CN116579776A - Risk transaction identification method, apparatus, device, storage medium and program product - Google Patents

Publication number
CN116579776A
Authority
CN
China
Prior art keywords
function
transaction
risk
heuristic
call
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310537551.0A
Other languages
Chinese (zh)
Inventor
龚展鸿
谢波
王竟成
程春生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202310537551.0A
Publication of CN116579776A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4016 Transaction verification involving fraud or risk level assessment in transaction processing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/04 Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange

Abstract

The disclosure provides a risk transaction identification method, relates to the technical field of information security, and can be applied to the technical field of finance. The method comprises the following steps: intercepting a transaction request by using a program probe to acquire function call information; inputting the function call information into a progressive multi-heuristic prediction model to perform transaction risk identification analysis; outputting a risk degree predicted value of the transaction request; and processing the transaction request according to the risk degree predicted value. The present disclosure also provides a risk transaction identification device, apparatus, storage medium, and program product.

Description

Risk transaction identification method, apparatus, device, storage medium and program product
Technical Field
The present disclosure relates to the field of information security technology, and in particular, to the field of transaction identification technology, and more particularly, to a risk transaction identification method, apparatus, device, storage medium, and program product.
Background
In existing security risk identification, network data is intercepted on a network link and traffic analysis is performed on the client's external traffic characteristics, such as the caller's network IP (Internet Protocol) address, MAC (media access control) address and request sequence code.
However, this mode of identification cannot go down to the program call level. It cannot perceive how subtle differences in the transaction request data affect the call link branches that are actually triggered, and therefore cannot obtain transaction anomaly information from abnormal program call branches.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a risk transaction recognition method, apparatus, device, storage medium, and program product that improve the accuracy of risk transaction recognition.
According to a first aspect of the present disclosure, there is provided a risk transaction identification method, the method comprising:
intercepting a transaction request by using a program probe to acquire function call information;
inputting the function call information into a progressive multi-heuristic prediction model to perform transaction risk identification analysis;
outputting a risk degree predicted value of the transaction request; and
processing the transaction request according to the risk degree predicted value.
According to an embodiment of the disclosure, the inputting the function call information into a progressive multi-heuristic prediction model for transaction risk identification analysis includes:
performing progressive heuristic prediction on the current function call to generate a predicted call link set; and
calculating the transaction reliability according to the predicted call link set to obtain a risk degree predicted value.
According to an embodiment of the present disclosure, the progressive multi-heuristic prediction model includes function history call link information, and the performing progressive heuristic prediction on the current function call to generate a predicted call link set includes:
determining a heuristic function result set according to the function call information and the function history call link information;
determining a sub-call function node set according to the heuristic function result set; and
performing iterative heuristic calculation on the sub-call function node set based on a progressive decision control strategy to form a predicted call link set.
According to an embodiment of the disclosure, the progressive multi-heuristic prediction model further includes historical parameter features of function call information, and determining a heuristic function result set according to the function call information and the function historical call link information includes:
determining the transition probability of the next sub-call function node according to the function history call link information;
calculating, according to the function call information, the similarity between the current function node parameters and the historical parameter features of the function call information; and
determining the confidence level of the next sub-call function node according to the transition probability and the similarity.
According to an embodiment of the disclosure, the determining the set of sub-call function nodes according to the set of heuristic function results includes:
generating the sub-call function node set from the next sub-call function nodes in the heuristic function result set whose confidence level is smaller than a preset threshold value.
According to an embodiment of the disclosure, the performing iterative heuristic calculation on the sub-call function node set based on the progressive decision control policy includes:
before iterative heuristic calculation is carried out on the sub-calling function node set, progressive decision control is carried out according to the confidence level of the current function node and a preset security level control condition;
and when the confidence level of the current function node meets the preset security level control condition, ending iterative heuristic calculation.
A second aspect of the present disclosure provides a risk transaction identification device, the device comprising:
a transaction interception module, used for intercepting a transaction request by using the program probe so as to acquire function call information;
a transaction risk analysis module, used for inputting the function call information into a progressive multi-heuristic prediction model to perform transaction risk identification analysis;
an output module, used for outputting the risk degree predicted value of the transaction request; and
a risk transaction processing module, used for processing the transaction request according to the risk degree predicted value.
According to an embodiment of the present disclosure, the transaction risk analysis module includes a call link prediction submodule and a risk degree prediction value calculation submodule.
The call link prediction submodule is used for performing progressive heuristic prediction on the current function call so as to generate a predicted call link set; and
the risk degree prediction value calculation submodule is used for calculating the transaction reliability according to the predicted call link set to obtain a risk degree predicted value.
According to an embodiment of the present disclosure, the call link prediction submodule includes a first determining unit, a second determining unit and an iterative calculation unit.
The first determining unit is used for determining a heuristic function result set according to the function call information and the function history call link information;
the second determining unit is used for determining a sub-call function node set according to the heuristic function result set; and
the iterative calculation unit is used for performing iterative heuristic calculation on the sub-call function node set based on the progressive decision control strategy so as to form a predicted call link set.
According to an embodiment of the present disclosure, the first determination unit includes a first determination subunit, a calculation subunit, and a second determination subunit.
The first determining subunit is used for determining the transition probability of the next sub-call function node according to the function history call link information;
the calculating subunit is used for calculating, according to the function call information, the similarity between the current function node parameters and the historical parameter features of the function call information; and
the second determining subunit is used for determining the confidence level of the next sub-call function node according to the transition probability and the similarity.
According to an embodiment of the present disclosure, the second determining unit includes a generating subunit.
The generating subunit is used for generating the sub-call function node set from the next sub-call function nodes in the heuristic function result set whose confidence level is smaller than a preset threshold value.
According to an embodiment of the present disclosure, the iterative calculation unit comprises a progressive decision control subunit.
The progressive decision control subunit is used for performing progressive decision control according to the confidence level of the current function node and a preset security level control condition before iterative heuristic calculation is performed on the sub-call function node set, and for ending the iterative heuristic calculation when the confidence level of the current function node meets the preset security level control condition.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the business date changing method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described risk transaction identification method.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the risk transaction identification method described above.
According to the risk transaction identification method provided by the embodiments of the disclosure, when a transaction request is received, a program probe is used to acquire function call information, and the function call information is input into a progressive multi-heuristic prediction model for transaction risk identification analysis. Using the multi-heuristic prediction model, the call link of the current transaction request can be predicted from existing transaction sample data, and the effect of subtle differences in the transaction request data on the call link branches can be perceived. A risk degree predicted value of the current transaction request is then output, and the transaction request is processed according to the risk degree predicted value.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates a system architecture diagram of a risk transaction identification device in accordance with an embodiment of the present disclosure;
FIG. 2 schematically illustrates an application scenario diagram of a risk transaction identification method, apparatus, device, storage medium and program product according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of a risk transaction identification method provided in accordance with an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of a risk transaction identification method provided in accordance with another embodiment of the present disclosure;
FIG. 5a schematically illustrates a first exemplary diagram of a predictive call link set generation method provided in accordance with an embodiment of the present disclosure;
FIG. 5b schematically illustrates a second exemplary diagram of a predictive call link set generation method provided in accordance with an embodiment of the disclosure;
FIG. 5c schematically illustrates a third exemplary diagram of a predictive call link set generation method provided in accordance with an embodiment of the disclosure;
FIG. 6 schematically illustrates a block diagram of a risk transaction identification device in accordance with an embodiment of the present disclosure; and
Fig. 7 schematically illustrates a block diagram of an electronic device adapted to implement a risk transaction identification method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, the expressions should generally be interpreted in accordance with the meaning as commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
The terms appearing in the embodiments of the present disclosure will be explained first:
Transaction processing program: in a computer transaction system, a computer program that implements specific transaction business logic.
Program probe: a tool program that, by means of injection, flexibly obtains information from a running program process and adds custom code logic at key nodes, without intruding on the business code.
Program call chain: the chain formed by the function nodes connected during program execution; it represents the execution process and the characteristics of a program call.
Progressive decision process: the theory that a decision-maker modifies the existing policy in a progressive manner and gradually achieves the decision goal.
Heuristic algorithm: a method constructed from intuition or experience that gives a near-optimal solution to the problem to be solved at an acceptable computational cost.
Heuristic prediction: searching the predicted branches with a heuristic algorithm and obtaining, for given conditions, targets and confidence intervals, a set of possible branch paths as the result of the prediction.
Existing security risk identification intercepts network data on a network link and performs traffic analysis on the client's external traffic characteristics, such as the caller's network IP (Internet Protocol) address, MAC (media access control) address and request sequence code. However, because interception and analysis take place on the network link, the analysis cannot go down to the program call level: it cannot perceive how subtle differences in the transaction request data affect the call link branches that are actually triggered, and so cannot obtain transaction anomaly information from abnormal program call branches. In addition, the security rules are relatively fixed and cannot learn and adapt to the overall transaction behaviour of the application; each transaction application needs its own specific set of rules, so good results cannot be achieved across different types of transaction application.
Based on the above technical problems, embodiments of the present disclosure provide a risk transaction identification method, which includes: intercepting a transaction request by using a program probe to acquire function call information; inputting the function call information into a progressive multi-heuristic prediction model to perform transaction risk identification analysis; outputting a risk degree predicted value of the transaction request; and processing the transaction request according to the risk degree predicted value.
Fig. 1 schematically illustrates a system architecture diagram of a risk transaction identification device according to an embodiment of the present disclosure. As shown in fig. 1, the risk transaction identification apparatus 100 includes a transaction enhancing module 121, a data acquisition module 131, a progressive decision module 141, and a multi-heuristic prediction module 151.
The transaction enhancing module 121 is configured to interface with a transaction processing program and serves as the entry point of the overall risk transaction identification device. The transaction enhancing module 121 includes a transaction probe unit 122, an evaluation summary unit 123, and a transaction handling unit 124. The transaction probe unit 122 is used for detecting and collecting, through a program probe attached to the transaction processing program, program call information including the key node functions of the program call, the function call information and the like. The evaluation summary unit 123 is configured to submit the transaction portal call and the call parameters to the progressive decision module 141 for transaction risk identification analysis. The transaction handling unit 124 is used for handling the transaction according to the transaction risk identification result: a safe transaction is allowed to proceed, and a risk transaction is rejected and an alarm is raised.
The data acquisition and storage module 131 is used for performing data analysis and statistics on the transaction call sample information and for completing preprocessing such as data normalization, rejection of invalid data and serialization of call parameters. The module includes a call link analysis unit 132, a data statistics processing unit 133 and a link data storage unit 134. The call link analysis unit 132 is configured to receive the call link information collected by the transaction probe unit 122 and to parse out the call link and the parameter values corresponding to the function nodes on the link. It also summarizes the program's core bottom-layer calls according to the end nodes of the call branches. The data statistics processing unit 133 is configured to compute, from the links parsed out by the call link analysis unit 132, the transition probability of the call branches between the function nodes on the link, to compute the occurrence probability of the parameters on the different function nodes, and to normalize this information so that the values share a common scale. The link data storage unit 134 is configured to store the numerical results obtained by the call link analysis unit 132 and the data statistics processing unit 133, for use by the subsequent multi-heuristic prediction module 151.
The progressive decision module 141 is configured to control the progressive-decision transaction risk evaluation process: it evaluates the multi-heuristic prediction result of each progressive iteration and controls whether the sub-prediction process needs to be invoked again, until a given security level control condition is satisfied. The module comprises a decision target recognition unit 142, a progressive control unit 143 and a decision voting unit 144.
The decision target recognition unit 142 is configured to identify the transaction evaluation task initiated by the evaluation summary unit 123, including the overall security control level that has been set, and to set the completion condition of the decision according to the security level. The progressive control unit 143 uses a progressive policy to perform risk identification on the transaction. In progressive control, the function nodes on the transaction's core call link are used as process nodes, and the core call functions are judged progressively along the call chain. If the risk prediction for the current function node meets the confidence level judged by the decision voting unit 144, the progressive decision process ends; otherwise, the transaction probe acquires the next sub-call of the program call as the next decision point of the progressive process, and the safety of that call is identified. The decision voting unit 144 makes a conditional judgment on each progressive decision result completed by the progressive control unit 143, decides whether the risk identification requirement is satisfied, completes the identification of the transaction, and returns the result to the evaluation summary unit 123.
The multi-heuristic prediction module 151 is configured to perform risk assessment on a transaction, perform link call prediction by using a heuristic search algorithm with a plurality of heuristic functions, and perform transaction reliability calculation by using a call link set predicted by a given confidence level parameter, thereby obtaining a transaction risk assessment. The multi-heuristic prediction module 151 includes a data loading unit 152, a heuristic function calculation unit 153, a confidence tuning unit 154, a multi-heuristic iteration unit 155, and a prediction orchestration unit 156.
The data loading unit 152 is configured to obtain call function related data from the link data storage unit 134 as needed by the other units of the module. The heuristic function calculation unit 153 is configured to calculate heuristic function results from the data collected by the data loading unit 152 and the upstream and downstream call relationships of the function node, and to store them in the heuristic function result set. The calculation uses two heuristic functions: one calculates the transition probability of each possible next sub-call of the current function node, and the other calculates the similarity between the parameters obtained by the current function node and the historical parameter features of the same program call in the link data storage unit 134. The confidence tuning unit 154 is configured to screen, from the heuristic function result set of the heuristic function calculation unit 153, the next sub-call function nodes that fall within the confidence interval, and to store them in the subsequent function call set. The multi-heuristic iteration unit 155 is configured to take the function call set that the confidence tuning unit 154 stored in the subsequent function call set, iterate the heuristic calculation process over it, and store the next sub-function of each function call found in the process, thereby forming predicted call links. The iteration ends when a function node is one of the designated core bottom-layer calls. The prediction orchestration unit 156 is configured to obtain the risk degree predicted value of the transaction from the link nodes in the predicted call link set generated by the multi-heuristic iteration unit 155 and from the occurrence probability distribution, in the sample data, of the final core call of each link.
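An added sketch of the prediction flow described above (not code from the patent): two heuristics give each next sub-call a confidence, links are expanded iteratively to a core end node, and a progressive loop stops once the prediction meets the security level. The function names, the sample history, the product used to combine the heuristics, the "keep at or above the threshold" screening, the fail-closed fallback and the risk formula are all assumptions, since the patent gives no formulas.

```python
from collections import Counter, defaultdict

# Constructed history of call links, as a probe might record them: each link is
# a list of (function, parameters) nodes. All names and values are hypothetical.
HISTORY = (
    [[("transfer", {"channel": "app"}), ("check_limit", {"tier": "low"}),
      ("debit", {"mode": "normal"}), ("db_write", {})]] * 90
    + [[("transfer", {"channel": "app"}), ("check_limit", {"tier": "high"}),
        ("manual_review", {"queue": "ops"}), ("db_write", {})]] * 9
    + [[("transfer", {"channel": "batch"}), ("check_limit", {"tier": "high"}),
        ("override_limit", {"mode": "admin"}), ("db_write_raw", {})]] * 1
)


class LinkModel:
    """Statistics over historical call links (the link data storage role)."""

    def __init__(self, links):
        self.trans = defaultdict(Counter)    # fn -> Counter of next sub-calls
        self.params = defaultdict(Counter)   # (fn, next) -> Counter of (key, value)
        self.ends = Counter()                # core end node -> number of links
        self.total = len(links)
        for link in links:
            for (fn, p), (nxt, _) in zip(link, link[1:]):
                self.trans[fn][nxt] += 1
                self.params[(fn, nxt)].update(p.items())
            self.ends[link[-1][0]] += 1

    def heuristics(self, fn, p):
        """Confidence of each possible next sub-call of fn, given observed params p."""
        seen = self.trans.get(fn, {})
        n = sum(seen.values())
        out = {}
        for nxt, count in seen.items():
            transition = count / n           # heuristic 1: transition probability
            # Heuristic 2: similarity of p to the parameters historically seen on
            # this branch (assumed: mean relative frequency of each value).
            hits = [self.params[(fn, nxt)][kv] / count for kv in p.items()]
            similarity = sum(hits) / len(hits) if hits else 1.0
            out[nxt] = transition * similarity   # assumed combination: product
        return out


def predict_links(model, fn, p, min_conf=0.05):
    """Expand sub-calls iteratively until a core end node; returns {link: confidence}."""
    done, frontier = {}, [((fn,), 1.0, p)]
    while frontier:
        path, conf, cur_p = frontier.pop()
        candidates = model.heuristics(path[-1], cur_p)
        if not candidates:                   # end node, or a never-seen function
            done[path] = conf
            continue
        for nxt, h in candidates.items():
            # Confidence screening; nodes already on the path are skipped so a
            # recursive call chain cannot loop forever.
            if conf * h >= min_conf and nxt not in path:
                # Parameters of calls that have not run yet are unknown.
                frontier.append((path + (nxt,), conf * h, {}))
    return done


def risk_value(model, links):
    """1 minus the confidence-weighted share of samples ending at the predicted core calls."""
    mass = sum(links.values())
    if mass == 0:
        return 1.0                           # no historical branch explains the call
    usual = sum(c * model.ends[path[-1]] / model.total for path, c in links.items())
    return 1.0 - usual / mass


def assess(model, observed, security_level=0.9):
    """Progressive control: take one observed call at a time, stop once confident."""
    risks = []
    for step, (fn, p) in enumerate(observed):
        links = predict_links(model, fn, p)
        risks.append(risk_value(model, links))
        if sum(links.values()) >= security_level:
            return risks[-1], step
    # Assumed fail-closed choice: never confident, so report the highest risk seen.
    return max(risks, default=1.0), len(observed) - 1


MODEL = LinkModel(HISTORY)
NORMAL = [("transfer", {"channel": "app"}), ("check_limit", {"tier": "low"})]
ODD = [("transfer", {"channel": "batch"}), ("check_limit", {"tier": "high"}),
       ("override_limit", {"mode": "admin"})]

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("odd", ODD)):
        risk, step = assess(MODEL, trace)
        print(f"{name}: risk={risk:.2f}, decided at observed call #{step}")
```

The normal trace is decided at the entry call, while the odd trace only becomes confidently high-risk at its third call, which is the call-branch sensitivity that analysis on the network link cannot provide.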
Fig. 2 schematically illustrates an application scenario diagram of a risk transaction identification method, apparatus, device, storage medium and program product according to an embodiment of the present disclosure.
As shown in fig. 2, the application scenario 200 according to this embodiment may include a risk transaction identification scenario. The network 204 is the medium used to provide communication links between the terminal devices 201, 202, 203 and the server 205. The network 204 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 205 via the network 204 using the terminal devices 201, 202, 203 to receive or send messages or the like. Various communication client applications, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only) may be installed on the terminal devices 201, 202, 203.
The terminal devices 201, 202, 203 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 205 may be a risk transaction identification server that executes the risk transaction identification method provided by the embodiments of the present disclosure: it obtains function call information in response to a transaction request, determines the predicted call link of the current transaction request according to a pre-trained progressive multi-heuristic prediction model, obtains a risk degree predicted value of the transaction request, and processes the transaction request according to the risk degree predicted value.
It should be noted that, the risk transaction identification method provided by the embodiments of the present disclosure may be generally executed by the server 205. Accordingly, the risk transaction identification device provided by the embodiments of the present disclosure may be generally disposed in the server 205. The risk transaction identification method provided by the embodiments of the present disclosure may also be performed by a server or a cluster of servers that are different from the server 205 and that are capable of communicating with the terminal devices 201, 202, 203 and/or the server 205. Accordingly, the risk transaction identifying apparatus provided by the embodiments of the present disclosure may also be provided in a server or a server cluster that is different from the server 205 and is capable of communicating with the terminal devices 201, 202, 203 and/or the server 205.
It should be understood that the number of terminal devices, networks and servers in fig. 2 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
It should be noted that, the risk transaction identification method and the apparatus determined by the embodiments of the present disclosure may be used in the field of cloud computing technology, or may be used in the field of financial technology, or may be used in any field other than the financial field, and the application field of the risk transaction identification method and the apparatus determined by the embodiments of the present disclosure is not limited.
The risk transaction identification method according to the embodiments of the present disclosure will be described in detail below with reference to fig. 3 to 6 based on the system architecture described in fig. 1 and the application scenario described in fig. 2.
Fig. 3 schematically illustrates a flowchart of a risk transaction identification method provided in accordance with an embodiment of the present disclosure. As shown in fig. 3, the risk transaction identification method of this embodiment includes operations S210 to S240, which may be performed by a server or other computing device.
In operation S210, a transaction request is intercepted using a program probe to acquire function call information.
In operation S220, the function call information is input into a progressive multi-heuristic prediction model for transaction risk identification analysis.
In operation S230, a risk level prediction value of the transaction request is output.
In operation S240, the transaction request is processed according to the risk level predictor.
In one example, in the identification stage, a transaction request is intercepted by a transaction probe, a transaction portal call is acquired, and then a risk identification and evaluation flow for the transaction is initiated.
In one example, when a transaction request is received, it is intercepted and its risk is first predicted and evaluated to identify whether it is a risk transaction. Specifically, program call information, including the key node functions of the program call and the function call information, is detected and collected through a program probe working with the transaction processing program. The function call information is then input into the progressive multi-heuristic prediction model, which outputs a risk degree predicted value for the transaction request. The model is trained in advance on original transaction data: in a run preparation stage, the original transaction data is acquired through a transaction probe, and call link mining is used to collect transaction data and learn transaction features.
In one example, the transaction request is processed according to the risk degree predicted value output in operation S230. For example, if the risk degree predicted value is below a certain threshold, the current transaction request is determined to be a secure transaction and is allowed to continue executing; if the risk degree predicted value is above a certain threshold, the current transaction request is determined to be a risk transaction, and it is rejected and an alarm is raised.
According to the risk transaction identification method provided by the embodiment of the disclosure, when a transaction request is received, a program probe is used to acquire function call information, and the function call information is input into a progressive multi-heuristic prediction model for transaction risk identification analysis. Through the multi-heuristic prediction model, the call link of the current transaction request can be predicted from existing transaction sample data, and the influence of subtle differences in the transaction request data on call link branches can be perceived. A risk degree predicted value of the current transaction request is then output, and the transaction request is processed according to the risk degree predicted value.
The process of transaction risk identification analysis by the progressive multi-heuristic predictive model will be described below in conjunction with fig. 4. Fig. 4 schematically illustrates a flow chart of a risk transaction identification method provided in accordance with another embodiment of the present disclosure. As shown in fig. 4, operation S220 includes operation S221 and operation S222.
In operation S221, a progressive heuristic prediction is performed on the current function call to generate a set of predicted call links.
According to an embodiment of the present disclosure, the progressive multi-heuristic prediction model includes function history call link information.
In operation S222, a risk level prediction value is obtained by calculating the transaction reliability according to the call link set.
In one example, the progressive heuristic prediction model in the embodiment of the disclosure is obtained by statistical analysis of historical transaction call sample information. Specifically, the transaction call sample information is analyzed statistically and preprocessed, for example by normalizing the data, rejecting invalid data and serializing call parameters. The call branch transition probabilities between the call function nodes of each link are counted, the occurrence probabilities of parameters on the different function nodes are counted and calculated, and the resulting information is normalized to unify values and dimensions. Link call prediction is then performed with a heuristic search algorithm that uses multiple heuristic functions, and the transaction reliability is calculated from the call link set predicted for a given confidence level parameter, yielding the transaction risk assessment.
In one example, the transaction risk degree predicted value is derived from the probability distribution with which the link nodes, and the final core call of each link, in the predicted call link set occur in the sample data.
Fig. 5a schematically illustrates a first diagram of the predicted call link set generation method provided according to an embodiment of the present disclosure. Fig. 5b schematically illustrates a second diagram of the predicted call link set generation method provided according to an embodiment of the present disclosure. Fig. 5c schematically illustrates a third diagram of the predicted call link set generation method provided according to an embodiment of the present disclosure.
As shown in fig. 5a, operation S221 includes operations S310 to S330.
In operation S310, a heuristic function result set is determined from the function call information and the function history call link information.
According to an embodiment of the present disclosure, the progressive multi-heuristic prediction model further includes historical parameter features of function call information.
In operation S320, a set of sub-call function nodes is determined from the set of heuristic function results.
According to the embodiment of the disclosure, the sub-call function node set is generated from the next sub-call function nodes in the heuristic function result set whose confidence level is smaller than a preset threshold value.
As shown in fig. 5b, operation S310 includes operations S311 to S313.
In operation S311, a transition probability of the next sub-call function node is determined according to the function history call link information.
In operation S312, a similarity between the current function node parameter and the history parameter feature of the function call information is calculated according to the function call information.
In operation S313, a confidence level of the next sub-call function node is determined according to the transition probability and the similarity.
In one example, the upstream and downstream call relationships of the function nodes can be determined from the function history call link information in the prediction model. A heuristic function result is calculated according to the function call information and the upstream and downstream call relationships of the function node, and is stored in a heuristic function result set. Specifically, two heuristic functions are used to complete the calculation: one calculates the possible transition probability of the next sub-call of the current function node, and the other calculates the similarity between the parameters obtained by the current function node and the historical parameter features of the same program call in the link data storage unit.
In one example, the confidence level of the next sub-call function node is determined based on the transition probability and the similarity. For example, if the similarity between the current function node parameter and the historical parameter feature is greater than a preset threshold, the risk degree of the current function node parameter is determined to be low; if the similarity is less than the preset threshold, the current function node parameter is determined to possibly carry risk. The lower the similarity between the current function node parameter and the historical parameter feature, the lower the confidence level of the corresponding next sub-call function node. The sub-call function node set is determined from the heuristic function result set: it is generated from the next sub-call function nodes in the heuristic function result set whose confidence level is less than the preset threshold, and it includes the transition probability and the confidence level of each node.
In operation S330, iterative heuristic computation is performed on the set of sub-call function nodes based on a progressive decision control policy to form a set of predicted call links.
As shown in fig. 5c, operation S330 includes operations S331 to S332.
In operation S331, before performing iterative heuristic computation on the sub-call function node set, progressive decision control is performed according to the confidence level of the current function node and a preset security level control condition.
In operation S332, when it is determined that the confidence level of the current function node satisfies the preset security level control condition, the iterative heuristic calculation is ended.
In one example, in the embodiment of the disclosure, heuristic prediction is performed on the current transaction request, and heuristic calculation is iterated until a core bottom layer call is obtained, so as to form a prediction call link.
In one example, if the similarity between the current function node parameter and the historical parameter feature of the same program call in the link data storage unit is determined to be greater than a preset threshold, the current function call parameter is determined to be a normal, legal parameter, and the confidence level of the current function node is then greater than the confidence level value in the preset security level control condition. To improve recognition efficiency and shorten the risk recognition time, a progressive control strategy is used to control the heuristic prediction process, and in this case the downward iterative computation does not need to continue. If the similarity between the current function node parameter and the historical parameter feature of the same program call in the link data storage unit is determined to be smaller than the preset threshold, and the confidence level of the current function node is smaller than the confidence level value in the preset security level control condition, it is determined that the current function call carries a certain risk, and the iterative calculation continues. Once the confidence level of any current function node is determined to satisfy the preset security level control condition, prediction of the call link stops and the iterative heuristic calculation ends directly.
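The flow of operations S310 to S332, S222 and S240 can be sketched as follows. This is an added example, not code from the disclosure: the confidence formula (path probability multiplied by the lowest similarity along the link), the similarity measure, both thresholds, all function names and the sample history are assumptions, since the text above leaves them unspecified.

```python
from collections import Counter, defaultdict

# Constructed sample data: historical call links with the request parameters
# that travelled along them, as a program probe might have recorded them.
HISTORY = [
    (["transfer", "check_limit", "debit_account"], {"channel": "app", "currency": "CNY"}),
    (["transfer", "check_limit", "debit_account"], {"channel": "app", "currency": "CNY"}),
    (["transfer", "check_limit", "debit_account"], {"channel": "web", "currency": "CNY"}),
    (["transfer", "manual_review", "debit_account"], {"channel": "web", "currency": "USD"}),
]
SECURITY_LEVEL = 0.8   # assumed confidence that ends the iteration (S331/S332)
RISK_THRESHOLD = 0.5   # assumed cut-off for rejecting a request (S240)
MAX_DEPTH = 16         # guard against cyclic call graphs in the history


def build_model(history):
    """Count branch transitions and per-node parameter occurrences."""
    transitions = defaultdict(Counter)                    # f -> Counter(next g)
    features = defaultdict(lambda: defaultdict(Counter))  # f -> key -> Counter(value)
    for link, params in history:
        for i, fn in enumerate(link):
            for key, value in params.items():
                features[fn][key][value] += 1
            if i + 1 < len(link):
                transitions[fn][link[i + 1]] += 1
    return transitions, features


def similarity(features, fn, params):
    """Second heuristic (S312): match between params and fn's history.

    Assumed measure: each value's count at this node, normalised by the
    count of the most frequent value of the same key, averaged over keys.
    """
    if not params:
        return 0.0
    node = features.get(fn, {})
    scores = []
    for key, value in params.items():
        seen = node.get(key)
        scores.append(seen[value] / max(seen.values()) if seen else 0.0)
    return sum(scores) / len(scores)


def predict_links(model, entry, params):
    """S221: progressive heuristic prediction of the call link set."""
    transitions, features = model
    # Each pending item: (link so far, path probability, lowest similarity).
    pending = [([entry], 1.0, similarity(features, entry, params))]
    predicted = []
    while pending:
        link, path_p, min_sim = pending.pop()
        confidence = path_p * min_sim  # S313, assumed combination
        nexts = transitions.get(link[-1])
        # S331/S332: end the iteration once the node is trusted or a core
        # bottom-layer call is reached. Only nodes below SECURITY_LEVEL are
        # expanded further, which is the sub-call node set of S320.
        if confidence >= SECURITY_LEVEL or not nexts or len(link) >= MAX_DEPTH:
            predicted.append((link, confidence))
            continue
        total = sum(nexts.values())
        for fn, count in sorted(nexts.items()):
            sim = similarity(features, fn, params)
            # First heuristic (S311): transition probability count / total.
            pending.append((link + [fn], path_p * count / total, min(min_sim, sim)))
    return predicted


def risk_value(predicted):
    """S222: reliability is the summed link confidence; risk is its complement."""
    reliability = sum(conf for _, conf in predicted)
    return 1.0 - min(reliability, 1.0)


def handle(model, entry, params):
    """S230/S240: score the intercepted request and decide how to process it."""
    risk = risk_value(predict_links(model, entry, params))
    return ("reject_and_alert" if risk > RISK_THRESHOLD else "allow"), risk


if __name__ == "__main__":
    model = build_model(HISTORY)
    for request in ({"channel": "app", "currency": "CNY"},
                    {"channel": "api", "currency": "USD"}):
        print(request, handle(model, "transfer", request))
```

With the constructed history, the familiar request is trusted at the entry node and never expanded, while the request with an unseen channel is expanded down to the core call on every branch before it is scored.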
Based on the risk transaction identification method, the disclosure also provides a risk transaction identification device. The device will be described in detail below in connection with fig. 6.
Fig. 6 schematically illustrates a block diagram of a risk transaction identification device, in accordance with an embodiment of the present disclosure.
As shown in fig. 6, the risk transaction identification apparatus 600 of this embodiment includes a transaction interception module 610, a transaction risk analysis module 620, an output module 630, and a risk transaction processing module 640.
The transaction interception module 610 is configured to intercept a transaction request using a program probe to obtain function call information. In an embodiment, the transaction interception module 610 may be configured to perform the operation S210 described above, which is not described herein.
The transaction risk analysis module 620 is configured to input the function call information into a progressive multi-heuristic prediction model for transaction risk identification analysis. In an embodiment, the transaction risk analysis module 620 may be configured to perform the operation S220 described above, which is not described herein.
The output module 630 is configured to output a risk level prediction value of the transaction request. In an embodiment, the output module 630 may be used to perform the operation S230 described above, which is not described herein.
The risk transaction processing module 640 is configured to process the transaction request according to the risk level predictor. In an embodiment, the risk transaction processing module 640 may be configured to perform the operation S240 described above, which is not described herein.
According to an embodiment of the present disclosure, the transaction risk analysis module includes a call link prediction sub-module and a risk degree prediction value calculation sub-module.
The call link prediction sub-module is used for performing progressive heuristic prediction on the current function call so as to generate a predicted call link set. In an embodiment, the call link prediction sub-module may be used to perform the operation S221 described above, which is not described herein.
The risk degree prediction value calculation sub-module is used for calculating the transaction reliability according to the call link set to obtain a risk degree predicted value. In an embodiment, the risk degree prediction value calculation sub-module may be used to perform the operation S222 described above, which is not described herein.
According to an embodiment of the present disclosure, the call link prediction sub-module includes a first determining unit, a second determining unit and an iterative calculation unit.
The first determining unit is used for determining a heuristic function result set according to the function call information and the function history call link information. In an embodiment, the first determining unit may be configured to perform the operation S310 described above, which is not described herein.
The second determining unit is used for determining a sub-call function node set according to the heuristic function result set. In an embodiment, the second determining unit may be configured to perform the operation S320 described above, which is not described herein.
The iterative calculation unit is used for performing iterative heuristic calculation on the sub-call function node set based on the progressive decision control strategy so as to form a predicted call link set. In an embodiment, the iterative calculation unit may be configured to perform the operation S330 described above, which is not described herein.
According to an embodiment of the present disclosure, the first determining unit includes a first determining subunit, a calculating subunit, and a second determining subunit.
The first determining subunit is used for determining the transition probability of the next sub-call function node according to the function history call link information. In an embodiment, the first determining subunit may be configured to perform the operation S311 described above, which is not described herein.
The calculating subunit is used for calculating the similarity between the current function node parameters and the historical parameter features of the function call information according to the function call information. In an embodiment, the calculating subunit may be configured to perform the operation S312 described above, which is not described herein.
The second determining subunit is used for determining the confidence level of the next sub-call function node according to the transition probability and the similarity. In an embodiment, the second determining subunit may be configured to perform the operation S313 described above, which is not described herein.
According to an embodiment of the present disclosure, the second determining unit includes a generating subunit.
The generating subunit is used for generating the sub-call function node set from the next sub-call function nodes in the heuristic function result set whose confidence level is smaller than a preset threshold value.
According to an embodiment of the present disclosure, the iterative calculation unit includes a progressive decision control subunit.
The progressive decision control subunit is used for performing progressive decision control according to the confidence level of the current function node and a preset security level control condition before iterative heuristic calculation is performed on the sub-call function node set, and for ending the iterative heuristic calculation when the confidence level of the current function node is determined to satisfy the preset security level control condition.
According to embodiments of the present disclosure, any of the transaction interception module 610, the transaction risk analysis module 620, the output module 630, and the risk transaction processing module 640 may be combined and implemented in one module, or any one of the modules may be split into multiple modules. Alternatively, at least some of the functionality of one or more of the modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the transaction interception module 610, the transaction risk analysis module 620, the output module 630, and the risk transaction processing module 640 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, or an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging circuitry, or in any one of, or a suitable combination of, the three implementation manners of software, hardware, and firmware. Alternatively, at least one of the transaction interception module 610, the transaction risk analysis module 620, the output module 630, and the risk transaction processing module 640 may be at least partially implemented as a computer program module that, when executed, performs the corresponding functions.
Fig. 7 schematically illustrates a block diagram of an electronic device adapted to implement a risk transaction identification method according to an embodiment of the present disclosure.
As shown in fig. 7, an electronic device 900 according to an embodiment of the present disclosure includes a processor 901 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. The processor 901 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 901 may also include on-board memory for caching purposes. Processor 901 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 903, various programs and data necessary for the operation of the electronic device 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other by a bus 904. The processor 901 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the program may be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 900 may also include an input/output (I/O) interface 905, the input/output (I/O) interface 905 also being connected to the bus 904. The electronic device 900 may also include one or more of the following components connected to the I/O interface 905: an input section 906 including a keyboard, a mouse, and the like; an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 908 including a hard disk or the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 910 so that a computer program read out therefrom is installed into the storage section 908 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs that, when executed, implement a risk transaction identification method according to an embodiment of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 902 and/or RAM 903 and/or one or more memories other than ROM 902 and RAM 903 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to implement the risk transaction identification method provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, via communication portion 909, and/or installed from removable medium 911. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909 and/or installed from the removable medium 911. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for performing the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages. In particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or in assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or integrated in a variety of ways, even if such combinations or integrations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or integrated without departing from the spirit and teachings of the present disclosure. All such combinations and/or integrations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (10)

1. A risk transaction identification method, the method comprising:
intercepting a transaction request by using a program probe to acquire function call information;
Inputting the function call information into a progressive multi-heuristic prediction model to perform transaction risk identification analysis;
outputting a risk degree predicted value of the transaction request; and
and processing the transaction request according to the risk degree predicted value.
2. The method of claim 1, wherein said inputting the function call information into a progressive multi-heuristic predictive model for transaction risk identification analysis comprises:
progressive heuristic prediction is carried out on the current function call to generate a predicted call link set; and
and calculating the transaction reliability according to the calling link set to obtain a risk degree predicted value.
3. The method of claim 2, wherein the progressive addition heuristic prediction model comprises function history call link information, wherein the progressively heuristic predicting current function calls to generate a set of predicted call links comprises:
determining a heuristic function result set according to the function call information and the function history call link information;
determining a sub-calling function node set according to the heuristic function result set; and
and performing iterative heuristic calculation on the sub-call function node set based on a progressive decision control strategy to form a prediction call link set.
4. A method according to claim 3, wherein the progressive multi-heuristic prediction model further comprises historical parameter features of function call information, the determining a set of heuristic function results from the function call information and the function historical call link information comprising:
determining the transfer probability of the next sub-calling function node according to the function history calling link information;
calculating the similarity between the current function node parameters and the historical parameter characteristics of the function call information according to the function call information; and
and determining the confidence degree of the next sub-calling function node according to the transition probability and the similarity.
5. The method of claim 4, wherein said determining a set of sub-call function nodes from said set of heuristic function results comprises:
and generating a sub-calling function node set by using the next sub-calling function node with the confidence level smaller than a preset threshold value in the heuristic function result set.
6. The method of claim 5, wherein the iterative heuristic computation of the set of sub-call function nodes based on a progressive decision control policy comprises:
before iterative heuristic calculation is carried out on the sub-calling function node set, progressive decision control is carried out according to the confidence level of the current function node and a preset security level control condition;
And when the confidence level of the current function node meets the preset security level control condition, ending iterative heuristic calculation.
7. A risk transaction identification device, the device comprising:
the transaction interception module is used for intercepting a transaction request by using the program probe so as to acquire function call information;
the transaction risk analysis module is used for inputting the function call information into a progressive multi-heuristic prediction model to perform transaction risk identification analysis;
the output module is used for outputting the risk degree predicted value of the transaction request; and
the risk transaction processing module is used for processing the transaction request according to the risk degree predicted value.
8. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the risk transaction identification method of any of claims 1-6.
9. A computer readable storage medium having stored thereon executable instructions which when executed by a processor cause the processor to perform the risk transaction identification method of any of claims 1 to 6.
10. A computer program product comprising a computer program which, when executed by a processor, implements a risk transaction identification method according to any one of claims 1 to 6.
CN202310537551.0A 2023-05-12 2023-05-12 Risk transaction identification method, apparatus, device, storage medium and program product Pending CN116579776A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310537551.0A CN116579776A (en) 2023-05-12 2023-05-12 Risk transaction identification method, apparatus, device, storage medium and program product

Publications (1)

Publication Number Publication Date
CN116579776A true CN116579776A (en) 2023-08-11

Family

ID=87543790

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310537551.0A Pending CN116579776A (en) 2023-05-12 2023-05-12 Risk transaction identification method, apparatus, device, storage medium and program product

Country Status (1)

Country Link
CN (1) CN116579776A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination