, the method further comprises:
inquiring a current abnormal risk tracking list at intervals of a preset time period, and determining a risk object to be subjected to abnormal risk tracking;
acquiring association data updated currently by a risk object and association data updated currently by a relation object of the risk object;
determining whether the risk object is abnormal or not according to a preset abnormality identification rule, association data of the current update of the risk object and association data of the current update of the relation object of the risk object;
under the condition that the risk object is determined to be abnormal, processing the association data updated currently by the risk object and the association data updated currently by the relation object of the risk object by using a preset abnormal risk identification model, and determining whether the risk object is abnormal or not;
adding a current risk detection result for the risk object in the abnormal risk tracking list under the condition that the risk object is determined to have no abnormal risk; the current risk detection result carries a time tag.
10. The method of claim 9, wherein in the event that it is determined that the risk subject is not at abnormal risk, the method further comprises:
inquiring and determining whether the accumulated safety duration of the risk object which is not present with abnormal risks continuously is larger than a preset safety duration threshold according to the risk detection result of the risk object in the abnormal risk tracking list;
and under the condition that the accumulated safety time length of the risk object without abnormal risks continuously exists is larger than the preset safety time length threshold value, eliminating the risk object from the abnormal risk tracking list.
11. The method of claim 9, wherein after processing the associated data of the current update of the risk object and the associated data of the current update of the relationship object of the risk object using the preset abnormal risk identification model, determining whether the risk object has an abnormal risk, the method further comprises:
under the condition that the risk object is determined to have abnormal risk, adding a current risk detection result aiming at the risk object into the abnormal risk tracking list;
the method comprises the steps of,
inquiring and determining whether the accumulated risk duration of the current continuous abnormal risks of the risk object is greater than a preset risk duration threshold according to the risk detection result of the risk object in the abnormal risk tracking list;
And under the condition that the accumulated risk time length of the current continuous abnormal risks of the risk object is larger than the preset risk time length threshold value, determining that the abnormal risks exist in the risk object.
12. An abnormal object determining apparatus, applied to a server, comprising:
the acquisition module is used for acquiring the object identification of the target object; according to the object identification of the target object, collecting the associated data of the target object and the associated data of the relation object with a preset relation with the target object through multiple channels;
the matching module is used for carrying out data matching on the associated data of the target object and the associated data of the relation object according to a preset abnormal recognition rule to obtain a target matching result aiming at the target object;
the first determining module is used for determining whether the target object is abnormal or not according to the target matching result;
the first processing module is used for processing the associated data of the target object and the associated data of the relation object by utilizing a preset abnormal risk identification model under the condition that the target object is determined to have no abnormality, so as to obtain a target identification result aiming at the target object;
the second determining module is used for determining whether the target object has abnormal risk according to the target identification result;
And the second processing module is used for adding the object identification of the target object into the abnormal risk tracking list under the condition that the abnormal risk exists in the target object, so as to track the abnormal risk of the target object.
13. A server comprising a processor and a memory for storing processor-executable instructions, which when executed by the processor implement the steps of the method of any one of claims 1 to 11.
14. A computer readable storage medium, having stored thereon computer instructions which, when executed by a processor, implement the steps of the method of any of claims 1 to 11.
15. A computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any one of claims 1 to 11.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310239928.4A CN116342276A (en) | 2023-03-06 | 2023-03-06 | Method, device and server for determining abnormal object |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310239928.4A CN116342276A (en) | 2023-03-06 | 2023-03-06 | Method, device and server for determining abnormal object |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116342276A true CN116342276A (en) | 2023-06-27 |
Family
ID=86876781
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310239928.4A Pending CN116342276A (en) | 2023-03-06 | 2023-03-06 | Method, device and server for determining abnormal object |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116342276A (en) |
-
2023
- 2023-03-06 CN CN202310239928.4A patent/CN116342276A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11783028B2 (en) | Systems and methods for detecting resources responsible for events | |
US20210073819A1 (en) | Systems for detecting application, database, and system anomalies | |
CN110442712B (en) | Risk determination method, risk determination device, server and text examination system | |
KR20180013998A (en) | Account theft risk identification method, identification device, prevention and control system | |
CN113542279B (en) | Network security risk assessment method, system and device | |
US20150032624A1 (en) | Fraud detection engine and method of using the same | |
CN107798541B (en) | Monitoring method and system for online service | |
CN106156151A (en) | The Risk Identification Method of internetwork operation event and device | |
CN112819611A (en) | Fraud identification method, device, electronic equipment and computer-readable storage medium | |
CN109242658B (en) | Suspicious transaction report generation method, suspicious transaction report generation system, suspicious transaction report generation computer device and suspicious transaction report storage medium | |
CN111126844A (en) | Evaluation method, device, equipment and storage medium for mass-related risk enterprises | |
CN112330355A (en) | Consumption ticket transaction data processing method, device, equipment and storage medium | |
CN114841705B (en) | Anti-fraud monitoring method based on scene recognition | |
EP4060539A1 (en) | Real-time malicious activity detection using non-transaction data | |
CN117610045B (en) | Application password monitoring management cloud platform based on commercial password protection | |
Boehmer | Analyzing human behavior using case-based reasoning with the help of forensic questions | |
US20210035235A1 (en) | System and method for detecting fraud among tax experts | |
CN115760390A (en) | Service data processing method and device and network point terminal equipment | |
US20090234827A1 (en) | Citizenship fraud targeting system | |
CN115409424A (en) | Risk determination method and device based on platform service scene | |
CN116342276A (en) | Method, device and server for determining abnormal object | |
CN111447082B (en) | Determination method and device of associated account and determination method of associated data object | |
Kubigenova et al. | Prospects for Information Security in Big Data Technology | |
CN118536164B (en) | Data blood-edge tracking method, system and device for privacy security protection | |
CN115907802A (en) | Security assessment method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |