CN117078266A - Transaction data security detection method, device, computer equipment and storage medium - Google Patents
Transaction data security detection method, device, computer equipment and storage medium Download PDFInfo
- Publication number
- CN117078266A CN117078266A CN202311061718.7A CN202311061718A CN117078266A CN 117078266 A CN117078266 A CN 117078266A CN 202311061718 A CN202311061718 A CN 202311061718A CN 117078266 A CN117078266 A CN 117078266A
- Authority
- CN
- China
- Prior art keywords
- account
- feature
- reconstruction
- transaction
- original
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 518
- 238000003860 storage Methods 0.000 title claims abstract description 19
- 238000000034 method Methods 0.000 claims abstract description 96
- 238000004590 computer program Methods 0.000 claims abstract description 26
- 238000012549 training Methods 0.000 claims description 103
- 238000012546 transfer Methods 0.000 claims description 70
- 238000012545 processing Methods 0.000 claims description 34
- 238000012216 screening Methods 0.000 claims description 19
- 230000004927 fusion Effects 0.000 claims description 12
- 238000012423 maintenance Methods 0.000 claims description 8
- 238000013473 artificial intelligence Methods 0.000 abstract description 12
- 230000008569 process Effects 0.000 description 39
- 230000001960 triggered effect Effects 0.000 description 23
- 238000005516 engineering process Methods 0.000 description 17
- 230000006870 function Effects 0.000 description 16
- 238000010586 diagram Methods 0.000 description 11
- 230000002159 abnormal effect Effects 0.000 description 10
- 238000009826 distribution Methods 0.000 description 10
- 238000011156 evaluation Methods 0.000 description 9
- 238000004422 calculation algorithm Methods 0.000 description 8
- 238000012360 testing method Methods 0.000 description 8
- 238000004364 calculation method Methods 0.000 description 7
- 230000000694 effects Effects 0.000 description 7
- 238000010801 machine learning Methods 0.000 description 7
- 230000009467 reduction Effects 0.000 description 7
- 238000011161 development Methods 0.000 description 6
- 238000003062 neural network model Methods 0.000 description 6
- 238000013528 artificial neural network Methods 0.000 description 5
- 230000008901 benefit Effects 0.000 description 5
- 238000012795 verification Methods 0.000 description 5
- 238000004458 analytical method Methods 0.000 description 4
- 230000001965 increasing effect Effects 0.000 description 4
- 238000012544 monitoring process Methods 0.000 description 4
- 238000004891 communication Methods 0.000 description 3
- 238000011217 control strategy Methods 0.000 description 3
- 238000002372 labelling Methods 0.000 description 3
- 238000007477 logistic regression Methods 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 230000005856 abnormality Effects 0.000 description 2
- 230000006399 behavior Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 238000010276 construction Methods 0.000 description 2
- 238000013500 data storage Methods 0.000 description 2
- 238000003066 decision tree Methods 0.000 description 2
- 238000013135 deep learning Methods 0.000 description 2
- 238000013136 deep learning model Methods 0.000 description 2
- 238000000605 extraction Methods 0.000 description 2
- 238000007499 fusion processing Methods 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 238000005304 joining Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 210000002569 neuron Anatomy 0.000 description 2
- 238000002360 preparation method Methods 0.000 description 2
- 230000035945 sensitivity Effects 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- OKTJSMMVPCPJKN-UHFFFAOYSA-N Carbon Chemical compound [C] OKTJSMMVPCPJKN-UHFFFAOYSA-N 0.000 description 1
- 230000004913 activation Effects 0.000 description 1
- 230000003044 adaptive effect Effects 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000033228 biological regulation Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000004069 differentiation Effects 0.000 description 1
- 229910021389 graphene Inorganic materials 0.000 description 1
- 230000002779 inactivation Effects 0.000 description 1
- 230000006698 induction Effects 0.000 description 1
- 230000001939 inductive effect Effects 0.000 description 1
- 230000000873 masking effect Effects 0.000 description 1
- 238000005065 mining Methods 0.000 description 1
- 238000003058 natural language processing Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 238000007781 pre-processing Methods 0.000 description 1
- 230000001105 regulatory effect Effects 0.000 description 1
- 230000002787 reinforcement Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000013526 transfer learning Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4016—Transaction verification involving fraud or risk level assessment in transaction processing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
Landscapes
- Business, Economics & Management (AREA)
- Engineering & Computer Science (AREA)
- Accounting & Taxation (AREA)
- Computer Security & Cryptography (AREA)
- Finance (AREA)
- Strategic Management (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- General Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
The present application relates to a transaction data security detection method, apparatus, computer device, storage medium and computer program product. The method involves artificial intelligence techniques, including: acquiring transaction data generated by at least two user accounts through triggering a transaction event, and acquiring respective original account characteristics of the at least two user accounts based on the transaction data; performing first coding reconstruction on each original account number feature, and obtaining a first detection result according to reconstructed account number features obtained by reconstruction; performing second coding reconstruction on the characteristics aiming at the transactions with characteristic association relations among the original account characteristics, and obtaining a second detection result according to the reconstructed transaction pairs obtained by reconstruction; based on the first detection result and the second detection result, a security detection result for the transaction data is obtained. By adopting the method, the accuracy of transaction data security detection can be improved.
Description
Technical Field
The present application relates to the field of computer technology, and in particular, to a transaction data security detection method, apparatus, computer device, storage medium, and computer program product.
Background
With the development of computer technology, cashless transaction methods have thoroughly changed people's lives. Particularly, in recent years, with the popularization and development of online payment, online transactions are favored by more and more users, and countless transactions occur on various online transaction platforms.
While online transactions are rapidly developed, there may be some potential safety hazards, such as fraudulent transactions threatening the interests of users and network security, and demands for how to accurately detect fraudulent transactions occurring in online transactions to ensure transaction security are not waited, but the accuracy of security detection for transaction data is low at present.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a transaction data security detection method, apparatus, computer device, computer readable storage medium, and computer program product that can improve the accuracy of transaction data security detection.
In a first aspect, the present application provides a transaction data security detection method. The method comprises the following steps:
acquiring transaction data generated by triggering transaction events by at least two user accounts, and acquiring respective original account characteristics of the at least two user accounts based on the transaction data;
Performing first coding reconstruction aiming at each original account number characteristic, and obtaining a first detection result according to the reconstructed account number characteristics obtained by reconstruction;
carrying out second coding reconstruction on the characteristics aiming at the transaction with the characteristic association relation among the characteristics of each original account, and obtaining a second detection result according to the reconstructed transaction pair characteristics obtained by reconstruction;
based on the first detection result and the second detection result, a security detection result for the transaction data is obtained.
In a second aspect, the application also provides a transaction data security detection device. The device comprises:
the account feature acquisition module is used for acquiring transaction data generated by triggering transaction events by at least two user accounts and acquiring the respective original account features of the at least two user accounts based on the transaction data;
the first detection result determining module is used for carrying out first coding reconstruction on the original account number characteristics, and obtaining a first detection result according to the reconstructed account number characteristics obtained by reconstruction;
the second detection result determining module is used for carrying out second coding reconstruction on the characteristics aiming at the transaction with the characteristic association relation among the characteristics of each original account, and obtaining a second detection result according to the reconstructed transaction pair characteristics obtained by reconstruction;
And the security detection result determining module is used for obtaining the security detection result aiming at the transaction data based on the first detection result and the second detection result.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the steps of the transaction data security detection method when executing the computer program.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the transaction data security detection method described above.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps of the transaction data security detection method described above.
The transaction data security detection method, the device, the computer equipment, the storage medium and the computer program product acquire transaction data generated by triggering transaction events by at least two user accounts, acquire respective original account characteristics of the at least two user accounts based on the transaction data, perform first coding reconstruction on each original account characteristic, acquire a first detection result according to the reconstructed account characteristics acquired by reconstruction, perform second coding reconstruction on characteristics according to transactions with characteristic association relations among the original account characteristics, acquire a second detection result according to the reconstructed transaction pairs acquired by reconstruction, and acquire security detection results for the transaction data based on the first detection result and the second detection result. In the transaction data security detection process, security detection for coding reconstruction of original account features and security detection for coding reconstruction of features of transactions with feature association relations between the original account features are integrated, multi-dimensional security detection can be performed based on account features of user accounts related to the transaction data, and accuracy of the transaction data security detection is improved.
Drawings
FIG. 1 is an application environment diagram of a transaction data security detection method in one embodiment;
FIG. 2 is a flow chart of a transaction data security detection method according to one embodiment;
FIG. 3 is a flow diagram of a transaction data security detection method in one embodiment;
FIG. 4 is a schematic diagram of steps for obtaining a first detection result according to an embodiment;
FIG. 5 is a schematic diagram of feature selection in one embodiment;
FIG. 6 is a schematic view of feature selection in another embodiment;
FIG. 7 is a flow chart of a method of transaction data security detection in another embodiment;
FIG. 8 is a schematic diagram of a mechanism for a strategy wind-controlled platform in one embodiment;
FIG. 9 is a flow diagram of prediction detection based on a self-encoder in one embodiment;
FIG. 10 is a schematic diagram of the structure of a self-encoder in one embodiment;
FIG. 11 is a flow diagram of a model process in one embodiment;
FIG. 12 is a block diagram of a transaction data security sensing device in one embodiment;
fig. 13 is an internal structural view of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The transaction data security detection method provided by the embodiment of the application can be applied to an application environment shown in figure 1. Wherein the first terminal 102 and the second terminal 104 communicate with the server 106 via a network, respectively. The data storage system may store data that the server 106 needs to process. The data storage system may be integrated on the server 106 or may be located on the cloud or other server. The transaction event is triggered between the first terminal 102 and the second terminal 104 to generate a transaction, and the first terminal 102 and the second terminal 104 can respectively log in different user accounts to realize transaction processing among different user accounts; the server 104 may perform security detection with respect to transaction data generated between the first terminal 102 and the second terminal 104.
During the transaction data security detection application, the first terminal 102 may actively trigger a transaction event, for example, a user may scan the second terminal device 104 based on the first terminal 102, and a merchant's checkout code may be displayed in the second terminal device 104, so that the transaction event may be triggered based on the user account number associated with the first terminal 102 and the user account number of the merchant associated with the second terminal device 104, and transaction data may be generated. As another example, the first terminal 102 may initiate a resource transfer procedure to the second terminal device 104 based on a resource transfer function in the online transaction platform, such that a transaction event may be triggered between a user account associated with the first terminal 102 and a user account associated with the second terminal device 104, and transaction data generated.
The server 106 may obtain transaction data generated between the first terminal 102 and the second terminal 104 by triggering a transaction event by at least two user accounts, where the transaction event may be a resource transfer process, the at least two user accounts may include a user account of a resource transfer party and a user account of the resource transfer party, and the server 106 may obtain, based on the transaction data, respective original account characteristics of the at least two user accounts, that is, obtain original account characteristics of the user account held by the resource transfer party and obtain original account characteristics of the user account held by the resource transfer party; the server 106 performs first coding reconstruction on each original account feature, and obtains a first detection result according to the reconstructed account features obtained by reconstruction; the server 106 carries out second coding reconstruction on the characteristics aiming at the transaction with the characteristic association relation among the characteristics of each original account, and obtains a second detection result according to the reconstructed transaction pair characteristics obtained by reconstruction; the server 106 obtains a security detection result for the transaction data based on the first detection result and the second detection result. The server 106 may feed back the security detection results for the transaction data to the first terminal 102 and the second terminal 104 in order to feed back the security detection results for the transaction to the end user.
The first terminal 102 or the second terminal 104 may be, but not limited to, various desktop computers, notebook computers, smart phones, tablet computers, internet of things devices and portable wearable devices, and the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server 106 may be implemented as a stand-alone server or as a cluster of servers.
When the method is applied specifically, the transaction data security detection method provided by the application can be realized based on an artificial intelligence technology. Among these, artificial intelligence (Artificial Intelligence, AI) is the theory, method, technique and application system that uses a digital computer or a digital computer-controlled machine to simulate, extend and extend human intelligence, sense the environment, acquire knowledge and use knowledge to obtain optimal results. In other words, artificial intelligence is an integrated technology of computer science that attempts to understand the essence of intelligence and to produce a new intelligent machine that can react in a similar way to human intelligence. Artificial intelligence, i.e. research on design principles and implementation methods of various intelligent machines, enables the machines to have functions of sensing, reasoning and decision. The artificial intelligence technology is a comprehensive subject, and relates to the technology with wide fields, namely the technology with a hardware level and the technology with a software level. Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.
Machine Learning (ML) is a multi-domain interdisciplinary, involving multiple disciplines such as probability theory, statistics, approximation theory, convex analysis, algorithm complexity theory, etc. It is specially studied how a computer simulates or implements learning behavior of a human to acquire new knowledge or skills, and reorganizes existing knowledge structures to continuously improve own performance. Machine learning is the core of artificial intelligence, a fundamental approach to letting computers have intelligence, which is applied throughout various areas of artificial intelligence. Machine learning and deep learning typically include techniques such as artificial neural networks, confidence networks, reinforcement learning, transfer learning, induction learning, teaching learning, and the like. The scheme provided by the embodiment of the application relates to an artificial intelligence machine learning technology, for example, the first coding reconstruction can be performed on the original account number characteristics based on the machine learning technology, the second coding reconstruction is performed on the characteristics of the transaction, and the like, and the method is specifically described by the following embodiment.
In one embodiment, as shown in fig. 2, a transaction data security detection method is provided, where the method is executed by a computer device, specifically, may be executed by a computer device such as a terminal or a server, or may be executed by the terminal and the server together, and in an embodiment of the present application, the method is applied to the server in fig. 1, and is described as an example, and includes the following steps:
In one embodiment, as shown in fig. 2, a transaction data security detection method is provided, where the method is executed by a computer device, specifically, may be executed by a computer device such as a terminal or a server, or may be executed by the terminal and the server together, and in an embodiment of the present application, the method is applied to the server in fig. 1, and is described as an example, and includes the following steps:
step 202, obtaining transaction data generated by at least two user accounts through triggering a transaction event, and obtaining respective original account characteristics of the at least two user accounts based on the transaction data.
The user account may be an identifier of a transaction account held by a user who triggers a transaction, and in a transaction scenario of resource transfer, the transaction account may be a resource account, where the resource account may include a resource possessed by the user, and the user account may identify the resource account of the user. Each user account may correspond to a unique identifier, which may be set by the user itself based on the user terminal, and may be letters, numbers, or other characters. The transaction event may be a transaction-related event triggered by at least two user accounts, such as may include a resource transfer event triggered by a user account at which the resource transfer-out party and the resource transfer-in party are located. In practical applications, a transaction event may be triggered between at least two user accounts, each of which may be held by a corresponding user, so that a transaction may be triggered between multiple users to implement online transaction processing through the user accounts held by the respective users, e.g., online resource transfer may be implemented.
The triggering mode of triggering the transaction event between the user accounts can be flexibly set according to actual needs, for example, the mode of triggering the transaction event can be different according to different properties of the resource transfer-out party and the resource transfer-in party. For example, in a transaction event for resource transfer, when the resource transfer-out party includes an individual user and the resource transfer-in party includes a merchant, if a user terminal associated with a user account of the individual user scans a payment device associated with a user account of the merchant, the transaction event may be triggered, that is, when the user terminal scans a payment device's checkout code, the transaction event is triggered. When the resource transfer-out party comprises an individual user, and the resource transfer-in party also comprises an individual user, the user account of the resource transfer-out party can be a first user account, the payment account of the resource transfer-in party can be a second user account, and the resource transfer-out party and the resource transfer-in party can be users with social relations on a network social platform. When a first user terminal associated with a first user account initiates a resource transfer operation to a second user terminal associated with a second user account, a transaction event can be triggered; the resource transfer-out party and the resource transfer-in party can also be users without social relation, and when a first user terminal associated with a first user account scans a collection code of a second user terminal associated with a second user account, a transaction event can be triggered.
Further, transaction events may be triggered not only based on two user accounts, but also by multiple user accounts. For example, in a transaction application scenario of the resource transfer process, the transaction participant may refer to the resource transfer party and the resource transfer party, that is, the user account may include a user account of the resource transfer party, or may include a user account of the resource transfer party, and according to the user account, the resource transfer party and the resource transfer party involved in the process of performing the resource transfer process may be explicitly referred to. The resource transfer-out party can be a resource paying party, namely a paying party, in the resource transfer processing process; the resource transfer party may be a resource receiving party, i.e. a payee, in the process of resource transfer. During the resource transfer process, only one payer and one payee may be involved, e.g., the resource transfer process occurring between the consumer and the merchant may include only the consumer account of one payer and the merchant account of one payee; in the resource transfer process, at least one of the payor or payees can be multiple, namely one payor and multiple payees; or a plurality of payees and a payee; but also multiple payees and multiple payees. For example, in a process of transferring resources in the same network interaction platform, the user account triggering the transaction event may include a user account 1, a user account 2, a user account 3, and the like, where the user account 1 may be a payor, and the user account 2 and the user account 3 may be payees; in another resource transfer process, the user account 2 and the user account 3 may be payors, and the user account 1 may be payors.
The transaction data refers to data generated by triggering transaction events, the transaction data can be used for describing transaction events triggered between user accounts, and the transaction data can comprise various types of data related to transactions, such as the user accounts, transaction triggering time, transaction content and the like, which can be used for triggering the transaction events. The transaction data may include a time at which the transaction event was triggered, such as a time at which the user terminal scanned the checkout code of the payment device, a time at which the first user initiated a resource transfer operation to the second user's terminal through the terminal, etc.; the transaction data may also include transaction content involved in the triggered transaction event, where the transaction content may include a resource amount, a resource transfer unit number, resource transfer-out information associated with the user account, resource transfer-in information associated with the user account, and the like in a resource transfer transaction application. The resource transfer-out party information may be information for identifying the resource transfer-out party, and the account number of the resource transfer-out party involved in the transaction event may be determined through the resource transfer-out party information. The resource transfer-in party information may be information for identifying a resource transfer-in party, and the account number of the resource transfer-in party involved in the transaction event may be determined through the resource transfer-in party information.
The raw account number features are used to characterize the user account number, and different user accounts may correspond to different raw account number features. The raw account number features may include various types of features that are related to transaction data security detection and may have an impact on the transaction data security detection. The original account characteristics can be extracted according to account data of the user account, and specifically can comprise account attribute information of the user account, such as registration time, service life, holder information, account social information and the like, and also can comprise historical transaction information of the user account, such as historical transaction times, transaction contents, transaction objects and the like. For example, in a transaction scenario of resource transfer, the original account feature may include account attribute information of the payer and the payee themselves, such as a registration duration, a registration place, a social relationship, etc. that the resource transfer-out party and the resource transfer-in party each hold a user account; the raw account feature may also include historical transaction information generated during a historical time period, such as account expenditures, account transfers, etc. by the resource transfer-out party and the resource transfer-in party during a past time period; the original account number features may also include the current transaction information generated by triggering the current transaction event, such as the time of triggering the current transaction, the transaction list number of the current transaction event, and so on.
Each user account can have the corresponding original account characteristics, and the obtained original account characteristics are different according to the different numbers of the user accounts participating in the triggering transaction event. For example, in a transaction scenario of resource transfer, when a transaction event is triggered between two user accounts, the obtained original account characteristics may include only the original account characteristics of one payer account, where the payer account is a user account held by a payer, and only the original account characteristics of one payee account, where the payee account is a user account held by a payee; when the transaction event is triggered by more than two user accounts, the obtained original account characteristics may include original account characteristics of one payer account, user account characteristics of a plurality of payee accounts; the obtained original account characteristics can also comprise the original account characteristics of a plurality of payer accounts, and the user account characteristics of one payee account; the obtained raw account characteristics may also include raw account characteristics of a plurality of payer accounts, user account characteristics of a plurality of payee accounts.
Identification information of the user account triggering the transaction event can be recorded in the transaction data, for example, account identification of the user account triggering the transaction event can be recorded, the user account triggering the transaction event can be determined according to the transaction data, and corresponding original account characteristics can be obtained based on the determined user account.
Specifically, the server may obtain transaction data to be detected, where the transaction data may be generated by at least two user accounts, for example, only by two user accounts through triggering a transaction event, or may be generated by more than two user accounts through triggering a transaction event. The server may detect transaction event triggers between individual user accounts, and upon detection of a transaction event, the server may obtain transaction data generated by the triggered transaction event. The server may determine the user account based on the transaction data, that is, determine at least two user accounts participating in the triggering transaction event according to the transaction participants recorded in the transaction data, and obtain respective original account features of each user account based on the determined at least two user accounts, for example, may query from an account feature library to obtain respective original account features of the at least two user accounts triggering the transaction event.
In a specific application, when the server obtains the respective original account characteristics of at least two user accounts based on transaction data, the server can directly obtain the original account characteristics of the respective user accounts of the resource transfer-out party and the resource transfer-in party when only two user accounts exist, namely, only the user account of one resource transfer-out party and the user account of one resource transfer-in party; when more than two user accounts are included, the server can screen each user account based on preset account screening conditions to obtain user accounts meeting the account screening conditions, wherein when the account screening conditions are set, setting can be performed based on account characteristic information quantity, account liveness and the like of the accounts, so that the user accounts with more representative safety detection of transaction data can be determined by screening the user accounts, the accuracy of the safety detection of the transaction data is improved, and meanwhile, the data quantity can be reduced and the safety detection efficiency of the transaction data is improved by screening the user accounts.
Step 204, performing first coding reconstruction on each original account feature, and obtaining a first detection result according to the reconstructed account features obtained by reconstruction.
The first code reconstruction may be a processing procedure of performing feature reconstruction on each original account feature, and specifically may include a process of reconstructing a corresponding original account feature after encoding the original account feature. The feature reconstruction of the features of each original account number can be realized by using a feature reconstruction model constructed based on various algorithms. When the feature reconstruction model is constructed, the feature reconstruction model can be constructed based on supervised learning, or constructed without supervised learning. In constructing the feature reconstruction model based on unsupervised learning, the underlying neural network model may include encoder models of a self-encoder, a sparse self-encoder, a noise reduction self-encoder, a stacked self-encoder, and the like. The reconstructed account number features may be features obtained after feature reconstruction is performed on each original account number feature, and specifically, feature reconstruction may be performed on each original account number feature based on a preset sparse self-encoder to obtain reconstructed account number features.
The first detection result is a detection result obtained by performing security detection on the transaction data according to the reconstructed account number features obtained by reconstruction, and specifically may be a result obtained by performing security detection analysis on the original account number features and the reconstructed account number features. The first detection result may indicate that the current transaction data does not have transaction risk, and may also indicate that the current transaction data has transaction risk. The method comprises the steps that specifically, the characteristics difference between the original account number characteristics and the reconstructed account number characteristics can be determined through comparing and analyzing the reconstructed account number characteristics and the original account number characteristics, and a first detection result is obtained according to the characteristics difference; the characteristic difference between the original account number characteristic and the reconstructed account number characteristic can be obtained through the characteristic similarity, the characteristic distance and other parameters between the characteristics.
Specifically, the server performs first coding reconstruction based on the obtained original account characteristics, and performs security detection according to the reconstructed account characteristics obtained by reconstruction to obtain a first detection result. If the server can adopt a preset feature reconstruction model, performing first coding reconstruction on each original account feature to obtain reconstructed account features, and obtaining a first detection result according to the reconstructed account features obtained by reconstruction. In specific implementation, the server may select a target feature reconstruction model from a plurality of feature reconstruction models for performing a first encoding reconstruction based on the original account number features, where the plurality of feature reconstruction models may include a feature reconstruction model constructed based on a self-encoder, a feature reconstruction model constructed based on a sparse encoder, and a feature reconstruction model constructed based on a variance self-encoder. When the server selects the characteristic reconstruction model for carrying out the first coding reconstruction, the characteristic reconstruction model can be selected after being comprehensively evaluated by combining a specific transaction data security detection task, the data characteristics of the characteristics of each original account number and the like, so that the sensitivity to an abnormal sample can be increased to a certain extent, and an accurate first detection result can be obtained.
And 206, carrying out second coding reconstruction on the characteristics aiming at the transaction with the characteristic association relation among the characteristics of each original account, and obtaining a second detection result on the characteristics according to the reconstructed transaction obtained by reconstruction.
The transaction pair features are features with association relations determined from the original account features. The characteristic association relation can be set according to actual needs, the transaction pair characteristics can comprise account association characteristics, and the account association characteristics can be characteristics with certain association determined among the original account characteristics, such as characteristics belonging to a certain enterprise, commonly joining a certain group and high transaction frequency triggered by the same user account. If the feature association relationship can be determined based on the transaction objects, if the transaction objects are included in the original account features, the same transaction objects can be determined as transaction pair features with feature association relationship among the original account features when the same transaction objects exist in the original account features; for another example, whether a feature association relationship exists can also be determined based on the social relationship, and the same social friends existing in the original account features can be determined as transaction pair features with the feature association relationship among the original account features.
The transaction pair features may also include account common features, which may be features that are common among the original account features, i.e., feature association is a feature that determines whether there is a common feature. For example, the original account number features 1 may include features a, B, and C, the original account number features 1 may include features a, D, and E, and the account number common feature may be feature B. In the security detection scenario for transaction data, the account common feature may be a common social relationship feature existing in at least two user accounts, and the common social relationship feature may specifically be a common friend number, a common joining group number and the like of at least two user accounts, and the account common feature may further include a duration of establishing social association between at least two user accounts and the like.
The second code reconstruction may be a process of performing feature reconstruction on the transaction, and performing the second code reconstruction on the feature for the transaction may be implemented based on a preset feature reconstruction model. The feature model employed for the second encoded reconstruction may include encoders such as a self-encoder, a sparse self-encoder, a noise reduction self-encoder, a stacked self-encoder, and the like. The reconstructed transaction pair feature is a feature obtained after feature reconstruction of the transaction pair feature, for example, the feature reconstruction can be performed on the transaction pair feature based on a preset feature reconstruction model, so as to obtain the reconstructed transaction pair feature. In specific implementation, the server can select a target feature reconstruction model from a plurality of feature reconstruction models by combining the data features of the features with transactions to carry out second coding reconstruction, if the accuracy of the reconstructed features needs to be improved, the server can select a feature reconstruction model constructed based on the variation self-encoder from the feature reconstruction model constructed based on the self-encoder, the feature reconstruction model constructed based on the sparse encoder and the feature reconstruction model constructed based on the variation self-encoder, and the second coding reconstruction is carried out through the feature reconstruction model constructed based on the variation self-encoder, so that the accuracy of the feature reconstruction can be improved to a certain extent, and a more accurate second detection result is obtained.
Specifically, the server may perform feature association determination for each original account feature according to a preset feature association relationship to determine a transaction pair feature having a feature association relationship between the original account features, e.g., the server may compare each original account feature according to the feature association relationship to determine a transaction pair feature having a feature association relationship before each original account feature. The server can perform second coding reconstruction on the characteristics aiming at the determined transaction, and particularly can perform second coding reconstruction on the characteristics aiming at the transaction through a pre-trained self-encoder to obtain reconstructed transaction pair characteristics obtained by reconstruction. The server can perform security detection on the features by using the reconstructed transaction obtained by reconstruction to obtain a second detection result. Compared with the first detection result obtained by carrying out safety detection based on the respective reconstructed account characteristics of the user account, the second detection result is obtained by carrying out safety detection on the characteristics based on the reconstructed transaction, so that the correlation between the account characteristics can be fully utilized for carrying out safety detection, and the accuracy of safety detection is improved.
Step 208, based on the first detection result and the second detection result, a security detection result for the transaction data is obtained.
The security detection result may be a result obtained by performing security detection on transaction data, and the security detection result is determined based on the first detection result and the second detection result. Specifically, the server may fuse the first detection result and the second detection result to obtain a security detection result for the transaction data. When the server determines the safety detection result according to the first detection result and the second detection result, comprehensive analysis can be performed on the first detection result and the second detection result, for example, a voting mechanism is adopted to select one of the first detection result and the second detection result as the safety detection result, and weighted fusion processing can also be performed on the first detection result and the second detection result, so that the safety detection result is obtained based on the fusion result.
In one specific application, as shown in fig. 3, a flow chart of a transaction data security detection method is shown. The user accounts related in this embodiment may include a user account 1 and a user account 2 and …, and the transaction data may be data generated by a transaction event triggered by each user account, for example, may be transaction data generated by the user account 1, the user account 2 and the user trigger n through triggering the transaction event.
The server acquires transaction data to be detected, and transaction events triggered by the transaction data are generated. For each user account triggering the transaction event, the characteristics of the original account are respectively corresponding. For user account 1, there may be a corresponding original account feature 1; for user account 2, there may be corresponding original account feature 2 … for user account n, there may be corresponding original account feature n. In a transaction scenario of resource transfer, the server may determine, based on the transaction data, each user account that triggers generation of the transaction data, and query the original account characteristics of each user account. The server can determine the characteristics of the transaction pairs according to the characteristics of the original account numbers of the user accounts. For example, the server may obtain feature intersections of the features of each original account, and take the feature intersections as transaction pair features.
The server can reconstruct the first code by utilizing the original account number characteristics to obtain reconstructed account number characteristics, and perform security detection based on the reconstructed account number characteristics to obtain a first detection result. When the server adopts the original account number features to carry out the first code reconstruction, the original account number features corresponding to all the user accounts triggering the transaction event can be obtained, and the first code reconstruction is unfolded based on the original account number features corresponding to all the user accounts triggering the transaction event. For example, the user accounts triggering the transaction event may include a user account 1, a user account 2, and a user account 3, and the server may obtain an original feature account 1 corresponding to the user account 1, obtain an original feature account 2 corresponding to the user account 2, and obtain an original feature account 3 corresponding to the user account 3. Further, the server may develop the first encoded reconstruction based on the obtained original characteristic account number 1, original characteristic account number 2, and original characteristic account number 3.
The server can reconstruct the characteristics by using the transaction determined based on the original account number characteristics to obtain reconstructed transaction pair characteristics, and perform security detection on the characteristics based on the reconstructed transaction pair characteristics to obtain a second detection result. Specifically, the server may determine the transaction pair feature based on the original feature account number 1, the original feature account number 2, and the original feature account number 3, and perform a second encoding reconstruction on the feature based on the transaction. The server can also screen the original account characteristics corresponding to all the user accounts triggering the transaction event, obtain screened original account characteristics, and develop a first coding reconstruction based on the screened original account characteristics. For example, the user account triggering the transaction event may include a user account 1, a user account 2, a user account 3, and a user account 4, and the server may filter respective original account characteristics of the user account 1, the user account 2, the user account 3, and the user account 4 to obtain filtered original account characteristics, for example, when the feature information amount of the original feature account 1 corresponding to the user account 1 is more, or when the features in the original feature account 3 corresponding to the user account 3 are more stable, the server may obtain the original feature account 1 corresponding to the user account 1 and the original feature account 3 corresponding to the user account 3. Further, the server may develop a first encoded reconstruction based on the obtained original characteristic account number 1 and the original characteristic account number 3. Meanwhile, the server can determine the transaction pair characteristics based on the original characteristic account number 1 and the original characteristic account number 3, and perform second coding reconstruction on the characteristics based on the transaction.
The server rebuilds through the first code to obtain a rebuilding account number characteristic, and determines a first detection result based on the rebuilding account number characteristic. The server obtains the reconstructed transaction pair characteristics through the second coding reconstruction, and determines a second detection result based on the reconstructed transaction pair characteristics. The server may obtain a security detection result for the transaction data based on the first detection result and the second detection result.
In the transaction data security detection method, transaction data generated by triggering transaction events by at least two user accounts are acquired, original account characteristics of the at least two user accounts are acquired based on the transaction data, first coding reconstruction is carried out on the original account characteristics, a first detection result is obtained according to the reconstructed account characteristics obtained through reconstruction, second coding reconstruction is carried out on characteristics according to transactions with characteristic association relations among the original account characteristics, a second detection result is obtained according to the reconstructed transaction pair characteristics obtained through reconstruction, and security detection results for the transaction data are obtained based on the first detection result and the second detection result. In the transaction data security detection process, security detection for coding reconstruction of original account features and security detection for coding reconstruction of features of transactions with feature association relations between the original account features are integrated, multi-dimensional security detection can be performed based on account features of user accounts related to the transaction data, and accuracy of the transaction data security detection is improved.
In one embodiment, as shown in fig. 4, the specific steps of determining the first detection result are shown, performing first encoding reconstruction for each original account feature, and obtaining the first detection result according to the reconstructed account feature obtained by reconstruction, where the steps include:
step 402, performing first coding reconstruction on each original account feature to obtain reconstructed account features.
Specifically, the server may perform a first encoding reconstruction based on each original account feature, to obtain a reconstructed account feature. Before the server performs the first coding reconstruction on each original account feature, each original account feature can be processed to obtain an original account feature for performing feature reconstruction. When the original account number characteristics for the first code reconstruction determined by the server based on the original account number characteristics are different, the types and the numbers of the used characteristic reconstruction models are also different.
When the method is concretely implemented, the server can directly perform feature fusion on all the obtained original account features when processing the original account features, obtain fused original account features after fusion, and perform feature reconstruction based on the fused original account features; the server can also perform feature reconstruction on all the obtained original account features without feature fusion processing based on the original account features of the payer account and the original account features of the payee account respectively; the server can also select the original account characteristics of part of the accounts of the payors from the original account characteristics of the accounts of the payors, and select the original account characteristics of part of the accounts of the payors from the original account characteristics of the accounts of the payors to perform characteristic reconstruction; the server can also select the original account number characteristics of the payer account number from the original account number characteristics to perform characteristic reconstruction, wherein the number of the selected original account number characteristics of the payer account number is at least two, and perform characteristic reconstruction based on the selected original account number characteristics of the at least two payer account numbers; the server may further select, from the original account features, original account features of the payee account to perform feature reconstruction, where the number of the selected original account features of the payee account is at least two, and perform feature reconstruction based on the selected original account features of the at least two payee accounts.
When the server performs feature reconstruction based on the fused original account feature, a first feature reconstruction model can be obtained, feature reconstruction is performed on the fused original account feature based on the first feature reconstruction model, and the reconstructed account feature corresponding to the fused original account feature is determined. When the server directly performs feature reconstruction based on the original account number feature of the payer account number and the original account number feature of the payee account number, or based on the original account number feature of a part of the payer account numbers selected from the original account number features of the payer account numbers and the original account number feature of a part of the payee account numbers selected from the original account number features of the payee account numbers, only one feature reconstruction model may be obtained, for example, only a second feature reconstruction model is obtained, and the original account number feature belonging to the payer account numbers and the original account number feature belonging to the payee account numbers are input into the second feature reconstruction model at different times, so as to obtain the initial reconstruction account number features which are respectively output by the second feature reconstruction model for the original account number feature of the payee account numbers and the original account number feature of the payee account numbers, and the server further processes the initial account number reconstruction features to determine the final reconstruction account number feature. The server may also obtain two feature reconstruction models, such as a feature reconstruction sub-model 1 and a feature reconstruction sub-model 2, and input the original account number features belonging to the payer account number to the feature reconstruction sub-model 1 to obtain a first reconstructed account number feature; and inputting the original account characteristics belonging to the account of the payee into the characteristic reconstruction sub-model 2 to obtain second reconstructed account characteristics, and determining final reconstructed account characteristics according to the first reconstructed account characteristics and the second reconstructed account characteristics. When the server performs feature reconstruction based on the original account features of at least two payer accounts, a third feature reconstruction model can be obtained, feature reconstruction is performed on the original account features of at least two payer accounts based on the third feature reconstruction model, and reconstructed account features are determined. When the server performs feature reconstruction based on the original account features of at least two payee accounts, a fourth feature reconstruction model can be obtained, feature reconstruction is performed on the original account features of at least two payee accounts based on the fourth feature reconstruction model, and reconstructed account features are determined. In this embodiment, when the server actually selects the feature reconstruction model, the same feature reconstruction model may be selected for different original account features, or different feature reconstruction models may be selected, and when the feature reconstruction model is actually selected, the data features of the original account features and the security detection accuracy of the transaction data may be combined to perform adaptive selection.
Step 404, based on the account feature detection judgment conditions, performing account feature security detection on account feature reconstruction differences between the reconstructed account features and the original account features to obtain a first detection result.
The account feature detection and judgment condition may be a condition for judging an account feature reconstruction difference, and the account feature reconstruction difference is processed by the account feature detection and judgment condition, so that a first detection result may be determined. The first detection result may include a result indicating that the transaction data does not have a transaction risk, and may also include a result indicating that the transaction data has a transaction risk. When the account feature detection judgment conditions are set, the account feature detection judgment conditions can be set based on an error threshold value, a similarity threshold value, a distance threshold value and the like among features, and the actual account feature detection judgment conditions can be adaptively set according to the specific form of the account feature reconstruction difference. The account number feature reconstruction difference refers to a reconstruction difference between the reconstructed account number feature and each original account number feature, and the account number feature reconstruction difference specifically may include similarity, distance, error, and the like between the reconstructed account number feature and each original account number feature. The account number feature security detection may refer to a process of determining the account number feature reconstruction difference based on account number feature detection determination conditions, and the first detection result is obtained through account number security feature detection.
Specifically, the server may perform account feature security detection on account feature reconstruction differences based on preset account feature detection determination conditions, where the account feature reconstruction differences are feature differences between reconstructed account features and original account features, and determine the account feature reconstruction differences by the server according to the account feature detection determination conditions, so as to determine a first detection result. In a specific application, the adopted account feature detection and judgment conditions can be the same or different for different feature reconstruction modes. For the fused reconstruction account number characteristics obtained by performing the first coding reconstruction based on the fused original characteristics, a first account number characteristic detection judgment condition can be adopted; aiming at the reconstructed account number characteristics of the payer, which are obtained by performing first coding reconstruction only by adopting the original account number characteristics of the payer account number, a second account number characteristic detection judgment condition can be adopted; for the reconstruction account number characteristics of the payee obtained by performing the first encoding reconstruction only by using the original account number characteristics of the payee account number, a third account number characteristic detection judgment condition can be adopted. Wherein, each different account characteristic detection judgment condition is adaptively set in combination with the specific form of the actual account characteristic reconstruction difference.
In this embodiment, the server obtains the difference between the original characteristic and the reconstructed characteristic by performing encoding reconstruction on the original account characteristic, and performs security detection on the difference by adopting the account characteristic detection judgment condition, so that the accuracy of security detection of transaction data can be improved.
In one embodiment, the at least two user accounts include a resource roll-out account and a resource roll-in account in the transaction event; each original account number feature comprises an original outturn account number feature belonging to the resource outturn account number and an original transfer account number feature belonging to the resource transfer account number; performing first coding reconstruction on each original account feature to obtain reconstructed account features, including: and respectively carrying out coding reconstruction on the original transfer-out account characteristics and the original transfer-in account characteristics to obtain reconstructed transfer-out account characteristics and reconstructed transfer-in account characteristics.
The resource transfer-out account number refers to an account number held by a resource transfer-out party in a transaction event, namely a payment party account number; the resource transfer account number refers to an account number held by a resource transfer party in a transaction event, namely a payee account number. In the transaction scene of resource transfer, at least two user accounts can only comprise one resource transfer-out account and one resource transfer-in account; multiple resource outbound accounts and multiple resource inbound accounts may also be included, and the number, type, etc. of the specific resource outbound accounts and resource inbound accounts may be determined by the specific transaction scenario. The original roll-out account feature may be a feature corresponding to the resource roll-out account, that is, a feature corresponding to the payer account, where the feature corresponding to the payer account may include an account attribute feature of the payer account, a historical transaction feature of the payer account, and a current transaction feature of the payer account in the current transaction event; the original transfer-in account feature may be a feature corresponding to the resource transfer-in account, that is, a feature corresponding to the payee account, and the feature corresponding to the payee account may include an account attribute feature of the payee account, a historical transaction feature of the payee account, a current transaction feature of the payee account in the current transaction event, and the like. The reconstructed outturned account feature may be a feature obtained by encoding and reconstructing the original outturned account by a pointer, and the reconstructed outturned account feature may be a feature obtained by encoding and reconstructing the original outturned account. When the original roll-out account feature and the original roll-in account feature are subjected to feature reconstruction, different feature reconstruction models can be adopted to be unfolded, so that the roll-in account feature and the roll-out account feature can be subjected to feature reconstruction respectively in different feature dimensions.
Specifically, the server may perform encoding reconstruction based on the original transfer-out account characteristics of the resource transfer-out account in the user account, obtain reconstructed transfer-out account characteristics, and perform encoding reconstruction based on the original transfer-in account characteristics of the resource transfer-in account in the user account, and obtain reconstructed transfer-in account characteristics. In one particular application, as shown in FIG. 5, the overlapping features that exist between the original roll-out account feature 502 and the original roll-in account feature 504 are transaction pair features. When the server performs coding reconstruction based on the original roll-out account characteristics of the resource roll-out account, the server can directly select the original roll-out account characteristics 502 to perform coding reconstruction, namely the selected original roll-out account characteristics for coding reconstruction comprise transaction pair characteristics overlapped with the original roll-in account characteristics. When the server performs coding reconstruction based on the original transfer-in account feature of the resource transfer-out account, the server can directly select the original transfer-in account feature 504 to perform coding reconstruction, that is, the selected original transfer-in account feature for coding reconstruction includes a transaction pair feature overlapped with the original transfer-out account feature. By carrying out feature reconstruction in the feature selection mode shown in fig. 5, more comprehensive feature coverage can be carried out aiming at the resource transfer-out party and the resource transfer-in party respectively, and the coding reconstruction precision is effectively improved.
In one specific application, as shown in fig. 6, the transaction pair characteristics of the original roll-out account feature and the original roll-in account feature are removed by processing the original roll-out account feature and the original roll-in account feature, respectively, to obtain a screened original roll-out account feature 602 and a screened original roll-in account feature 604. Wherein, the original roll-out account feature 602 is selected to include only the unique features of the resource roll-out account, and the original roll-in account feature 604 is selected to include only the unique features of the resource roll-in account. When the server performs coding reconstruction based on the original outturn account characteristics of the resource outturn account, the server can select and screen the original outturn account characteristics 602 to perform coding reconstruction, that is, the selected original outturn account characteristics for coding reconstruction only comprise unique characteristics of the resource outturn account. When the server performs coding reconstruction based on the original transfer-in account feature of the resource transfer-out account, the server can select and screen the original transfer-in account feature 604 to perform coding reconstruction, that is, the selected original transfer-in account feature for coding reconstruction only comprises unique features of the resource transfer-in account. Based on the unique characteristics of the resource transfer account and the unique characteristics of the resource transfer account, the encoding reconstruction is respectively carried out, so that reconstruction errors caused by data intersection can be reduced to the greatest extent, and the accuracy of transaction data security detection is improved.
Further, based on account feature detection judgment conditions, account feature safety detection is performed for account feature reconstruction differences between reconstructed account features and original account features, so as to obtain a first detection result, including: based on account feature detection judgment conditions, respectively carrying out account feature safety detection on reconstructed outgoing account features and reconstructed incoming account features to obtain outgoing account feature detection results and incoming account feature detection results; and obtaining a first detection result according to the transfer-out account characteristic detection result and the transfer-in account characteristic detection result.
In the transaction application of resource transfer, the detection result of the characteristics of the transfer account number can be obtained by carrying out the safety detection of the characteristics of the account number based on the reconstruction of the characteristics of the transfer account number, namely the safety detection result aiming at the account number of the paying party; the account number feature detection result can be a detection result obtained by performing account number feature security detection based on reconstructing the account number feature of the transfer account, namely a security detection result aiming at the account number of the payee. The account feature detection determination conditions used in the account feature security detection for the payer account and the feature security detection for the payee account may be the same or different. When the account feature detection and determination conditions of the payer account and the account feature detection and determination conditions of the payee account are different, the payer account may correspond to the first account feature detection and determination condition, and the payee account may correspond to the second account feature detection and determination condition.
Specifically, the server may perform account feature security detection for the reconstructed outgoing account feature based on an account feature detection determination condition to obtain an outgoing account feature detection result, and perform account feature security detection for the reconstructed incoming account feature based on an account feature detection determination condition to obtain an incoming account feature detection result, and obtain a first detection result according to the outgoing account feature detection result and the incoming account feature detection result. In a specific application, the account feature detection and judgment condition can be set based on an error threshold, and the size of the error threshold can be comprehensively determined by combining the service requirement, the performance index of anomaly detection and the like. For example, when the account feature reconstruction difference is greater than the error threshold, the account feature detection judgment condition is not met, otherwise the account feature detection judgment condition is met. The error threshold may be set to 0.3, if the account feature reconstruction difference determined by the server is 0.4, the account feature detection judgment condition is not satisfied, and at this time, the first detection result is a result indicating that transaction risk exists in the transaction data; if the account feature reconstruction difference determined by the server is 0.2, the account feature detection judgment condition is met, and the first detection result is a result indicating that transaction risk does not exist in the transaction data.
In one embodiment, as shown in fig. 7, a block flow diagram is provided for determining the first detection result. The transaction data may be generated by a transaction event triggered by a resource out account and a resource in account. For a resource out account, corresponding to the original out account characteristics; and for the resource transfer-in account, corresponding to the original transfer-in account characteristics. When the server performs coding reconstruction based on the original roll-out account feature and the original roll-in account feature, the original roll-out account feature and the original roll-in account feature can be obtained respectively in a mode shown in fig. 5. The server may also select the original roll-out account feature and the original roll-in account feature separately in the manner shown in fig. 6. When the server specifically obtains the original roll-out account number characteristics and the original roll-in account number characteristics, the server can be combined with the information quantity of the characteristics and adaptively select the security detection requirements of the transaction data. The server can respectively perform coding reconstruction based on the determined original roll-out account characteristics and the original roll-in account characteristics so as to obtain reconstructed roll-out account characteristics corresponding to the original roll-out account characteristics and reconstructed roll-in account characteristics corresponding to the original roll-in account characteristics. Further, the server may perform account feature security detection for the reconstructed outgoing account feature based on the account feature detection determination condition to obtain an outgoing account feature detection result, and perform account feature security detection for the reconstructed incoming account feature based on the account feature detection determination condition to obtain an incoming account feature detection result. The server may obtain the first detection result based on the out-account feature detection result and the in-account feature detection result by adopting a manner such as weighted summation, voting mechanism, and the like.
In this embodiment, the server performs encoding reconstruction on the original outturned account feature and the original turned account feature respectively to obtain a reconstructed outturned account feature and a reconstructed turned account feature, performs account feature security detection on the reconstructed outturned account feature and the reconstructed turned account feature respectively based on account feature detection determination conditions to obtain an outturned account feature detection result and a turned account feature detection result, and finally obtains a first detection result according to the outturned account feature detection result and the turned account feature detection result. By respectively carrying out coding reconstruction aiming at the characteristics of the resource transfer-in party and the resource transfer-out party, the characteristic masking caused by data intersection is reduced, and the accuracy of the safety detection of transaction data is improved.
In one embodiment, the encoding reconstruction is performed on the original outturn account feature and the original outturn account feature respectively to obtain a reconstructed outturn account feature and a reconstructed outturn account feature, which includes: inputting the original outturn account characteristics into an outturn account reconstruction model for carrying out outturn account characteristic coding reconstruction, and obtaining reconstructed outturn account characteristics output by the outturn account reconstruction model; and inputting the original account number turning features into a account number turning reconstruction model to carry out account number turning feature coding reconstruction, and obtaining reconstructed account number turning features output by the account number turning reconstruction model.
The roll-out account number reconstruction model can be a model for reconstructing feature codes of original roll-out account number features, the roll-in account number reconstruction model can be a model for reconstructing feature codes of original roll-in account number features, the roll-out account number reconstruction model and the roll-in account number reconstruction model can be models which are trained in advance and stored in a database of a server, and the roll-out account number features and the roll-in account number features can be directly obtained from the database when the roll-out account number features and the roll-in account number features are required to be reconstructed. In the process of feature reconstruction of the outgoing account reconstruction model and the incoming account reconstruction model, the original outgoing account features and the original incoming account features can be subjected to coding and decoding processing according to a coding mode learned in the model training process, such as dimension reduction, feature extraction, data reconstruction and the like, of the original account incoming features to obtain reconstructed incoming account features, and dimension reduction, feature extraction, data reconstruction and the like of the original account outgoing features to obtain reconstructed outgoing account features.
Specifically, the server may acquire a pre-trained outbound account reconstruction model and an outbound account reconstruction model, input the original outbound account features into the outbound account reconstruction model to reconstruct the outbound account feature codes, obtain reconstructed outbound account features, and input the original inbound account features into the inbound account reconstruction model to reconstruct the inbound account feature codes, thereby obtaining reconstructed inbound account features. In a specific application, the outbound account reconstruction model and the inbound account reconstruction model are trained models, and the server can pre-construct a corresponding account reconstruction model library for the resource inbound account and the resource outbound account based on the trained models. In the transaction application of resource transfer, when the server acquires the account reconstruction model, the server can identify the user account, determine the identification information of the user account, and when the user account is determined to be the resource transfer account, query the account reconstruction model library to obtain a transfer account reconstruction model matched with the resource transfer account.
In this embodiment, the server may perform the reconstruction of the outturn account feature code based on the outturn account reconstruction model to obtain the reconstructed outturn account feature, and perform the reconstruction of the outturn account feature code based on the outturn account reconstruction model to obtain the reconstructed outturn account feature output by the outturn account reconstruction model, and perform the encoding reconstruction by using the model, so that the accuracy and efficiency of the transaction data detection may be improved.
In one embodiment, the roll-out account reconstruction model is obtained by a first reconstruction model training step; the first reconstruction model training step includes: acquiring transaction data samples generated by triggering transaction events by at least two user account samples, and acquiring original roll-out account sample characteristics of resource roll-out account samples in the at least two user account samples based on the transaction data samples; carrying out the reconstruction of the characteristic codes of the outgoing account numbers on the original outgoing account number sample characteristics through a to-be-trained outgoing account number reconstruction model to obtain reconstructed outgoing account number sample characteristics; and according to the difference between the reconstructed outgoing account number sample characteristics and the original outgoing account number sample characteristics, updating the outgoing account number reconstruction model to be trained, and continuing training until training is finished, so as to obtain the outgoing account number reconstruction model.
The first reconstruction model is a neural network model for training to obtain a roll-out account reconstruction model, and the first reconstruction model can be specifically a self-encoder, a sparse self-encoder, a noise reduction self-encoder and encoders in a stacked self-encoder. The transaction data sample may be data generated by triggering transaction events during a historical time period, the transaction data sample may be used to describe historical transaction events triggered between user accounts during the historical time period, and the transaction data sample may include various types of data related to transactions. The resource roll-out account number sample may be an account number held by a resource roll-out party in a historical transaction event. Reconstructing the sample characteristics of the outgoing account number can be the characteristics obtained by extracting key characteristics from the original sample characteristics of the outgoing account number and adopting the extracted key characteristics to reconstruct the characteristics. In the training process of the to-be-trained outgoing account reconstruction model, valuable information in original outgoing account sample characteristics can be learned, wherein the valuable information can comprise effective characteristic categories, structures, probability distribution and the like in the original outgoing account sample characteristics. The difference between the reconstructed outgoing account number sample characteristics and the original outgoing account number sample characteristics may be a loss function value in a training process, and a loss function adopted in the training process may include reconstruction loss, regularization loss, and the like.
Specifically, the server may obtain an original roll-out account number sample feature of the resource roll-out account number sample from the transaction data sample, reconstruct the roll-out account number feature code of the original roll-out account number sample feature through a roll-out account number reconstruction model to be trained, obtain a reconstructed roll-out account number sample feature, update the roll-out account number reconstruction model to be trained according to the difference between the reconstructed roll-out account number sample feature and the original roll-out account number sample feature, and continue training until training is completed, thereby obtaining the roll-out account number reconstruction model. In particular implementations, the server, upon determining the transaction data samples, may select the transaction data samples to include samples that are at risk for the transaction, or may include samples that are not at risk for the transaction. In the transaction application of actual resource transfer, the situation that the number of samples without transaction risk is greater than the number of samples with transaction risk can occur, and the transaction data samples selected by the server can be samples without transaction risk generated by triggering historical transaction events through at least two user account samples in a historical time period. In the process of carrying out model training on a to-be-trained roll-out account reconstruction model based on a transaction data sample, the roll-out account reconstruction model to be trained learns the characteristics of transaction data without transaction risk, and subsequently when the trained roll-out account reconstruction model is adopted for carrying out characteristic reconstruction, the situation that the reconstructed characteristics and the input characteristics have larger difference is presented if the transaction data currently subjected to real-time safety detection are the data with the transaction risk because the account reconstruction model learns the characteristics of the transaction data without the transaction risk.
In a specific application, when the server obtains the original roll-out account sample characteristics of the resource roll-out account sample based on the transaction data sample, the server can remove the characteristics associated with the resource roll-out account sample from the original roll-out account sample characteristics of the resource roll-out account sample, only retains the unique original roll-out account sample characteristics of the resource roll-out account sample, and trains the roll-out account reconstruction model to be trained through the unique original roll-out account sample characteristics, so that the problem of characteristic coverage caused by data intersection can be avoided, and training precision is improved. The server can directly train the outgoing account reconstruction model to be trained based on the original outgoing account sample characteristics of the resource outgoing account sample without performing characteristic removal processing, so that the sample characteristics for model training are more comprehensive, and the problem of important characteristic missing can be effectively avoided.
In one embodiment, the server chooses to train the roll-out account reconstruction model using a self-encoder. The self-encoder learns and captures main characteristics and modes of sample data in combination with training characteristics of the self-encoder, and larger reconstruction difference exists when the types of the original roll-out account number characteristics are inconsistent with the types of the original roll-out account number sample characteristics used in the self-encoder training. For example, the transaction data sample used by the self-encoder during training belongs to a sample without transaction risk, and in a scene of actually performing transaction data security detection, if the original account number features are features extracted from the transaction data without transaction risk, the feature difference between the reconstructed account number features and the original account number features is smaller; if the original account number features are features extracted from transaction data with transaction risk, the feature difference between the reconstructed account number features and the original account number features will be larger. For another example, the sample data used by the self-encoder during training belongs to sample data with transaction risk, and if the original account number features are features extracted from transaction data without transaction risk, the feature difference between the reconstructed account number features and the original account number features is larger; if the original account number features are also features extracted from transaction data with transaction risk, the feature difference between the reconstructed account number features and the original account number features will be small.
In this embodiment, the server trains to obtain the outbound account reconstruction model based on the original outbound account sample characteristics of the resource outbound account sample, and performs security detection based on the pre-trained model, so that security detection efficiency and accuracy of transaction data can be improved.
In one embodiment, obtaining an original roll-out account sample feature of a resource roll-out account sample in at least two user account samples based on a transaction data sample includes: based on the transaction data samples, obtaining account sample data of resource transfer-out account samples in at least two user account samples; screening data features of the account sample data to obtain screened account sample data; and constructing original roll-out account sample characteristics of the resource roll-out account sample based on the screened account sample data.
The account sample data may include various data related to the resource outgoing account sample, for example, the account sample data may include account sample attribute data of the resource outgoing account sample, account sample transaction data, related information of the resource outgoing account sample related to the account sample, and the like, and the account sample attribute data may include registration duration, location, social relationship, and the like of the resource outgoing account. The account sample transaction data can comprise a resource transfer-in condition and a resource transfer-out condition of a resource transfer-out account; the related information of the resource transfer-in account sample related to the resource transfer-out account sample can comprise the number of common friends of the resource transfer-in account and the duration of the friends. The data feature screening can be used for screening features in the account book sample data to obtain data with remarkable information quantity and good stability.
Specifically, the server may obtain account number sample data of the resource transfer-out account number sample from the transaction data sample, perform data feature screening on the account number sample data, obtain screened account number sample data, and construct an original transfer-out account number sample feature of the resource transfer-out account number sample based on the screened account number sample data. In the specific implementation, when the server performs data feature screening on account sample data, screening processing such as denoising and information value calculation can be performed on the account sample data, and account sample data after the screening processing is obtained.
In this embodiment, the server performs data feature screening on account sample data to obtain screened account sample data, and constructs original roll-out account sample features based on the screened account sample data, so that accuracy of model training can be effectively improved.
In one embodiment, the transformed account reconstruction model is obtained through a second modeling type training step; the second modeling type training step comprises the following steps: acquiring transaction data samples generated by triggering transaction events by at least two user account samples, and acquiring original account transfer sample characteristics of resource account transfer samples in the at least two user account samples based on the transaction data samples; carrying out transfer-in account number feature coding reconstruction on original transfer-in account number sample features through a transfer-in account number reconstruction model to be trained to obtain reconstructed transfer-in account number sample features; and according to the difference between the reconstructed account number sample characteristics and the original account number sample characteristics, updating the account number reconstruction model to be trained, and continuing training until the training is finished, so as to obtain the account number reconstruction model.
The second reconstruction model is a neural network model used for training to obtain a turned-into account reconstruction model, and the second reconstruction model can be specifically a self-encoder, a sparse self-encoder, a noise reduction self-encoder and encoders in a stacked self-encoder. The resource transfer-in account number sample may be an account number held by a resource transfer-in party in a historical transaction event. The reconstructed account number sample feature may be a feature obtained by extracting a key feature from the original account number sample feature and performing feature reconstruction by using the extracted key feature. In the training process of the to-be-trained transfer-in account number reconstruction model, valuable information in original transfer-in account number sample characteristics can be learned, wherein the valuable information can comprise effective characteristic types, structures, probability distribution and the like in the original transfer-in account number sample characteristics. The difference between the reconstructed account number sample characteristics and the original account number sample characteristics may be a loss function value in the training process, and the loss function adopted in the training process may include reconstruction loss, regularization loss, and the like.
Specifically, the server may obtain an original account number sample feature of the resource account number sample from the transaction data sample, reconstruct the account number feature code of the original account number sample feature through the account number reconstruction model to be trained, obtain a reconstructed account number sample feature, update the account number reconstruction model to be trained according to the difference between the reconstructed account number sample feature and the original account number sample feature, and then continue training until training is completed, so as to obtain the account number reconstruction model.
In a specific application, when the server obtains the original transfer-in account number sample characteristics of the resource transfer-in account number sample based on the transaction data sample, the server can remove the characteristics associated with the resource transfer-out account number sample from the original transfer-in account number sample characteristics of the resource transfer-in account number sample, only the unique original transfer-in account number sample characteristics of the resource transfer-in account number sample are reserved, and the transfer-in account number reconstruction model to be trained is trained through the unique original transfer-in account number sample characteristics, so that the problem of characteristic coverage caused by data intersection can be avoided, and the training precision is improved. The server can directly train the to-be-trained transfer-in account reconstruction model based on the original transfer-in account sample characteristics of the resource transfer-in account sample without performing characteristic removal processing, so that the sample characteristics for model training are more comprehensive, and the problem of important characteristic missing can be effectively avoided.
In this embodiment, the server trains to obtain the account number reconstruction model by using the original account number sample characteristics of the account number sample based on the resource account number, and performs security detection based on the pre-trained model, so that the security detection efficiency and accuracy of the transaction data can be improved.
In one embodiment, based on account feature detection determination conditions, account feature security detection is performed for reconstructed outgoing account features and reconstructed incoming account features, respectively, to obtain outgoing account feature detection results and incoming account feature detection results, including: determining a roll-out account feature reconstruction difference between the reconstructed roll-out account feature and the original roll-out account feature; determining a transfer-in account feature reconstruction difference between the reconstruction transfer-in account feature and the original transfer-in account feature; based on account feature detection judgment conditions, account feature safety detection is respectively carried out on the outgoing account feature reconstruction difference and the incoming account feature reconstruction difference, and an outgoing account feature detection result and an incoming account feature detection result are obtained.
The change-in account feature reconstruction difference may be a parameter for characterizing a difference between the reconstructed change-in account feature and the original change-in account feature, and the change-in account feature reconstruction difference may be a parameter for characterizing a difference between the reconstructed change-in account feature and the original change-in account feature.
Specifically, the server may determine, for the resource outgoing account, a outgoing account feature reconstruction difference based on the reconstructed outgoing account feature and the original outgoing account feature, determine, for the resource outgoing account, a incoming account feature reconstruction difference based on the reconstructed incoming account feature and the original incoming account feature, and perform account feature security detection on the outgoing account feature reconstruction difference and the incoming account feature reconstruction difference based on an account feature detection determination condition, to obtain an outgoing account feature detection result and an incoming account feature detection result. In the specific implementation, when the server calculates the feature reconstruction difference of the roll-out account number and the feature reconstruction difference of the roll-in account number, the same calculation mode can be adopted, for example, the feature reconstruction difference of the roll-out account number and the feature reconstruction difference of the roll-in account number are obtained through calculating feature distances, or the feature reconstruction difference of the roll-out account number and the feature reconstruction difference of the roll-in account number are obtained through calculating feature similarity. When the server calculates the feature reconstruction difference of the transfer-out account number and the feature reconstruction difference of the transfer-in account number, different calculation modes can be adopted, such as obtaining the feature reconstruction difference of the transfer-out account number through calculating the feature distance and obtaining the feature reconstruction difference of the transfer-in account number through calculating the feature error. When the outgoing account feature reconstruction difference and the incoming account feature reconstruction difference are determined by adopting the same calculation mode, the selected account feature detection judgment conditions can be judgment conditions set based on the same type of parameters. When the outgoing account characteristic reconstruction difference and the incoming account characteristic reconstruction difference are determined by adopting different calculation modes, the selected account characteristic detection judgment conditions are judgment conditions set on the basis of different types of parameters.
In this embodiment, the server calculates corresponding account feature reconstruction differences for the resource outgoing account and the resource incoming account, and uses account feature detection determination conditions to perform account feature security detection for the outgoing account feature reconstruction differences and the incoming account feature reconstruction differences, respectively, so as to obtain an outgoing account feature detection result and an incoming account feature detection result. By respectively carrying out account characteristic security detection on the resource transfer-out account and the resource transfer-in account, the security detection precision of transaction data can be improved.
In one embodiment, based on account feature detection determination conditions, account feature security detection is performed for a roll-out account feature reconstruction difference and a roll-in account feature reconstruction difference, respectively, to obtain a roll-out account feature detection result and a roll-in account feature detection result, including: determining a detection and judgment condition of the characteristics of the account number to be transferred and a detection and judgment condition of the characteristics of the account number to be transferred; obtaining a detection result of the characteristics of the outgoing account according to the comparison result of the reconstruction difference of the characteristics of the outgoing account and the detection judgment condition of the characteristics of the outgoing account; and obtaining a transfer account feature detection result according to the comparison result of the transfer account feature reconstruction difference and the transfer account feature detection judgment condition.
The account feature detection judgment condition may be a judgment condition for performing account feature security detection on the outgoing account feature reconstruction difference, and the incoming account feature detection judgment condition may be a judgment condition for performing account feature security detection on the incoming account feature reconstruction difference. The transfer-out account feature detection result can be determined by comparing the transfer-out account feature reconstruction difference by adopting the transfer-out account feature detection judgment condition, and the transfer-in account feature detection result can be determined by comparing the transfer-in account feature reconstruction difference by adopting the transfer-in account feature detection judgment condition. Specifically, the server may determine a roll-out account feature detection determination condition for the roll-out account feature reconstruction difference, determine a roll-in account feature detection determination condition for the roll-in account feature reconstruction difference, obtain a roll-out account feature detection result based on a comparison result of the roll-out account feature reconstruction difference and the roll-out account feature detection determination condition, and obtain a roll-in account feature detection result based on a comparison result of the roll-in account feature reconstruction difference and the roll-in account feature detection determination condition. In a specific implementation, the reconstruction difference of the characteristics of the outgoing account number may be a characteristic similarity between the reconstructed outgoing account number characteristics and the original outgoing account number characteristics, the detection and judgment condition of the outgoing account number characteristics may be a condition set based on a similarity threshold, the server may compare the characteristic similarity with the similarity threshold, and develop an account number characteristic security detection for reconstructing the outgoing account number characteristics to obtain an outgoing account number characteristic detection result. The reconstruction difference of the account number features can be a feature error between the reconstructed account number features and the original account number features, the detection and judgment condition of the account number features can be a condition set based on an error threshold, the server can compare the feature error with the error threshold, and the account number feature safety detection aiming at the reconstructed account number features is developed to obtain a detection result of the account number features. When the reconstruction difference of the roll-out account features is the calculated feature distance between the reconstructed roll-out account features and the original roll-out account features, the reconstruction difference of the roll-in account features is also the calculated feature distance between the reconstructed roll-in account features and the original roll-in account features, the roll-in account feature detection judgment conditions and the roll-out account feature detection judgment conditions can be conditions set based on error thresholds, the error thresholds of the roll-in account feature detection judgment conditions and the roll-out account feature detection judgment conditions can be different or the same, and the specific error thresholds can be set to be comprehensively evaluated in combination with actual data features, transaction scenes and the like.
In one embodiment, the second encoding reconstruction is performed on the features for the transaction with the feature association relationship between the features of each original account, and a second detection result is obtained on the features according to the reconstructed transaction obtained by reconstruction, including: determining transaction pair characteristics shared among the original account characteristics; performing second coding reconstruction on the transaction pair features to obtain reconstructed transaction pair features; and carrying out transaction pair feature safety detection on the transaction pair feature reconstruction difference between the reconstructed transaction pair feature and the transaction pair feature based on the transaction pair feature detection judgment condition to obtain a second detection result.
The transaction pair feature reconstruction difference refers to a feature difference between a reconstructed transaction pair feature and a transaction pair feature, and the transaction pair feature reconstruction difference specifically may include similarity, distance, error and the like between the reconstructed transaction pair feature and the transaction pair feature. The transaction-to-feature detection determination condition may be a condition for determining a transaction-to-feature reconstruction difference, the transaction-to-feature security detection may refer to a process of determining the transaction-to-feature reconstruction difference based on the transaction-to-feature detection determination condition, and the transaction-to-feature reconstruction difference may be processed by the transaction-to-feature detection determination condition to determine the second detection result. The second detection result may include a result indicating that the transaction data does not have a transaction risk, and may also include a result indicating that the transaction data has a transaction risk. When the transaction-to-feature detection determination condition is set, the transaction-to-feature detection determination condition may be set based on an error threshold value, a similarity threshold value, a distance threshold value, and the like between features, and the actual transaction-to-feature detection determination condition may be adaptively set according to a specific form in which the feature reconstruction difference is easy to be performed.
Specifically, the server may perform transaction-to-feature security detection on the transaction-to-feature reconstruction difference based on a preset transaction-to-feature detection determination condition, where the transaction-to-feature reconstruction difference is a feature difference between a reconstructed transaction-to-feature and a transaction-to-feature, and determine the transaction-to-feature reconstruction difference by the transaction-to-feature detection determination condition, to determine the second detection result. In one specific application, the transaction pair feature detection determination condition may be set based on a distance threshold, and the magnitude of the distance threshold may be comprehensively determined in combination with a service requirement, a performance index of anomaly detection, and the like. For example, it is set that when the transaction-to-feature reconstruction difference is greater than the distance threshold, it means that the transaction-to-feature detection determination condition is not satisfied, otherwise it means that the transaction-to-feature detection determination condition is satisfied. The distance threshold may be set to 0.1, if the difference of the transaction pair characteristic reconstruction determined by the server is 0.2, the difference of the transaction pair characteristic reconstruction is not satisfied, and the second detection result is a result indicating that the transaction data has transaction risk; if the account number feature reconstruction difference determined by the server is 0.09, the fact that the feature detection judgment condition of the transaction is met is indicated, and at the moment, the second detection result is a result indicating that transaction risk does not exist in the transaction data.
In this embodiment, the server performs the transaction pair feature security detection for the transaction pair feature reconstruction difference based on a preset transaction pair feature detection and determination condition, where the transaction pair feature reconstruction difference is a feature difference between the reconstructed transaction pair feature and the transaction pair feature, and determines the transaction pair feature reconstruction difference by the transaction pair feature detection and determination condition, so as to determine the second detection result. By carrying out coding reconstruction on the characteristics aiming at the transaction with the association relationship, the representativeness of the data is improved, and the accuracy of the security detection of the transaction data can be improved to a certain extent.
In one embodiment, the second encoding reconstruction is implemented on a transaction-based reconstruction model; the transaction pair reconstruction model is obtained through a third modeling training step; the third modeling training step includes: acquiring transaction data samples generated by triggering transaction events by at least two user account samples, and acquiring original transfer-out account sample characteristics of resource transfer-out account samples and original transfer-in account sample characteristics of the resource transfer-in account samples in the at least two user account samples based on the transaction data samples; carrying out transaction pair feature reconstruction on the transaction pair sample features shared between the original transfer-out account number sample features and the original transfer-in account number sample features through a transaction pair reconstruction model to be trained to obtain transaction pair reconstructed sample features; and according to the difference between the reconstructed sample characteristics and the transaction pair sample characteristics, updating the reconstructed model of the transaction pair to be trained, and continuing training until training is finished, so as to obtain the reconstructed model of the transaction pair.
The third reconstruction model is a neural network model for training to obtain a transaction pair reconstruction model, and the third reconstruction model can be specifically a self-encoder, a sparse self-encoder, a noise reduction self-encoder and an encoder in a stacked self-encoder. The transaction pair sample characteristics can be selected characteristics which have association relations with the original outgoing account sample characteristics and the original incoming account sample characteristics from the original outgoing account sample characteristics of the resource outgoing account sample and the original incoming account sample characteristics of the resource incoming account sample. The transaction may reconstruct sample features by extracting key features from the sample features of the transaction and performing feature reconstruction using the extracted key features. In training the reconstruction model for the transaction to be trained, valuable information in the transaction-versus-sample feature may be learned, where the valuable information may include feature categories, structures, probability distributions, etc. that are valid in the transaction-versus-sample feature. The difference between the transaction pair reconstructed sample characteristic and the transaction pair sample characteristic may be a loss function value in a training process, and the loss function adopted in the training process may include reconstruction loss, regularization loss, and the like.
Specifically, the server may obtain the transaction pair sample characteristics from the transaction data sample, and reconstruct the transaction pair sample characteristics by performing transaction pair characteristic encoding on the transaction pair sample characteristics through the transaction pair reconstruction model to be trained, so as to obtain transaction pair reconstruction sample characteristics, and continuously train after updating the transaction pair reconstruction model to be trained according to the difference between the transaction pair reconstruction sample characteristics and the transaction pair sample characteristics, until the training is finished, so as to obtain the transaction pair reconstruction model.
In this embodiment, the server trains the original transaction pair sample characteristics based on the transaction pair samples to obtain a transaction pair reconstruction model, and performs security detection based on the pre-trained model, so that security detection efficiency and accuracy of transaction data can be improved.
In one embodiment, obtaining a security detection result for transaction data based on the first detection result and the second detection result includes: determining weighting parameters for the first detection result and the second detection result; and carrying out weighted fusion on the first detection result and the second detection result according to the weighted parameter to obtain a safety detection result aiming at the transaction data.
The weighting parameter may be a coefficient weight given to the first detection result and the second detection result, and the representativeness of the data may be enhanced by setting the coefficient weight. The coefficient weights of the first detection result and the second detection result may be the same or different, and when the coefficient weights are set, the transaction data types to be actually subjected to security detection, and various influencing factors such as the influence degree of the first detection result and the second detection result on the security detection result, and the like, may be combined for adaptively setting. The weighted fusion can be a data fusion mode, and the first detection result and the second detection result can be integrated based on the weighted parameter through the weighted fusion, so that a more accurate and reliable safety detection result can be obtained.
Specifically, the server may determine a weighting parameter for the first detection result and a weighting parameter for the second detection result based on the determined first detection result and second detection result, respectively, and perform weighted fusion on the first detection result and the second detection result according to the weighting parameter of the first detection result and the weighting parameter of the second detection result, to obtain a security detection result for the transaction data. In one specific application, different weight parameters are set for the first sample detection result and the second sample detection result. The first sample detection result corresponds to a first weight, the second sample detection result corresponds to a second weight, and the first weight and the second weight are different. When the first weight and the second weight are different, it may be indicated that the first detection result and the second detection result have relatively more important results, for example, the first weight is 0.6, the second weight is 0.4, which indicates that the first detection result is more important than the second detection result, or the first weight is 0.3, and the second weight is 0.7, which indicates that the second detection result is more important than the first detection result. The server may perform weighted fusion on the first detection result and the first weight corresponding to the first detection result, and perform weighted fusion on the second detection result and the second weight corresponding to the second detection result, so as to obtain a security detection result for the transaction data.
In this embodiment, when the security detection result is determined, the weighting parameters based on the first detection result and the second detection result are used for weighting and fusing, so that the finally obtained security detection result is more accurate and reliable, and the accuracy of transaction data security detection is increased.
In one embodiment, obtaining raw account characteristics for each of at least two user accounts based on transaction data includes: determining account identifiers of at least two user accounts respectively based on transaction data; inquiring historical transaction data and account attribute data of each of at least two user accounts according to the account identification; and respectively constructing and obtaining the original account characteristics of each of the at least two user accounts based on the transaction data, the historical transaction data and the account attribute data of each of the at least two user accounts.
The account identifier may be an identifier for distinguishing the user account, the account identifier may be recorded in transaction data generated by the user account, the account identifier may include a nickname, an ID (Identity document, a proprietary number), and the like, and the data of the corresponding user account may be queried through the user identifier. The historical transaction data can be data generated by triggering a historical transaction event by the user account in a historical time period except the current transaction, and the historical transaction data can comprise historical transaction time, historical resource transfer-in condition, historical resource transfer-out condition and the like of the user account. The account attribute data may include various data related to the account, and the account attribute data may include any information that may describe the user account, such as registration information of the user account itself, device information, network information, and the like.
Specifically, the server may determine an account identifier of each user account based on the transaction data, and query historical transaction data and account attribute data corresponding to each user account based on the account identifier of each user account, and construct original account features of each of the at least two user accounts based on the transaction data, the historical transaction data and the account attribute data of each of the at least two user accounts. In specific implementation, the server may obtain account identifiers for each user account from the transaction data based on the transaction data, query a pre-stored data feature library based on the account identifiers, and obtain historical transaction data and account attribute data matched with the account identifiers from the data feature library.
In a specific application, when the server constructs the original account characteristics of each of the user account 1 and the user account 2, the server may divide the original account characteristics into three types of data based on transaction data, historical transaction data and account attribute data of each of the user account 1 and the user account 2, for example, the transaction data, the historical transaction data and account attribute data of each of the user account 1 and the user account 2 may be divided into three types of data, the three types of data may include data unique to the user account 1, data unique to the user account 2, and data associated with each of the user account 1 and the user account 2, where the unique data may include device identifiers and registration durations corresponding to the user account 1 and the user account 2, and the data associated with each of the user account 1 and the user account 2 may include the number of friends, the added friends, the current transaction time, the historical transaction frequency, and the like. In the model training process, three neural network models can be adopted to respectively develop and train three types of data, and by setting three loss functions, the characteristic can be prevented from being covered, and the prediction precision is improved. When the server constructs the original account characteristics of the user account 1 and the user account 2, only two types of data can be determined, for example, the original account characteristics of the user account 1 and the user account 2 are used as one type of data, the common account characteristics which have association relation with the user account 1 and the user account 2 are used as one type of data, and in the model training process, two neural network models can be adopted to respectively develop training for the two types of data, so that training can be developed based on more complete account characteristics, and the prediction precision can be improved.
In this embodiment, the server respectively constructs and obtains the respective original account characteristics of the at least two user accounts through the transaction data, the respective historical transaction data and the account attribute data of the at least two user accounts, so that the security detection precision of the transaction data can be improved.
In one embodiment, the transaction data security detection method further comprises: and when the security detection result indicates that transaction risk exists in the transaction data, carrying out transaction security maintenance processing on the transaction data.
Specifically, the server may perform transaction security maintenance processing for the transaction data when determining that the transaction data has transaction risk. Wherein conducting transaction security maintenance processing with respect to the transaction data may include intercepting the transaction data, thereby preventing the transaction from occurring. The transaction security maintenance processing for the transaction data can also comprise reminding the user of the resource transfer-out account, so that the user realizes that the transaction risk exists when the transaction is performed, and the transaction is prevented, wherein when reminding the user of the resource transfer-out account, early warning information can be sent in a mode of sending a mail to a mail address associated with a pre-stored resource transfer-out account, or sending a short message to a telephone number associated with the pre-stored resource transfer-out account, and the like, so that related personnel can be prompted.
In this embodiment, when the security detection result indicates that the transaction data has transaction risk, interception, reminding, and the like are performed on the transaction data, so that the user can be deceptively and fund loss can be reduced to a certain extent.
The application also provides an application scene, which applies the transaction data security detection method. Specifically, the application of the transaction data security detection method in the application scene is as follows:
with the development of computer technology, cashless transaction methods have thoroughly changed our lives. Social payments based on third party paymate are widely used in various areas of life. In a transaction application of resource transfer, social payments may include personal payments including, but not limited to, friend transfers, swipe transfers, etc., to individual users or merchants. However, as the payment services of third party paytables continue to expand and go deep, blackout activities become more active, wherein social payment fraud, which may refer to fraud molecules inducing users to pay in a third party platform based social payment scenario, has a particularly serious impact on the payment services of third party paytables. Fraud not only causes significant loss to the user, affecting the user's confidence in the payment of the third party paymate, but may also cause regulatory authorities to supervise and punish.
In the field of third party paymate-based payments, fraud detection and handling is essentially an anomaly detection problem of extreme sample imbalance, i.e., a classification problem. Current anomaly detection relies primarily on supervision, i.e., tagged models and methods, such as logistic regression models (LR, logistic Regression) and integrated tree models (XGBoost). In some cases, it is also possible to use more complex deep learning models. However, in the field of fraud detection, tagged data is often scarce and the collection and labeling process is time consuming and expensive. Furthermore, the obtained tag data may have the problem of being impure, i.e. the tag may be inaccurate or noisy, which will affect the performance and generalization ability of the model. In contrast, unsupervised algorithms do not rely on tag data and therefore have certain advantages in dealing with such problems of fraud detection. The non-supervision learning method mainly identifies potential abnormal modes according to the distribution and the structure of the data, so that the influence caused by the problem of label uncleanness is avoided. In addition, the unsupervised algorithm has better expansibility when processing a large amount of unlabeled data, and can detect fraud in a wider scene.
Currently, fraud detection mainly employs policies based on rule combinations and models and methods that rely on supervised algorithms, i.e. labeled. The rule combination based strategy first discovers suspicious features by analyzing fraudulent cases and then derives an effective feature rule combination based on business experience or decision tree models. If a transaction meets the combination of rules, then the transaction is considered to be at risk of fraud. On the other hand, supervised model methods, such as logistic regression models and integrated tree models, assess transaction risk by constructing a transaction scoring card model. If the model score of a transaction is high, this indicates that the transaction is at a high level of fraud risk. In some cases, more complex deep learning models, such as neural networks, may also be employed. However, due to the high complexity of these models, they are typically calculated and analyzed in an off-line manner.
The current fraud detection has the following problems: the strategy stability of rule combination is poor and easy to be over-fitted, the feature learned by the rule combination based on the decision tree is single, the feature threshold is easy to be over-fitted to the training sample, and the simple rule combination is easy to be attacked, broken through and bypassed by black products. For supervised model methods, in the field of fraud processing, tagged data is often scarce, and the collection and labeling process is time consuming and expensive; the tag data obtained at the same time may have the problem of being impure, i.e., the tag may be inaccurate or noisy, which will affect the performance and generalization ability of the model. The deep neural network is difficult to deploy on line, the real-time requirement on transaction detection in fraud processing is very high, the large-scale deep neural network is difficult to train, the calculation complexity of the evaluation stage is high and time-consuming, the real-time requirement cannot be met, and the storage requirement on a system is very high.
Based on this, the embodiment of the application provides a transaction data security detection method, which can be used for performing security detection on generated transaction data, such as detecting the suspicious nature of social payment based on a third party platform, so as to process suspicious fraudulent behaviors. By the transaction data security detection method provided by the embodiment of the application, the original account characteristics and transaction pair characteristics related to the user account can be reconstructed, the security detection result is determined, the suspicious degree of the transaction data can be effectively evaluated, and corresponding measures are taken for suspicious fraudulent activities. The transaction data security detection method provided by the embodiment of the application can improve the accuracy and stability of fraud detection and reduce the risk and loss faced by a platform and a user.
The transaction data security detection method provided by the embodiment of the application can be applied to the social payment fraud risk monitoring process based on the payment of the third-party platform, and effectively reduces the cheating risk and loss of the platform and the user. As shown in fig. 8, for the policy wind control platform of the transaction data security detection method provided by the embodiment of the application, based on the policy wind control platform, for each transaction paid based on the third party platform, the fraud risk of the transaction is detected by online deployment of the self-encoder model and the matched policy, and when the fact that the transaction has a higher fraud risk is identified, the policy wind control platform can perform operations such as reminding/interception on the user, so as to prevent the user from being cheated and lost in money. The strategy wind control platform can comprise three modules of offline deployment, wind control and payment platform, and in the offline deployment part, the strategy wind control platform can comprise a plurality of modules of feature engineering, self-encoder model training, model effect evaluation, cross-time verification, model scoring deployment and the like. In the wind control section, a wind control strategy and a storage system may be included. The method mainly comprises the steps of analyzing a large amount of data and cases, mining and screening high-saliency features to perform feature engineering, and inputting the mined high-saliency features into a self-encoder model for training. The self-encoder model training may be based on the input feature deployment model training. When model training is completed, the model effect evaluation and cross-time verification may perform effects evaluation and cross-time verification on the trained model, and the model scoring deployment 804 may perform model scoring on the trained model. Finally, the model scores are deployed into a storage system (CKV+TSSD) to facilitate policy use. In the wind control strategy, a corresponding matched strategy can be deployed. When a user transacts, the models in the storage system and the strategies deployed in the wind control strategies 805 monitor fraud risk of the transacts, and when the transaction is identified to have fraud risk, reminding/intercepting and other operations are performed on the user, so that the user is aware of the fraud risk of the transaction to prevent the transaction, and the cheating and fund loss of the user are reduced to a certain extent.
When the self-encoder is used for model training, a self-encoding model can be trained for the characteristics of the account of the payee, and a self-encoding model can be trained for the transaction pair characteristics with the association relationship between the account of the payee and the account of the payee, wherein the transaction pair characteristics can comprise friend adding duration, common friend number, same city or not and the like between the account of the payee and the account of the payee. In the fraud risk detection scene, the obtained transaction data to be detected can be respectively input into the three models, and the final detection result can be obtained by comprehensive evaluation according to the results of the three models. By training the characteristics of different dimensions by adopting three different models, three loss functions can be correspondingly set respectively, so that the condition that part of the characteristics are covered by strong characteristics is avoided, and the fraud risk detection precision can be effectively improved.
The description is developed by training a self-coding model, which involves acquisition of unbalanced sample data. Social payment fraud detection in third party platform based payments can be essentially considered an anomaly detection problem with extreme imbalance of positive and negative samples. Therefore, when the training sample is obtained, the training sample can be subjected to data preprocessing, and the data of the training set needs to be cleaned, so that the sample of normal transaction is mainly adopted as the training sample. In the field of social fraud, it is difficult to obtain more pure fraudulent samples, but obtaining pure normal transaction samples is relatively low in cost, because there are a large number of transactions that can be qualified as normal transactions. Thus, the training set data uses samples of normal transactions so that features of normal transaction samples can be better learned during model training. The training phase includes a training set and a test set. In the data of the test set, a data set containing both positive and negative samples can be used to evaluate the performance of the trained model. A small number of clean fraud samples and a proportion of samples of normal transactions are used here.
In anomaly detection, the self-encoder can be used as an unsupervised learning method to find anomalies in the data. A self-encoder is a neural network whose goal is to learn to encode input data into a low-dimensional potential space and then reconstruct the input from the low-dimensional representation. During training, the main features and patterns in the captured data are learned from the encoder. Since outliers typically differ significantly from normal data points, the self-encoder may generate high reconstruction errors when reconstructing outliers. As shown in fig. 9, a flowchart of anomaly detection using a self-encoder is shown, where fig. 9 may include data preparation 902, constructing a self-encoding network structure 904, training the self-encoder 906, setting a prediction threshold 908, and anomaly detection 910. Wherein, in a data preparation 902 portion, a training set test set may be obtained, wherein the training set uses samples of normal transactions. The test set may use a data set that contains both positive and negative samples to evaluate the performance of the trained model. The self-encoding network structure 904 is built, mainly as a self-encoder network structure, which is composed of an encoder and a decoder. The encoder is responsible for compressing the input data into the potential space, while the decoder maps the representation of the potential space back into the original data space, enabling the self-encoder to learn a low-dimensional representation of the data and capture patterns in the data by reconstructing the input data.
As shown in fig. 10, the network structure of the self-encoder used in the embodiment of the present application is generally divided into three main parts: input layer, encoder, intermediate layer, decoder and output layer. Raw data is received as input from an input layer of an encoder. The number of nodes of the input layer corresponds to the characteristic dimension of the data. The encoder compresses the input data into a low-dimensional potential representation, also referred to as an encoding or concealment layer. The intermediate layer is used to connect the encoder and decoder. An encoder is typically composed of a series of hidden layers, each of which contains a plurality of neurons. The node number of the hidden layer is gradually reduced, and finally the dimension of the code is achieved. The goal of the encoder is to learn a compact representation of the data, extracting key features in the data. The decoder maps the potential representation back into the original data space and attempts to reconstruct the original input data, outputting the reconstructed original input data through the output layer. The decoder has a structure opposite to that of the encoder, and comprises a plurality of hidden layers, and the node number of each layer is gradually increased. The final output layer should have the same number of nodes as the input layer to reconstruct the original data.
When the self-encoder network structure is constructed, the model structure can be flexibly designed by adjusting super parameters such as the number of network layers, the number of neurons of each layer, an activation function and the like so as to adapt to different data characteristics and abnormality detection tasks. In addition, regularization techniques such as Dropout (random inactivation) or L1/L2 regularization can be introduced to prevent overfitting and appropriate loss functions such as mean square error loss can be used to measure reconstruction errors.
The goal of the self-encoder is to minimize reconstruction errors between the input and reconstruction so that the self-encoder can learn a compressed representation of the data and reconstruct the input data. Training the self-encoder 906 mainly includes training portions of the self-encoder. In training the self-encoder, the training may be performed using samples of normal transactions in the training set. The aim is to learn the parameters from the encoder by minimizing the reconstruction error so that the difference between the input data and the reconstructed data is as small as possible. The objective function used here is the usual mean square error loss function. Wherein, the mean square error loss function is as follows:
wherein MSE may be a loss function value, which may refer to the difference between the input data and the reconstructed data, X i Is the actual input data, x i Is the reconstruction input, N is the number of samples in the test set. In the training process, the reconstruction error is transmitted back to the network from the output layer through a back-propagation algorithm, and the network parameters are adjusted according to a gradient descent optimization algorithm. Through multiple iterative training, the self-encoder gradually learns the low-dimensional representation and reconstruction capability of the data, thereby being capable of better capturing patterns and features in the data.
After the self-encoder training is completed, it can be determined whether the samples are abnormal by calculating a threshold value of the reconstruction error. In general, the outlier samples can generate large reconstruction errors during reconstruction because the self-encoder does not learn the intrinsic representation of the outlier data. In the set prediction threshold 908 section, a labeled test set may be used to select a prediction threshold. And selecting the most suitable threshold value by calculating the reconstruction error of the samples in the test set and observing the evaluation indexes such as accuracy, recall rate and the like under different threshold values. It should be noted that the choice of threshold is critical to the performance of anomaly detection. Too high a threshold may lead to false positives, such as failure to detect a truly abnormal sample, while too low a threshold may lead to false positives, such as false marking of a normal sample as abnormal). Therefore, the selection of the threshold needs to comprehensively consider the performance indexes of the service requirement and the anomaly detection.
In the anomaly detection 910 section, for newly generated data to be detected, it may be input from the encoder and a reconstruction error is calculated. The reconstruction error reflects the degree of difference between the data to be detected and the normal data distribution learned from the encoder. And if the reconstruction error exceeds a preset threshold value, marking the data to be detected as abnormal. Among other things, in addition to using a self-encoder model, variations and modifications can be made to the self-encoder to enhance its performance in anomaly detection. For example, sparse encoders may be used to increase sensitivity to abnormal samples, or variational self-encoders may be used to model data distribution to more accurately characterize normal data. These improved methods may be selected and adjusted based on the specific anomaly detection task and data characteristics. In which, as shown in fig. 11, a flow chart for the model processing procedure is shown. The model process flow may include, among other things, data acquisition 1101, data cleansing 1102, feature screening and processing 1103, self-encoder model construction 1104, model training 1105, model online development 1106, model online 1107, model evaluation 1108, and monitoring and messaging 1109. In the data obtaining 1101, the manner of obtaining the data is the same as that of the data preparing 902, and will not be described herein. In the data cleansing 1102, the raw data obtained in the data acquisition 1101 may be mainly cleansed to perform noise removal and the like on the raw data. In the feature screening and processing 1103 section, feature variables with high significance can be screened out by the magnitude of IV (Information Value ) values. IV, also called the information quantity, is the quantity used to represent how much "information" each variable is for the target variable, and is an indicator of the significance of the evaluation variable commonly used in fraud scenarios. In actual business, besides the IV value, we usually need to consider the stability of the variables and reject some variables with poor stability. The self-encoder model construction 1104 is mainly used to construct the model structure of the self-encoder. The data processed in feature screening and processing 1103 is used as input to a model in encoder model building 1104, the model is trained by model training 1105, and model parameters are calculated. Based further on the model online development 1106, model online 1107, model evaluation 1108, and monitoring report 1109 sections, the following processes are developed: the performance of the trained model in the test set was evaluated, and common indicators are IV, AUC (Area under the Curve of ROC, used to reflect the ability of the model to distinguish between good and bad samples) and KS (Kolmogorov-Smirnov, used to measure the degree of differentiation of the model between positive and negative samples). The performance and stability of the model over time samples can be further evaluated. Cross-time samples are samples where a batch of transaction times does not coincide with a training data time. And evaluating the distribution of the model scores on the cross-time sample, and simultaneously increasing the indexes commonly used in two fraud processing services, the case coverage rate and the strategic cost performance so as to better evaluate the identification effect of the model on the fraud cases.
Case coverage = model covered fraudulent transaction amount of orders/total fraudulent transaction amount of orders;
strategic cost performance = model intervening transaction amount/model covered fraudulent transaction amount.
Further, the model is developed and deployed to an online policy system, and when the model verification effect meets the expectation, online development and deployment can be performed, and real-time calculation of the model scores is performed on each social payment transaction based on the third party platform. And building a matched strategy for real-time monitoring and processing.
The transaction data security detection method provided by the embodiment of the application has the advantages that the sample acquisition mode for characterizing the unbalanced scene of the sample is realized, the self-encoder is an unsupervised algorithm, is independent of tag data, has remarkable advantages in processing problems such as fraud detection and the like, reduces the dependence on the tag data, adapts to the characteristic of scarce tag data in the social payment fraud scene, and avoids the difficulty and the expensive cost of labeling abnormal samples. The non-supervision learning method mainly identifies potential abnormal modes according to the distribution and the structure of the data, so that the influence caused by the problem of label uncleanness is avoided, and the robustness and generalization capability of the model are improved. The self-encoder learns the inherent representation of the data by compressing the data into the potential space. Such a representation of the potential space may capture key features and structures of the data such that the outlier data exhibits a pattern in the potential space that deviates significantly from the normal data. The self-encoder has strong nonlinear modeling capability and can learn complex data distribution and modes. Compared with the traditional linear method, the self-encoder is more suitable for processing complex abnormal data distribution, and can be better suitable for the diversity and complexity of data. The self-encoder may be adapted for different types of data, including numeric data, image data, text data, etc. This makes it possible to have a wide application field and expandability, and to be applied to various abnormality detection tasks. The stability of the model is improved by adopting methods such as cross-time verification, the phenomenon of overfitting is avoided, and the model is ensured to have good generalization capability on unknown data. The model is deployed to an online policy system, so that real-time processing of social payment fraud is realized, benefits of a platform and a user are guaranteed, and fraud risk and loss are reduced. The transaction data security detection method provided by the embodiment of the application comprises but is not limited to a social payment fraud identification scene, and can also be used in other risk identification services and the like.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are sequentially shown as indicated by arrows, these steps are not necessarily sequentially performed in the order indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of steps or a plurality of stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of the steps or stages is not necessarily performed sequentially, but may be performed alternately or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a transaction data security detection device for realizing the transaction data security detection method. The implementation of the solution provided by the device is similar to that described in the above method, so the specific limitation in the embodiments of the transaction data security detection device or devices provided below may be referred to the limitation of the transaction data security detection method hereinabove, and will not be repeated herein.
In one embodiment, as shown in FIG. 12, there is provided a transaction data security detection device 1200 comprising: an account feature obtaining module 1202, a first detection result determining module 1204, a second detection result determining module 1206, and a security detection result determining module 1208, wherein:
the account feature obtaining module 1202 is configured to obtain transaction data generated by triggering a transaction event by at least two user accounts, and obtain respective original account features of the at least two user accounts based on the transaction data.
The first detection result determining module 1204 is configured to perform a first encoding reconstruction for each original account feature, and obtain a first detection result according to the reconstructed account feature obtained by the reconstruction.
The second detection result determining module 1206 is configured to reconstruct a second encoding of the features for transactions with feature association relationships between features of each original account, and obtain a second detection result for the features according to reconstructed transactions obtained by reconstruction.
The security detection result determining module 1208 is configured to obtain a security detection result for the transaction data based on the first detection result and the second detection result.
In one embodiment, the first detection result determining module 1204 is further configured to perform a first encoding reconstruction for each original account feature to obtain a reconstructed account feature; based on account feature detection judgment conditions, account feature safety detection is carried out according to account feature reconstruction differences between the reconstructed account features and the original account features, and a first detection result is obtained.
In one embodiment, the at least two user accounts include a resource roll-out account and a resource roll-in account in the transaction event; each original account number feature comprises an original outturn account number feature belonging to the resource outturn account number and an original transfer account number feature belonging to the resource transfer account number; the first detection result determining module 1204 includes a reconstruction feature acquiring module; the reconstruction feature acquisition module is used for respectively carrying out coding reconstruction on the original roll-out account feature and the original roll-in account feature to obtain a reconstruction roll-out account feature and a reconstruction roll-in account feature. The first detection result determining module 1204 is further configured to perform account feature security detection for the reconstructed outgoing account feature and the reconstructed incoming account feature based on the account feature detection determination condition, to obtain an outgoing account feature detection result and an incoming account feature detection result; and obtaining a first detection result according to the transfer-out account characteristic detection result and the transfer-in account characteristic detection result.
In one embodiment, the reconstruction feature acquisition module is further configured to input the original outturned account feature into an outturned account reconstruction model to perform outturned account feature encoding reconstruction, so as to obtain a reconstructed outturned account feature output by the outturned account reconstruction model; and inputting the original account number turning features into a account number turning reconstruction model to carry out account number turning feature coding reconstruction, and obtaining reconstructed account number turning features output by the account number turning reconstruction model.
In one embodiment, the roll-out account reconstruction model is obtained by a first reconstruction model training step; the transaction data security detection further comprises a first model training module; the first model training module is used for acquiring transaction data samples generated by triggering transaction events by at least two user account samples and acquiring original roll-out account sample characteristics of resource roll-out account samples in the at least two user account samples based on the transaction data samples; carrying out the reconstruction of the characteristic codes of the outgoing account numbers on the original outgoing account number sample characteristics through a to-be-trained outgoing account number reconstruction model to obtain reconstructed outgoing account number sample characteristics; and according to the difference between the reconstructed outgoing account number sample characteristics and the original outgoing account number sample characteristics, updating the outgoing account number reconstruction model to be trained, and continuing training until training is finished, so as to obtain the outgoing account number reconstruction model.
In one embodiment, the first model training module is further configured to obtain account sample data of a resource roll-out account sample in at least two user account samples based on the transaction data sample; screening data features of the account sample data to obtain screened account sample data; and constructing original roll-out account sample characteristics of the resource roll-out account sample based on the screened account sample data.
In one embodiment, the check-in number reconstruction model is obtained by a second modeling type training step; the transaction data security detection further comprises a second model training module; the second model training module is used for acquiring transaction data samples generated by triggering transaction events by at least two user account samples and acquiring original account transfer sample characteristics of the resource account transfer samples in the at least two user account samples based on the transaction data samples; carrying out transfer-in account number feature coding reconstruction on original transfer-in account number sample features through a transfer-in account number reconstruction model to be trained to obtain reconstructed transfer-in account number sample features; and according to the difference between the reconstructed account number sample characteristics and the original account number sample characteristics, updating the account number reconstruction model to be trained, and continuing training until the training is finished, so as to obtain the account number reconstruction model.
In one embodiment, the transaction data security detection device further comprises a feature reconstruction difference determination module; the characteristic reconstruction difference determining module is used for determining a reconstruction difference of the characteristics of the outgoing account between the reconstructed outgoing account characteristics and the original outgoing account characteristics; determining a transfer-in account feature reconstruction difference between the reconstruction transfer-in account feature and the original transfer-in account feature; based on account feature detection judgment conditions, account feature safety detection is respectively carried out on the outgoing account feature reconstruction difference and the incoming account feature reconstruction difference, and an outgoing account feature detection result and an incoming account feature detection result are obtained.
In one embodiment, the feature reconstruction difference determining module is further configured to determine a roll-out account feature detection determination condition and a roll-in account feature detection determination condition; obtaining a detection result of the characteristics of the outgoing account according to the comparison result of the reconstruction difference of the characteristics of the outgoing account and the detection judgment condition of the characteristics of the outgoing account; and obtaining a transfer account feature detection result according to the comparison result of the transfer account feature reconstruction difference and the transfer account feature detection judgment condition.
In one embodiment, the second detection result determining module 1206 is further configured to determine a transaction pair feature that is common between the original account features; performing second coding reconstruction on the transaction pair features to obtain reconstructed transaction pair features; and carrying out transaction pair feature safety detection on the transaction pair feature reconstruction difference between the reconstructed transaction pair feature and the transaction pair feature based on the transaction pair feature detection judgment condition to obtain a second detection result.
In one embodiment, the second encoding reconstruction is implemented on a transaction-based reconstruction model; the transaction pair reconstruction model is obtained through a third modeling training step; the transaction data safety detection device also comprises a third model training module; the third model training module is used for acquiring transaction data samples generated by triggering transaction events by at least two user account samples and acquiring original transfer-in account sample characteristics of resource transfer-out account samples and original transfer-in account sample characteristics of the resource transfer-in account samples in the at least two user account samples based on the transaction data samples; carrying out transaction pair feature reconstruction on the transaction pair sample features shared between the original transfer-out account number sample features and the original transfer-in account number sample features through a transaction pair reconstruction model to be trained to obtain transaction pair reconstructed sample features; and according to the difference between the reconstructed sample characteristics and the transaction pair sample characteristics, updating the reconstructed model of the transaction pair to be trained, and continuing training until training is finished, so as to obtain the reconstructed model of the transaction pair.
In one embodiment, the security detection result determining module 1208 is further configured to determine a weighting parameter for the first detection result and the second detection result; and carrying out weighted fusion on the first detection result and the second detection result according to the weighted parameter to obtain a safety detection result aiming at the transaction data.
In one embodiment, the account feature obtaining module 1202 is further configured to determine an account identifier of each of the at least two user accounts based on the transaction data; inquiring historical transaction data and account attribute data of each of at least two user accounts according to the account identification; and respectively constructing and obtaining the original account characteristics of each of the at least two user accounts based on the transaction data, the historical transaction data and the account attribute data of each of the at least two user accounts.
In one embodiment, the transaction data security detection device further comprises a security maintenance module; and the security maintenance module is used for carrying out transaction security maintenance processing on the transaction data when the security detection result indicates that the transaction data has transaction risk.
The modules in the transaction data security devices described above may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server or a terminal, and the internal structure of which may be as shown in fig. 13. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing transaction data and the input/output interface of the computer device is used for exchanging information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements a transaction data security detection method.
It will be appreciated by those skilled in the art that the structure shown in FIG. 13 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, storing a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high density embedded nonvolatile Memory, resistive random access Memory (ReRAM), magnetic random access Memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric Memory (Ferroelectric Random Access Memory, FRAM), phase change Memory (Phase Change Memory, PCM), graphene Memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like. The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.
Claims (18)
1. A transaction data security detection method, the method comprising:
acquiring transaction data generated by at least two user accounts through triggering a transaction event, and acquiring respective original account characteristics of the at least two user accounts based on the transaction data;
performing first coding reconstruction on each original account number feature, and obtaining a first detection result according to reconstructed account number features obtained by reconstruction;
Performing second coding reconstruction on the characteristics aiming at the transactions with characteristic association relations among the original account characteristics, and obtaining a second detection result according to the reconstructed transaction pairs obtained by reconstruction;
based on the first detection result and the second detection result, a security detection result for the transaction data is obtained.
2. The method according to claim 1, wherein the performing a first encoding reconstruction for each of the original account features and obtaining a first detection result according to the reconstructed account features obtained by the reconstruction includes:
performing first coding reconstruction on each original account number feature to obtain reconstructed account number features;
based on account feature detection judgment conditions, account feature safety detection is carried out according to account feature reconstruction differences between the reconstructed account features and the original account features, and a first detection result is obtained.
3. The method of claim 2, wherein the at least two user accounts include a resource roll-out account and a resource roll-in account in the transaction event; each original account feature comprises an original roll-out account feature belonging to the resource roll-out account and an original roll-in account feature belonging to the resource roll-in account;
Performing first encoding reconstruction on each original account feature to obtain reconstructed account features, including:
respectively carrying out coding reconstruction on the original roll-out account number characteristics and the original roll-in account number characteristics to obtain reconstructed roll-out account number characteristics and reconstructed roll-in account number characteristics;
the account feature security detection is performed on account feature reconstruction differences between the reconstructed account features and the original account features based on account feature detection judgment conditions, so as to obtain a first detection result, including:
based on account feature detection judgment conditions, respectively carrying out account feature safety detection on the reconstructed outgoing account feature and the reconstructed incoming account feature to obtain an outgoing account feature detection result and an incoming account feature detection result;
and obtaining a first detection result according to the characteristic detection result of the roll-out account and the characteristic detection result of the roll-in account.
4. The method of claim 3, wherein the performing the encoding reconstruction for the original roll-out account feature and the original roll-in account feature to obtain a reconstructed roll-out account feature and a reconstructed roll-in account feature, respectively, includes:
Inputting the original outturn account characteristics into an outturn account reconstruction model to reconstruct outturn account characteristic codes, and obtaining reconstructed outturn account characteristics output by the outturn account reconstruction model;
and inputting the original account number turning feature into a account number turning reconstruction model to carry out account number turning feature coding reconstruction, and obtaining a reconstructed account number turning feature output by the account number turning reconstruction model.
5. The method of claim 4, wherein the roll-out account reconstruction model is obtained by a first reconstruction model training step; the first reconstruction model training step comprises:
acquiring transaction data samples generated by triggering transaction events by at least two user account samples, and acquiring original transfer-out account sample characteristics of resource transfer-out account samples in the at least two user account samples based on the transaction data samples;
carrying out the reconstruction of the roll-out account feature codes on the original roll-out account sample features through a roll-out account reconstruction model to be trained, and obtaining reconstructed roll-out account sample features;
and updating the to-be-trained outgoing account reconstruction model according to the difference between the reconstructed outgoing account sample characteristics and the original outgoing account sample characteristics, and continuing training until training is finished, so as to obtain the outgoing account reconstruction model.
6. The method of claim 5, wherein the obtaining, based on the transaction data samples, original roll-out account sample characteristics of resource roll-out account samples in the at least two user account samples comprises:
acquiring account sample data of a resource transfer-out account sample in the at least two user account samples based on the transaction data samples;
screening data features of the account sample data to obtain screened account sample data;
and constructing original roll-out account sample characteristics of the resource roll-out account sample based on the screened account sample data.
7. The method of claim 4, wherein the in-account reconstruction model is obtained by a second modeling-type training step; the second modeling training step comprises the following steps:
acquiring transaction data samples generated by triggering transaction events by at least two user account samples, and acquiring original account transfer sample characteristics of resource account transfer samples in the at least two user account samples based on the transaction data samples;
performing transfer-in account number feature coding reconstruction on the original transfer-in account number sample features through a transfer-in account number reconstruction model to be trained to obtain reconstructed transfer-in account number sample features;
And according to the difference between the reconstructed account number sample characteristics and the original account number sample characteristics, updating the account number reconstruction model to be trained, and continuing training until training is finished, so as to obtain the account number reconstruction model.
8. The method according to claim 3, wherein the performing, based on account feature detection determination conditions, account feature security detection for the reconstructed outgoing account feature and the reconstructed incoming account feature to obtain an outgoing account feature detection result and an incoming account feature detection result includes:
determining a roll-out account feature reconstruction difference between the reconstructed roll-out account feature and the original roll-out account feature;
determining a reconstruction difference of the transfer-in account number characteristics between the reconstruction transfer-in account number characteristics and the original transfer-in account number characteristics;
and based on account feature detection judgment conditions, carrying out account feature safety detection on the outgoing account feature reconstruction difference and the incoming account feature reconstruction difference respectively to obtain an outgoing account feature detection result and an incoming account feature detection result.
9. The method according to claim 8, wherein the performing, based on account feature detection determination conditions, account feature security detection for the outgoing account feature reconstruction difference and the incoming account feature reconstruction difference to obtain an outgoing account feature detection result and an incoming account feature detection result, respectively, includes:
Determining a detection and judgment condition of the characteristics of the account number to be transferred and a detection and judgment condition of the characteristics of the account number to be transferred;
obtaining a roll-out account feature detection result according to a comparison result of the roll-out account feature reconstruction difference and the roll-out account feature detection judgment condition;
and obtaining a transfer account feature detection result according to a comparison result of the transfer account feature reconstruction difference and the transfer account feature detection judgment condition.
10. The method according to claim 1, wherein the reconstructing the features for the transaction having the feature association relationship between the features of the original account number according to the second encoding, and obtaining the second detection result according to the reconstructed transaction pair features obtained by the reconstructing, includes:
determining transaction pair characteristics shared among the original account characteristics;
performing second coding reconstruction on the transaction pair features to obtain reconstructed transaction pair features;
and carrying out transaction pair feature safety detection on the transaction pair feature reconstruction difference between the reconstructed transaction pair feature and the transaction pair feature based on the transaction pair feature detection judgment condition to obtain a second detection result.
11. The method of claim 10, wherein the second encoded reconstruction is implemented on a transaction-based reconstruction model; the transaction pair reconstruction model is obtained through a third modeling training step; the third modeling type training step includes:
Acquiring transaction data samples generated by triggering transaction events by at least two user account samples, and acquiring original transfer-out account sample characteristics of resource transfer-out account samples and original transfer-in account sample characteristics of the resource transfer-in account samples in the at least two user account samples based on the transaction data samples;
carrying out transaction pair feature reconstruction on the transaction pair sample features shared between the original transfer-out account number sample features and the original transfer-in account number sample features through a transaction pair reconstruction model to be trained to obtain transaction pair reconstructed sample features;
and according to the difference between the transaction pair reconstruction sample characteristics and the transaction pair sample characteristics, updating the transaction pair reconstruction model to be trained, and continuing training until training is finished, so as to obtain the transaction pair reconstruction model.
12. The method according to any one of claims 1 to 11, wherein the obtaining a security detection result for the transaction data based on the first detection result and the second detection result comprises:
determining weighting parameters for the first detection result and the second detection result;
And carrying out weighted fusion on the first detection result and the second detection result according to the weighted parameter to obtain a safety detection result aiming at the transaction data.
13. The method according to any one of claims 1 to 12, wherein said obtaining raw account characteristics of each of said at least two user accounts based on said transaction data comprises:
determining account identifiers of the at least two user accounts respectively based on the transaction data;
inquiring historical transaction data and account attribute data of each of the at least two user accounts according to the account identification;
and respectively constructing and obtaining the original account characteristics of each of the at least two user accounts based on the transaction data, the historical transaction data and the account attribute data of each of the at least two user accounts.
14. The method according to any one of claims 1 to 13, further comprising:
and when the security detection result indicates that the transaction data has transaction risk, carrying out transaction security maintenance processing on the transaction data.
15. A transaction data security sensing device, the device comprising:
The account feature acquisition module is used for acquiring transaction data generated by triggering transaction events by at least two user accounts and acquiring the respective original account features of the at least two user accounts based on the transaction data;
the first detection result determining module is used for carrying out first coding reconstruction on the original account number characteristics, and obtaining a first detection result according to the reconstructed account number characteristics obtained by reconstruction;
the second detection result determining module is used for carrying out second coding reconstruction on the characteristics aiming at the transaction with the characteristic association relation among the original account characteristics, and obtaining a second detection result according to the reconstructed transaction pair characteristics obtained by reconstruction;
and the security detection result determining module is used for obtaining a security detection result aiming at the transaction data based on the first detection result and the second detection result.
16. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 14 when the computer program is executed.
17. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 14.
18. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any one of claims 1 to 14.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311061718.7A CN117078266A (en) | 2023-08-22 | 2023-08-22 | Transaction data security detection method, device, computer equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311061718.7A CN117078266A (en) | 2023-08-22 | 2023-08-22 | Transaction data security detection method, device, computer equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117078266A true CN117078266A (en) | 2023-11-17 |
Family
ID=88705678
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311061718.7A Pending CN117078266A (en) | 2023-08-22 | 2023-08-22 | Transaction data security detection method, device, computer equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117078266A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117972666A (en) * | 2024-02-05 | 2024-05-03 | 山东铭云信息技术有限公司 | Privilege account auditing system based on block chain |
-
2023
- 2023-08-22 CN CN202311061718.7A patent/CN117078266A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117972666A (en) * | 2024-02-05 | 2024-05-03 | 山东铭云信息技术有限公司 | Privilege account auditing system based on block chain |
| CN117972666B (en) * | 2024-02-05 | 2024-07-26 | 山东铭云信息技术有限公司 | Privilege account auditing system based on block chain |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110009174B (en) | Risk recognition model training method and device and server | |
| US11263644B2 (en) | Systems and methods for detecting unauthorized or suspicious financial activity | |
| CN110378786B (en) | Model training method, default transmission risk identification method, device and storage medium | |
| CN113011973B (en) | Method and equipment for financial transaction supervision model based on intelligent contract data lake | |
| CN103678659A (en) | E-commerce website cheat user identification method and system based on random forest algorithm | |
| Fang et al. | Deep learning anti-fraud model for internet loan: Where we are going | |
| US20220358493A1 (en) | Data acquisition method and apparatus for analyzing cryptocurrency transaction | |
| CN114818999B (en) | Account identification method and system based on self-encoder and generation countermeasure network | |
| CN112767136A (en) | Credit anti-fraud identification method, credit anti-fraud identification device, credit anti-fraud identification equipment and credit anti-fraud identification medium based on big data | |
| CN117078266A (en) | Transaction data security detection method, device, computer equipment and storage medium | |
| Jonnalagadda et al. | Credit card fraud detection using Random Forest Algorithm | |
| CN114202336A (en) | Risk behavior monitoring method and system in financial scene | |
| WO2022228688A1 (en) | Automated fraud monitoring and trigger-system for detecting unusual patterns associated with fraudulent activity, and corresponding method thereof | |
| CN116307671A (en) | Risk early warning method, risk early warning device, computer equipment and storage medium | |
| CN118094439A (en) | Bank abnormal transaction detection method, system and device | |
| Min et al. | Behavior language processing with graph based feature generation for fraud detection in online lending | |
| CN112907308B (en) | Data detection method and device, and computer readable storage medium | |
| KR102199587B1 (en) | Method and apparatus for analyzing transaction of cryptocurrency | |
| Xiao et al. | Explainable fraud detection for few labeled time series data | |
| CN115907954A (en) | Account identification method and device, computer equipment and storage medium | |
| Besenbruch | Fraud detection using machine learning techniques | |
| CN112950222A (en) | Resource processing abnormity detection method and device, electronic equipment and storage medium | |
| CN115187252A (en) | Method for identifying fraud in network transaction system, server and storage medium | |
| Ruan et al. | Financial distress prediction using GA-BP neural network model | |
| CN117709967B (en) | Backwash money detection method and backwash money detection system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication |