CN117689385A - Transaction account security prediction method, device, equipment and storage medium - Google Patents
Transaction account security prediction method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN117689385A CN117689385A CN202311484871.0A CN202311484871A CN117689385A CN 117689385 A CN117689385 A CN 117689385A CN 202311484871 A CN202311484871 A CN 202311484871A CN 117689385 A CN117689385 A CN 117689385A
- Authority
- CN
- China
- Prior art keywords
- transaction
- account
- data
- prediction
- model
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 92
- 238000003860 storage Methods 0.000 title claims abstract description 27
- 230000002159 abnormal effect Effects 0.000 claims abstract description 41
- 238000012795 verification Methods 0.000 claims description 45
- 239000013598 vector Substances 0.000 claims description 38
- 238000004590 computer program Methods 0.000 claims description 12
- 238000003066 decision tree Methods 0.000 claims description 8
- 238000012706 support-vector machine Methods 0.000 claims description 8
- 238000007477 logistic regression Methods 0.000 claims description 6
- 239000011159 matrix material Substances 0.000 claims description 6
- 230000008569 process Effects 0.000 abstract description 35
- 238000013473 artificial intelligence Methods 0.000 abstract description 16
- 238000005516 engineering process Methods 0.000 description 15
- 238000004891 communication Methods 0.000 description 11
- 238000009826 distribution Methods 0.000 description 11
- 238000012549 training Methods 0.000 description 11
- 238000012545 processing Methods 0.000 description 9
- 230000006399 behavior Effects 0.000 description 7
- 238000010586 diagram Methods 0.000 description 7
- 238000004422 calculation algorithm Methods 0.000 description 6
- 238000004458 analytical method Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 5
- 230000008901 benefit Effects 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000000638 solvent extraction Methods 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 230000004913 activation Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000012790 confirmation Methods 0.000 description 2
- 238000001514 detection method Methods 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 238000003058 natural language processing Methods 0.000 description 2
- 238000007781 pre-processing Methods 0.000 description 2
- 230000000750 progressive effect Effects 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 238000012954 risk control Methods 0.000 description 2
- RWSOTUBLDIXVET-UHFFFAOYSA-N Dihydrogen sulfide Chemical compound S RWSOTUBLDIXVET-UHFFFAOYSA-N 0.000 description 1
- 230000004888 barrier function Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000004140 cleaning Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000013075 data extraction Methods 0.000 description 1
- 238000007418 data mining Methods 0.000 description 1
- 238000013135 deep learning Methods 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 230000005055 memory storage Effects 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 230000035945 sensitivity Effects 0.000 description 1
- 238000000926 separation method Methods 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 230000007704 transition Effects 0.000 description 1
Landscapes
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
The embodiment of the application provides a transaction account security prediction method, a transaction account security prediction device, transaction account security prediction equipment and a transaction account security prediction storage medium, and relates to the technical field of artificial intelligence. The method comprises the following steps: acquiring first transaction data of an initial account, inputting the first transaction data into a first safety prediction sub-model to conduct linear prediction to obtain a first safety prediction result, inputting the first transaction data and the first safety prediction result into a second safety prediction sub-model to conduct nonlinear classification prediction to obtain a second safety prediction result, and inputting the first transaction data, the first safety prediction result and the second safety prediction result into a third safety prediction sub-model to conduct comprehensive classification prediction to obtain a safety prediction result. The obvious abnormal mode is determined by utilizing linear prediction, the nonlinear prediction process continues to extract higher-order complex features to predict, then the comprehensive prediction process comprehensively analyzes based on the two previous prediction results and transaction data of the primary account, and the prediction results are progressively enhanced, so that the accuracy of the prediction results is improved.
Description
Technical Field
The present application relates to the field of artificial intelligence technologies, and in particular, to a transaction account security prediction method, apparatus, device, and storage medium.
Background
In the financial transaction process, risk control is performed on a transaction account according to transaction data of the payment account, and it is necessary to select to continue or suspend related transaction actions according to analysis results. Generally, abnormal transaction data may suggest that the transaction account presents security risks, such as unauthorized transactions, abnormal presentation behavior, etc. Therefore, the transaction account is monitored and analyzed based on the transaction data, and corresponding measures can be timely taken to protect the fund safety of the user.
In the related art, the early warning of the transaction account is mostly based on expert experience setting expert rules, the mode relies on the expert experience, the cost of the wind control auditing is high, the error judgment probability of the obtained early warning result is high, and the transaction behavior of a normal user is easy to interfere.
Disclosure of Invention
The embodiment of the application mainly aims to provide a transaction account security prediction method, device, equipment and storage medium, which can improve the accuracy of a transaction account early warning result.
To achieve the above object, a first aspect of an embodiment of the present application provides a transaction account security prediction method, including:
Acquiring first transaction data of an initial account;
inputting the first transaction data into a first safety prediction sub-model for linear classification prediction to obtain a first safety prediction result, and generating second transaction data according to the first transaction data and the first safety prediction result;
inputting the second transaction data into a second safety prediction sub-model to conduct nonlinear classification prediction to obtain a second safety prediction result, and generating third transaction data according to the first transaction data, the first safety prediction result and the second safety prediction result;
and inputting the third transaction data into a third security prediction sub-model to perform comprehensive classification prediction to obtain a security prediction result used for representing that the primary account is a normal transaction account or the primary account is an abnormal transaction account.
In some embodiments, the first transaction data includes a first number of transaction indicators; the first security prediction sub-model is a logistic regression model, and the inputting the first transaction data into the first security prediction sub-model for linear classification prediction to obtain a first security prediction result comprises the following steps:
acquiring an index weight corresponding to each transaction index;
Calculating a linear parameter value of the trade index based on the index weight;
and obtaining a first classification probability according to the first number of the linear parameter values, and taking a classification result corresponding to the first classification probability as the first safety prediction result.
In some embodiments, the first transaction data includes a first number of transaction indicators; the second safety predictor model is a support vector machine model; inputting the second transaction data into a second security prediction sub-model for nonlinear classification prediction to obtain a second security prediction result, wherein the method comprises the following steps of:
generating a second transaction vector of the second transaction data according to the transaction index and the first security prediction result;
acquiring normal vectors and intercepts of hyperplanes in the second safety predictor model;
and obtaining a second classification value based on the normal vector, the second transaction vector and the intercept, and generating the second safety prediction result according to the relation between the second classification value and zero.
In some embodiments, the first transaction data includes a first number of transaction indicators; the third safety predictor model is a gradient lifting model; the step of inputting the third transaction data into a third security prediction sub-model for comprehensive classification prediction to obtain a security prediction result for representing that the primary account is a normal transaction account or the primary account is an abnormal transaction account, comprising the following steps:
Generating a third feature matrix of the third transaction data according to the feature values respectively corresponding to the transaction index, the first safety prediction result and the second safety prediction result;
acquiring decision nodes and leaf nodes of a decision tree in the third safety predictor model;
and selecting a target leaf node from the leaf nodes based on the splitting condition of the decision node and the third feature matrix, and taking the weight of the target leaf node as the safety prediction result.
In some embodiments, the first security predictor model, the second security predictor model, and the third security predictor model form a security predictor model, and the method further comprises, prior to inputting the first transaction data into the first security predictor model for linear classification prediction:
constructing an account transaction sample set; the account transaction sample set comprises a transaction account sample and an account label, wherein the transaction account sample comprises a plurality of account data;
acquiring the data weight of the account data, and acquiring a transaction sample vector of the transaction account sample according to the data weight and the account data;
inputting the transaction sample vector into the safety prediction model to perform result prediction to obtain an account prediction value;
And comparing the account predicted value with the account label, generating a loss value according to a comparison result, and adjusting the model weight of each sub-model in the safety prediction model based on the loss value until an iteration termination condition is reached, so as to obtain the trained safety prediction model.
In some embodiments, the set of account transaction samples further includes a verification account sample and a verification account tag, the verification account sample including a plurality of verification data, the verification data corresponding to the account data; the obtaining of the data weight of the account data comprises the following steps:
obtaining a verification sample vector according to the verification data and the initial value of the data weight; the initial value is 1;
inputting the verification sample vector into the safety prediction model to perform result prediction to obtain a verification prediction value;
comparing the verification predicted value with the verification account label to obtain a result confidence coefficient;
and updating the data weight according to the result confidence.
In some embodiments, the constructing an account transaction sample set includes:
acquiring a plurality of initial transaction data, wherein the initial transaction data comprise first initial data obtained according to transaction data of a normal account and second initial data obtained according to transaction data of an abnormal account;
Performing outlier replacement based on the discrete degree of the initial transaction data to obtain first replacement data of the first initial data and second replacement data of the second initial data, and performing sample expansion on the second replacement data to obtain second expansion data;
selecting account attribute data, transaction amount data, transaction quantity data and transaction time data from each piece of first replacement data to obtain first account data, generating a first transaction account sample, and setting an account label of the first transaction account sample as a normal account;
selecting account attribute data, transaction amount data, transaction quantity data and transaction time data from each second expansion data to obtain second account data, generating a second transaction account sample, and setting account labels of the second transaction account sample as abnormal accounts;
obtaining the account transaction sample set according to the first transaction account sample and the second transaction account sample.
To achieve the above object, a second aspect of the embodiments of the present application provides a transaction account security prediction device, including:
a transaction data acquisition module: first transaction data for acquiring an initial account;
Linear prediction module: the method comprises the steps of inputting first transaction data into a first safety prediction sub-model to conduct linear classification prediction to obtain a first safety prediction result, and generating second transaction data according to the first transaction data and the first safety prediction result;
nonlinear prediction module: the second transaction data is input into a second safety prediction sub-model to conduct nonlinear classification prediction, a second safety prediction result is obtained, and third transaction data is generated according to the first transaction data, the first safety prediction result and the second safety prediction result;
and the comprehensive prediction module is used for: and the third transaction data are input into a third security prediction sub-model to carry out comprehensive classification prediction, so that a security prediction result used for representing that the primary account is a normal transaction account or the primary account is an abnormal transaction account is obtained.
To achieve the above object, a third aspect of the embodiments of the present application proposes an electronic device, which includes a memory and a processor, the memory storing a computer program, the processor implementing the method according to the first aspect when executing the computer program.
To achieve the above object, a fourth aspect of the embodiments of the present application proposes a storage medium, which is a storage medium storing a computer program that when executed by a processor implements the method described in the first aspect.
According to the transaction account security prediction method, device, equipment and storage medium, first transaction data of an initial account are obtained, then the first transaction data are input into a first security prediction sub-model to conduct linear classification prediction, a first security prediction result is obtained, second transaction data are generated according to the first transaction data and the first security prediction result, then the second transaction data are input into a second security prediction sub-model to conduct nonlinear classification prediction, a second security prediction result is obtained, third transaction data are generated according to the first transaction data, the first security prediction result and the second security prediction result, finally the third transaction data are input into a third security prediction sub-model to conduct comprehensive classification prediction, and a security prediction result used for representing that the initial account is a normal transaction account or the initial account is an abnormal transaction account is obtained. In the embodiment of the application, three complete independent predictions are sequentially performed by using three safety prediction sub-models, wherein the linear prediction process can determine an obvious abnormal mode, the nonlinear prediction process continues to extract higher-order complex features to predict on the basis of the linear prediction result, then the comprehensive prediction process comprehensively analyzes based on the two previous prediction results and transaction data of an initial account, a plurality of influence factors are comprehensively considered, the prediction result is progressively enhanced, and the accuracy of the prediction result is improved.
Drawings
Fig. 1 is a schematic structural diagram of a safety prediction model in an embodiment of the present application.
FIG. 2 is a flow chart of a training process of a safety prediction model in an embodiment of the present application.
Fig. 3 is a flowchart of step S210 in fig. 2.
Fig. 4 is a flowchart of step S220 in fig. 2.
Fig. 5 is a flowchart of a transaction account security prediction method provided in an embodiment of the present application.
FIG. 6 is a further schematic diagram of a training process of a safety prediction model in an embodiment of the present application.
Fig. 7 is a schematic diagram of transaction details of different users in a specific scenario in an embodiment of the present application.
Fig. 8 is a block diagram of a transaction account security prediction device according to another embodiment of the present application.
Fig. 9 is a schematic hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
It should be noted that although functional block division is performed in a device diagram and a logic sequence is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the block division in the device, or in the flowchart.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the present application.
First, several nouns referred to in this application are parsed:
artificial intelligence (artificial intelligence, AI): is a new technical science for researching and developing theories, methods, technologies and application systems for simulating, extending and expanding the intelligence of people; artificial intelligence is a branch of computer science that attempts to understand the nature of intelligence and to produce a new intelligent machine that can react in a manner similar to human intelligence, research in this field including robotics, language recognition, image recognition, natural language processing, and expert systems. Artificial intelligence can simulate the information process of consciousness and thinking of people. Artificial intelligence is also a theory, method, technique, and application system that utilizes a digital computer or digital computer-controlled machine to simulate, extend, and expand human intelligence, sense the environment, acquire knowledge, and use knowledge to obtain optimal results.
In the financial transaction process, risk control is performed on a transaction account according to transaction data of the payment account, and it is necessary to select to continue or suspend related transaction actions according to analysis results. Generally, abnormal transaction data may suggest that the transaction account presents security risks, such as unauthorized transactions, abnormal presentation behavior, etc. Therefore, the transaction account is monitored and analyzed based on the transaction data, and corresponding measures can be timely taken to protect the fund safety of the user.
In the related art, the early warning of the transaction account is mostly based on expert experience setting expert rules, the mode relies on the expert experience, the cost of the wind control auditing is high, the error judgment probability of the obtained early warning result is high, and the transaction behavior of a normal user is easy to interfere.
Based on the above, the embodiment of the application provides a transaction account security prediction method, device, equipment and storage medium, which sequentially perform three complete independent predictions by using three security predictor models, wherein the linear prediction process can determine an obvious abnormal mode, the nonlinear prediction process continues to extract higher-order complex features to predict on the basis of the linear prediction result, then the comprehensive prediction process performs comprehensive analysis based on the two prediction results and transaction data of an initial account, comprehensively considers a plurality of influencing factors, progressively enhances the prediction result, and improves the accuracy of the prediction result.
The embodiment of the application provides a transaction account security prediction method, a device, equipment and a storage medium, and specifically, the following embodiment is used for explaining, and firstly describes the transaction account security prediction method in the embodiment of the application.
The embodiment of the application can acquire and process the related data based on the artificial intelligence technology. Among these, artificial intelligence (ArtificialIntelligence, AI) is the theory, method, technique and application system that uses a digital computer or a digital computer-controlled machine to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use knowledge to obtain optimal results. In other words, artificial intelligence is an integrated technology of computer science that attempts to understand the essence of intelligence and to produce a new intelligent machine that can react in a similar way to human intelligence. Artificial intelligence, i.e. research on design principles and implementation methods of various intelligent machines, enables the machines to have functions of sensing, reasoning and decision.
The artificial intelligence technology is a comprehensive subject, and relates to the technology with wide fields, namely the technology with a hardware level and the technology with a software level. Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.
The embodiment of the application provides a transaction account security prediction method, which relates to the technical field of artificial intelligence, in particular to the technical field of data mining. The transaction account security prediction method provided by the embodiment of the application can be applied to a terminal, a server side and a computer program running in the terminal or the server side. For example, the computer program may be a native program or a software module in an operating system; the Application may be a local (Native) Application (APP), i.e. a program that needs to be installed in an operating system to run, such as a client that supports transaction account security prediction, or an applet, i.e. a program that only needs to be downloaded to a browser environment to run; but also an applet that can be embedded in any APP. In general, the computer programs described above may be any form of application, module or plug-in. Wherein the terminal communicates with the server through a network. The transaction account security prediction method may be performed by a terminal or a server, or performed in conjunction with the terminal and the server.
In some embodiments, the terminal may be a smart phone, tablet, notebook, desktop, or smart watch, or the like. The server can be an independent server, and can also be a cloud server for providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDNs), basic cloud computing services such as big data and artificial intelligent platforms, and the like; or may be service nodes in a blockchain system, where each service node in the blockchain system forms a Peer-To-Peer (P2P) network, and the P2P protocol is an application layer protocol that runs on top of a transmission control protocol (Transmission Control Protocol, TCP) protocol. The terminal and the server may be connected through communication connection modes such as bluetooth, universal serial bus (Universal Serial Bus, USB) or network, which is not limited herein.
The subject application is operational with numerous general purpose or special purpose computer system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In the embodiments of the present application, when related processing is required according to user information, user behavior data, user history data, user location information, and other data related to user identity or characteristics, permission or consent of the user is obtained first, and the collection, use, processing, and the like of the data comply with related laws and regulations and standards of related countries and regions. In addition, when the embodiment of the application needs to acquire the sensitive personal information of the user, the independent permission or independent consent of the user is acquired through a popup window or a jump to a confirmation page or the like, and after the independent permission or independent consent of the user is explicitly acquired, necessary user related data for enabling the embodiment of the application to normally operate is acquired.
First, a security prediction model used in the transaction account security prediction method in the embodiment of the present application is described.
Fig. 1 is a schematic structural diagram of a safety prediction model in an embodiment of the present application. Referring to fig. 1, the security prediction model in this embodiment includes a first security prediction sub-model 110, a second security prediction sub-model 120, and a third security prediction sub-model 130, where input data of the first security prediction sub-model 110 is first transaction data, output is a first security prediction result, then the first transaction data and the first security prediction result are jointly used as input of the second security prediction sub-model 120, output is a second security prediction result, and then the first security prediction result, the second security prediction result, and the first transaction data are jointly used as input of the third security prediction sub-model 130, and output is a security prediction result.
The first security predictor model 110 is used for performing linear prediction, and may be a linear feature model, for example, a logistic regression model, capable of extracting linear features in the transaction data, and performing analysis prediction on the transaction data based on the linear features. The first security predictor model 110 is capable of detecting some obvious pattern of anomalies, such as abnormal transaction amounts or frequencies, and deriving corresponding first security predictions. The second safety predictor model 120 is used for nonlinear detection, and may be a nonlinear feature model, such as a support vector machine model, and is mainly used for predicting complex nonlinear modes which cannot be captured by using the linear feature model. The second security predictor model 120 may extract higher-order, more complex features from the transaction data to predict further anomalies, such as changes in transaction patterns, abnormal transaction combinations, etc., to obtain corresponding second security predictions. The third safety predictor model 130 is used for comprehensive prediction based on the first two models, and may be, for example, a gradient lifting model. The third security prediction sub-model 130 comprehensively predicts the first security prediction result, the second security prediction result, and the transaction data of the first two sub-models. The third security predictor model 130 may analyze the transaction data more fully, comprehensively consider the influence of multiple features, and improve the accuracy of the prediction.
In the embodiment of the present application, although the fitting of the first safety predictor model 110 is rapid, the accuracy is too low, the fitting of the second safety predictor model 120 is better, but the recall is too low, and the third safety predictor model 130 is easy to be overfitted while guaranteeing the accuracy and recall, so that the prediction result of the former model can be used as the input of the latter model by using the cascade mode shown in fig. 1 and utilizing the safety predictor models of three different prediction angles, and even if a certain single algorithm has errors and noise, the overall result is not affected, thereby progressively enhancing the accuracy of the prediction result. For example, if some abnormal modes are found in the first safety prediction sub-model 110, then these abnormal modes are further transferred to the second safety prediction sub-model 120 in the manner of the first safety prediction result to be further analyzed and predicted, and finally, the result is summarized and predicted by the third safety prediction sub-model 130, so that the sensitivity and accuracy of the prediction can be improved.
The following describes the training process of the safety prediction model in the embodiment of the present application.
Referring to fig. 2, the training process of the safety prediction model includes the following steps S210 to S240:
Step S210: an account transaction sample set is constructed.
In an embodiment, the account transaction sample set includes a transaction account sample and an account tag, the transaction account sample includes a plurality of account data, wherein the account tag includes: the transaction account samples comprise a first transaction account sample and a second transaction account sample, wherein the account label of the first transaction account sample is a normal account, and the account label of the second transaction account sample is an abnormal account.
In one embodiment, referring to fig. 3, step S210 includes the following steps S211 to S215:
step S211: a plurality of initial transaction data is obtained.
In one embodiment, the initial transaction data includes first initial data obtained from transaction data of a normal account number and second initial data obtained from transaction data of an abnormal account number. For example, all transaction data of the abnormal account which is judged by the wind control process in the last half year is obtained, transaction behavior related information and account related information are extracted from the transaction data as second initial data, and the transaction data of the normal account in the same period is randomly selected by the same method to obtain first initial data.
In an embodiment, due to the various amounts of transaction data, in order to reduce training time of the model, the transaction data is filtered according to actual business experience to obtain first initial data and corresponding second initial data. Wherein the first initial data and the second initial data may include, but are not limited to: age distribution, network access duration distribution, binding card unbinding number distribution, transaction amount interval distribution (total amount, failure amount and success amount), transaction condition distribution of various payment modes, transaction number distribution, transaction period distribution and the like.
Step S212: and performing outlier replacement based on the discrete degree of the initial transaction data to obtain first replacement data of the first initial data and second replacement data of the second initial data, and performing sample expansion on the second replacement data to obtain second expansion data.
In one embodiment, data related to transaction time and transaction amount, such as transaction amount interval distribution (total amount, failure amount, success amount), various payment transaction condition distribution, transaction count distribution, transaction period distribution, etc., is first obtained from initial transaction data, and data binning is performed on the data to obtain binning data. The data binning is performed according to a bin discretization index, for example, the bin discretization index corresponding to the transaction time may be: early morning [0, 6), morning [6, 12), afternoon [12, 18), and evening [18, 24), i.e. dividing the transaction time into 4 time segments according to natural time; the bin discretization index corresponding to the transaction amount may be: micro-amount transaction [0 element, 500 element), micro-amount transaction [500 element, 1000 element), medium-amount transaction [1000 element, 5000 element), and large-amount transaction [5000 element, or more), i.e. the transaction amount is divided into 4 parts according to the total amount in a certain time, wherein the time can be one month. It can be understood that the bin discretization index can be set according to actual requirements.
For example, in one embodiment, the transaction amount related data includes: the total transaction amount, deduction amount, recharging amount, cash withdrawal amount, deduction amount, quick payment amount, morning payment amount, afternoon payment amount, evening payment amount, and the bin data of the following table 1 and the following table 2 can be obtained according to the bin discretization index, and the separation into the following table 2 is only for illustration and clarity.
The binning data of Table 1
The binning data of Table 2
The binning data of the initial transaction data is obtained in the binning mode described above, and then the binning data is encoded, for example, one-hot encoded, which is a method of converting discrete features into binary vector representations. The data of the sub-boxes are converted into numerical data through coding, so that subsequent calculation is convenient.
And then measuring the discrete degree of the initial transaction data by utilizing the quartile distance, representing the discrete degree by calculating the difference between the upper quartile and the lower quartile in the data set of the initial transaction data, then taking the data exceeding the upper quartile and the lower quartile as an outlier, and replacing the outlier with the upper quartile or the lower quartile closest to the outlier to obtain the first replacement data of the first initial data and the second replacement data of the second initial data.
Because the transaction data of the abnormal account is far less than the transaction data of the normal account, namely the second initial data is far less than the first initial data, and the data of the abnormal account and the first initial data are unbalanced, the second replacement data needs to be subjected to sample expansion to obtain second expansion data.
The specific sample expansion can adopt an SMOTE algorithm to carry out oversampling, and new synthesized samples are generated by interpolating the second replacement data of a minority class, so that the number of the second replacement data is increased, and the effect of balancing the proportion between the second replacement data and the first replacement data is achieved. For example, the parameter k_neighbors in the SMOTE algorithm is set to 10, that is, the 10 neighboring points are taken to make the difference, a new sample point is synthesized, and the random seed parameter random_state is set to 0.
And obtaining first replacement data corresponding to the first initial data and second expansion data obtained after sample expansion of the second initial data through the data preprocessing process.
Step S213: and selecting account attribute data, transaction amount data, transaction quantity data and transaction time data from each piece of first replacement data to obtain first account data, generating a first transaction account sample, and setting an account label of the first transaction account sample as a normal account.
Step S214: and selecting account attribute data, transaction amount data, transaction quantity data and transaction time data from each second expansion data to obtain second account data, generating a second transaction account sample, and setting an account label of the second transaction account sample as an abnormal account.
Step S215: and obtaining an account transaction sample set according to the first transaction account sample and the second transaction account sample.
In an embodiment, the data extraction is performed on the first replacement data or the second expansion data, so as to select data with higher relevance to the prediction result from the first replacement data or the second expansion data, thereby reducing irrelevant data and improving efficiency and accuracy of subsequent data processing. In this embodiment, account attribute data, transaction amount data, transaction quantity data and transaction time data are selected to generate corresponding transaction account samples, where the account attribute data may include: registering the age and the binding number; the transaction amount data may include: transaction failure amount, deduction amount, recharge amount, quick payment amount, micropayment amount, and the like; the transaction amount data may include: total transaction number, successful number, substitute number, present number, recharge number, quick payment number, etc.; the transaction time data includes: the number of the morning payments, the number of the online payments, etc. It will be appreciated that the first account data and the second account data each include transaction indicators corresponding to the 19 specific data types, but are only schematic herein, and are not meant to be limiting in number and type.
Assuming that, for example, one month is taken as an example, data in a mobile window month is selected to form the first account data and the second account data, the meaning of the transaction index in the transaction account sample is as follows. Registration age: i.e. the actual age converted by the corresponding birth date on the identity card when the user registers the payment account. Binding card number: i.e. the number of bank cards (deduplication) bound in the last month (mobile window month) of the user's payment account. Transaction failure amount: i.e. the total number of amounts (units: units) the user failed to transact in the last month (moving window month). Deduction amount: i.e. the total amount (units: units) of the deduction transaction that the user has occurred in the last month (moving window month). Recharging amount: i.e. the total amount (units: units) of money for which the user has a refill transaction in the last month (moving window month). Quick payment amount: i.e. the total amount (units: units) of the fast payment transaction that the user has made in the last month (moving window month). Micropayment amount: that is, the user has a small amount transaction (the amount of the transaction unit is less than or equal to 500 yuan) in the last month (the moving window month). Micropayment amount: i.e., the user has a small transaction (the amount of the single transaction is less than or equal to 1000 yuan, > 500 yuan) in the last month (the moving window month). Medium payment amount: i.e. the user has a medium transaction (the single transaction amount is less than or equal to 5000 yuan, > 1000 yuan) in the last month (moving window month). Total transaction number: i.e., the transaction number (de-duplication by transaction order number) of the transaction that the user has transacted in the last month (moving window month). Successful number of strokes: i.e. the number of successful transactions that the user has transacted in the last month (moving window month). Number of paid notes: i.e., the number of transactions in which the user has made a payment transaction in the last month (moving window month). Number of pen-replacing button: i.e., the number of transactions that the user has made a withholding transaction in the last month (moving window month). Number of notes: i.e. the number of transactions that the user has made a present transaction in the last month (moving window month). Number of recharging strokes: i.e., the number of transactions in which the user has completed the refill transaction in the last month (the moving window month). Quick payment number: i.e. the transaction number of a quick payment transaction that the user has made in the last month (moving window month). The number of payments in the early morning: i.e. the number of transactions that the user has made in the morning 0, 6 in the last month (moving window month). Pay for the number of rounds in the morning: i.e., the number of transactions that the user has made in the last month (moving window month), at 6 am, 12 am. Pay the number of strokes at night: i.e. the number of transactions that the user has made in the last month (moving window month) and at night [18, 24 points). It will be appreciated that the number of strokes here needs to be de-duplicated according to the transaction order number.
Step S220: and acquiring the data weight of the account data, and acquiring a transaction sample vector of the transaction account sample according to the data weight and the account data.
In an embodiment, the influence degree of different account data on the prediction result in the prediction process is different, so that the embodiment of the application determines a dynamic data weight for each account data, and before the account data is used as a transaction account sample to be input into the safe prediction model, each account data is reconstructed according to the data weight, a transaction sample vector of the transaction account sample is obtained according to the data weight and the account data, the influence degree of the account data on the prediction result is reflected in the transaction sample vector, and the accuracy of the prediction result is further improved.
In an embodiment, the data weight of the account data may be obtained in advance by using the test data. And selecting a part of the first transaction account sample and the second transaction account sample from the account transaction sample set to form verification account samples, wherein each verification account sample comprises a corresponding verification account label. Each sample of the verification account thus likewise comprises a plurality of verification data, the verification data corresponding to the account data. Referring to fig. 4, in this embodiment, the process of acquiring the data weight of the account data specifically includes steps S221 to S224:
Step S221: and obtaining a verification sample vector according to the verification data and the initial value of the data weight.
The initial value of the data weight may be set to 1, and the verification sample vector may be obtained by multiplying the verification data and the corresponding data weight.
Step S222: and inputting the verification sample vector into a safety prediction model for result prediction to obtain a verification prediction value.
Step S223: and comparing the verification predicted value with the verification account label to obtain the result confidence coefficient.
After the verification sample vector is predicted, comparing the verification predicted value with the verification account label, if the verification predicted value is close to the verification account label, generating higher result confidence coefficient, otherwise, generating smaller result confidence coefficient;
step S224: and updating the data weight according to the result confidence.
Wherein, the adjustment amount of the data weight is determined according to the difference value between the confidence coefficient of the result and the confidence coefficient threshold (for example, 0.8). Since the number of verification sample vectors is greater than 1, the data weight can be updated according to the verification prediction value after each prediction of the verification sample vector. It is understood that the safety prediction model herein is a safety prediction model whose prediction accuracy meets the standard. For example, the data weight can be set to be 1, then the account transaction sample set is utilized to train the security prediction model to obtain the security prediction model meeting the requirements, then a part of the account transaction sample set is selected as a verification account sample, the data weight is updated, and then the updated data weight is utilized to retrain the security prediction model. The data weight may be an empirical value.
Step S230: and inputting the transaction sample vector into a security prediction model to perform result prediction to obtain an account prediction value.
Step S240: and comparing the account predicted value with the account label, generating a loss value according to the comparison result, and adjusting the model weight of each sub-model in the safety prediction model based on the loss value until the iteration termination condition is reached, so as to obtain the trained safety prediction model.
In an embodiment, the iteration termination condition may be that the iteration number reaches a preset number, or that the loss value meets a preset requirement, which is not limited in this embodiment.
In one embodiment, the safety prediction model is subjected to model evaluation, the prediction accuracy rate reaches 98%, the recall rate also reaches 98%, and the use requirement can be met.
The trained first safety predictor model, the trained second safety predictor model and the trained third safety predictor model are obtained through the mode. The transaction account security prediction method in the embodiment of the present application is described below.
Fig. 5 is an optional flowchart of a transaction account security prediction method provided in an embodiment of the present application, where the method in fig. 5 may include, but is not limited to, steps S510 to S540. It should be understood that the order of steps S510 to S540 in fig. 5 is not particularly limited, and the order of steps may be adjusted, or some steps may be reduced or increased according to actual requirements.
Step S510: first transaction data of the primary account is obtained.
In one embodiment, the primary account is a target account for which risk determination is required, transaction data is obtained, and the first transaction data is input into a security prediction model.
Step S520: and inputting the first transaction data into a first security prediction sub-model to conduct linear classification prediction to obtain a first security prediction result, and generating second transaction data according to the first transaction data and the first security prediction result.
In one embodiment, since the first safety predictor model is a logistic regression model, the specific process of step S520 includes: and acquiring index weights corresponding to each transaction index, calculating linear parameter values of the transaction index based on the index weights, obtaining first classification probability according to the first number of linear parameter values, and taking a classification result corresponding to the first classification probability as a first safety prediction result.
The expression of the first safety predictor model is as follows: z1=ω 0 +ω 1 x 1 +ω 2 x 2 +L+ω n x n Wherein z1 represents the regression result and n represents the first number, i.e. 19, ω in the above examples i An ith index weight representing the first safety predictor model, the index weight being obtained by model training, x i Represents the ith trade index omega i x i Representing the ith linear parameter value.
Wherein the activation function is a sigmoid activation function, expressed as:
wherein y1 represents a first security prediction result, that is, whether the primary account corresponding to the input first transaction data is a normal account or an abnormal account.
The first safety prediction result obtained through the linear prediction process of the first safety prediction sub-model may have false detection, so that further confirmation is required.
Step S530: and inputting the second transaction data into a second security prediction sub-model to conduct nonlinear classification prediction to obtain a second security prediction result, and generating third transaction data according to the first transaction data, the first security prediction result and the second security prediction result.
In one embodiment, the second security predictor model is a support vector machine model, and step S530 specifically includes: generating a second transaction vector of second transaction data according to the transaction index and the first security prediction result, acquiring a normal vector and an intercept of a hyperplane equation in the second security prediction sub-model, acquiring a second classification value based on the normal vector, the second transaction vector and the intercept, and generating a second security prediction result according to the relation between the second classification value and zero.
The trained support vector machine model can obtain a hyperplane, which is expressed as: w (w) T * x+b=0, where w represents the normal vector to the hyperplane and b represents the intercept. The transaction index and the first safety prediction result are spliced to generate a second transaction vector, the second transaction vector is taken as an independent variable x to be input into a hyperplane equation to obtain a second classification value, if the second classification value is greater than 0, the input is indicated to belong to the positive side of the hyperplane, namely, the second safety prediction result represents a normal account; if the second classification value is smaller than 0, it indicates that the input belongs to the negative side of the hyperplane, that is, the second security prediction result represents an abnormal account, and if the value is equal to 0, it indicates that the input belongs to the pending result on the hyperplane, which can be further determined in the third security prediction sub-model.
Step S540: and inputting the third transaction data into a third security prediction sub-model to perform comprehensive classification prediction to obtain a security prediction result used for representing that the primary account is a normal transaction account or the primary account is an abnormal transaction account.
The third safety predictor model is a gradient lifting model, so step S540 specifically includes: generating a third feature matrix of third transaction data according to feature values respectively corresponding to the transaction index, the first safety prediction result and the second safety prediction result, acquiring decision nodes and leaf nodes of a decision tree in a third safety prediction sub-model, selecting a target leaf node from the leaf nodes based on splitting conditions of the decision nodes and the third feature matrix, and taking the weight of the target leaf node as the safety prediction result.
In one embodiment, the trained third safety predictor model results in a decision tree comprising a plurality of sub-trees, each sub-tree being a classification and regression tree (Classification And Regression Tree, CART), the inputs and outputs of the classification and regression tree (CART) being classification variables, and the feature classification being continued for growth during construction. During training, a feature and a corresponding splitting condition are selected from the training data set, so that the concentration of the subset can be improved to the greatest extent based on the division of the feature and the splitting condition. The data set is then partitioned into two subsets using the selected optimal partitioning characteristics and splitting conditions, each subset containing samples that are classified into different categories according to the partitioning conditions. The above steps are then repeated for each subset until a stop condition is met, such as the number of samples in the node is less than a predetermined threshold, the depth of the tree reaches a predetermined value, or no effective partitioning can be performed any more. When the stop condition is met, the current node is marked as a leaf node, and the class label of the leaf node is determined, which is usually the majority vote result of the class to which the sample belongs in the node. The above steps continue to be recursively performed until all leaf nodes are generated, forming a complete decision tree. In the embodiment of the application, after training is completed, the third safety prediction sub-model gradually traverses each decision node in the decision tree according to the characteristic value of the input third transaction data when predicting, and finally reaches a certain leaf node. Upon reaching a leaf node, the third security predictor model outputs the weight of the leaf node as a predictor of the third transaction data. Specifically, the third security predictor model gradually compares the magnitude relation between the value of each feature in the third transaction data and the splitting condition of the decision node according to the structure of the decision tree, so as to decide whether to traverse the decision tree leftwards or rightwards. When a certain leaf node is reached, the third security prediction sub-model uses the weight of the leaf node as the security prediction result output by the third transaction data. In the classification problem of the present embodiment, the security prediction result is a probability value corresponding to whether the primary account is a normal account or an abnormal account. At this time, the weight of each leaf node in the third security predictor model represents the normalized value of the probability values of all the transaction account samples included in the training process, that is, the average value of the account labels of the transaction account samples on the leaf node.
According to the process, the accuracy of the prediction result of the primary account obtained through progressive prediction of the three sub-models is higher than that of the single model, and the accuracy of the result obtained through the common model cascading mode is also higher than that of the result obtained through progressive prediction of the single model.
In an embodiment, referring to fig. 6, fig. 6 is a schematic diagram of a training process of a safety prediction model in an embodiment of the present application.
Firstly, acquiring first initial data obtained according to transaction data of a normal account and second initial data obtained according to transaction data of an abnormal account, extracting attributes of the first initial data and the second initial data, performing descriptive analysis on the data, performing preprocessing operations such as outlier cleaning, missing value filling, data binning, ONE-Hot encoding, sample expansion and the like, and selecting account data to obtain a first transaction account sample and a second transaction account sample.
And then, acquiring account data and data weight of the transaction account sample to obtain a transaction sample vector of the transaction account sample, and inputting the transaction sample vector into a first security prediction sub-model to conduct linear classification prediction to obtain a first prediction result. And then, the first prediction result and the transaction sample vector are simultaneously input into a second safety prediction sub-model to conduct nonlinear classification prediction, so that a second prediction result is obtained. And then the first prediction result, the second prediction result and the transaction sample vector are input into a third safety prediction sub-model together for comprehensive classification prediction, so that the characteristic recognition result is obtained. And then sending the identification result to an air control system, acquiring a rechecking result obtained by rechecking the identification result by an air control expert, updating an account transaction sample set according to the rechecking result, and performing iterative optimization of the safety prediction model.
In a specific application scenario, taking a transaction of customer numbers of 1494 (hereinafter abbreviated as "tail number 1494 users") and 1875 (hereinafter abbreviated as "tail number 1875 users") in month 4 of xx as an example, a transaction list of 2 users is counted as shown in fig. 7.
The first transaction data corresponding to the two user accounts obtained from the transaction details in fig. 7 is shown in table 3 below.
/>
The security prediction results obtained by inputting the first transaction data into the security prediction model are shown in table 4.
| Member number | ****1875 | ****1494 |
| First safety prediction result | 0 | 1 |
| Second safety prediction result | 0 | 1 |
| Safety prediction result | 0 | 1 |
| Final result | 0 | 1 |
In summary, the security prediction model identifies "Tail No. 1494 user" as an abnormal transaction account and "Tail No. 1875 user" as a normal transaction account. It is actually easy to see from the transaction behavior that the "tail number 1494 user" only has 4 transactions in one month, and the in and out amounts are equal, wherein three transactions are fast-in and fast-out transactions with the same amount, and the suspected transition account transaction can be guessed.
The safety prediction model of the embodiment of the application fuses three different types of submodels of logistic regression, support vector machine and extreme gradient lifting tree, and has the advantages of the three model algorithms. Wherein logistic regression can handle two classification problems and has interpretability; the support vector machine model can process high-dimensional data and nonlinear data; an extreme gradient-lifted tree may capture complex relationships between variables. Because the embodiment of the application uses a plurality of sub-models and combines the sub-models to form a comprehensive safety prediction model, the safety prediction model can better utilize the advantages of respective algorithms relative to a single model and improves the overall prediction accuracy. The safety prediction model combines different basic learners to predict, and even if errors and noise exist in a single algorithm, the overall result is not affected. Meanwhile, the support vector machine and the extreme gradient lifting tree have the capability of processing large-scale data sets, so that the safety prediction model of the embodiment of the application can also rapidly process large-scale data and generate high-quality and reliable results in a short time.
According to the technical scheme provided by the embodiment of the application, the first transaction data of the primary account is obtained, then the first transaction data is input into the first security prediction sub-model to conduct linear classification prediction to obtain a first security prediction result, second transaction data is generated according to the first transaction data and the first security prediction result, then the second transaction data is input into the second security prediction sub-model to conduct nonlinear classification prediction to obtain a second security prediction result, third transaction data is generated according to the first transaction data, the first security prediction result and the second security prediction result, finally the third transaction data is input into the third security prediction sub-model to conduct comprehensive classification prediction to obtain the security prediction result used for representing that the primary account is a normal transaction account or that the primary account is an abnormal transaction account. In the embodiment of the application, three complete independent predictions are sequentially performed by using three safety prediction sub-models, wherein the linear prediction process can determine an obvious abnormal mode, the nonlinear prediction process continues to extract higher-order complex features to predict on the basis of the linear prediction result, then the comprehensive prediction process comprehensively analyzes based on the two previous prediction results and transaction data of an initial account, a plurality of influence factors are comprehensively considered, the prediction result is progressively enhanced, and the accuracy of the prediction result is improved.
In addition, the risk early warning method and device can improve the accuracy of risk early warning, reduce the workload of wind control auditing and guarantee the user experience of normal transaction accounts on the basis of guaranteeing correct early warning of abnormal transaction accounts; the recall rate of risk early warning can be improved, more abnormal transaction accounts can be early warned than the rules of the wind control expert on the basis of ensuring the early warning accuracy rate, and a protection barrier is added for the continuous and steady development of business; the method is applicable to different payment account transaction scenes, and has the advantages of high universality and strong expansibility.
The embodiment of the application also provides a transaction account security prediction device, which can implement the transaction account security prediction method, and referring to fig. 8, the device includes:
transaction data acquisition module 810: for obtaining first transaction data for the primary account.
Linear prediction module 820: and the first transaction data is input into the first security prediction sub-model to conduct linear classification prediction, a first security prediction result is obtained, and second transaction data is generated according to the first transaction data and the first security prediction result.
Nonlinear prediction module 830: and the second transaction data is input into the second security prediction sub-model to conduct nonlinear classification prediction, a second security prediction result is obtained, and third transaction data is generated according to the first transaction data, the first security prediction result and the second security prediction result.
Comprehensive prediction module 840: and the third transaction data is input into a third security prediction sub-model to carry out comprehensive classification prediction, so that a security prediction result used for representing that the primary account is a normal transaction account or the primary account is an abnormal transaction account is obtained.
The specific implementation of the transaction account security prediction device in this embodiment is substantially identical to the specific implementation of the transaction account security prediction method described above, and will not be described herein.
The embodiment of the application also provides electronic equipment, which comprises: at least one memory; at least one processor; at least one program; the program is stored in the memory, and the processor executes the at least one program to implement the transaction account security prediction method described above. The electronic equipment can be any intelligent terminal including a mobile phone, a tablet personal computer, a personal digital assistant (Personal Digital Assistant, PDA for short), a vehicle-mounted computer and the like.
Referring to fig. 9, fig. 9 illustrates a hardware structure of an electronic device according to another embodiment, the electronic device includes: the processor 901 may be implemented by a general purpose CPU (central processing unit), a microprocessor, an application specific integrated circuit (ApplicationSpecificIntegratedCircuit, ASIC), or one or more integrated circuits, etc. for executing related programs to implement the technical solutions provided by the embodiments of the present application; the memory 902 may be implemented in the form of a ROM (read only memory), a static storage device, a dynamic storage device, or a RAM (random access memory). The memory 902 may store an operating system and other application programs, and when the technical solutions provided in the embodiments of the present application are implemented by software or firmware, relevant program codes are stored in the memory 902, and the processor 901 invokes the transaction account security prediction method to execute the embodiments of the present application; an input/output interface 903 for inputting and outputting information; the communication interface 904 is configured to implement communication interaction between the device and other devices, and may implement communication in a wired manner (e.g. USB, network cable, etc.), or may implement communication in a wireless manner (e.g. mobile network, WIFI, bluetooth, etc.); and a bus 905 for transferring information between the various components of the device (e.g., the processor 901, the memory 902, the input/output interface 903, and the communication interface 904); wherein the processor 901, the memory 902, the input/output interface 903 and the communication interface 904 are communicatively coupled to each other within the device via a bus 905.
The embodiment of the application also provides a storage medium, wherein the storage medium is a storage medium, and a computer program is stored in the storage medium, and when the computer program is executed by a processor, the transaction account security prediction method is realized.
The memory, as a non-transitory storage medium, may be used to store non-transitory software programs as well as non-transitory computer-executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
According to the transaction account security prediction method, the transaction account security prediction device, the electronic equipment and the storage medium, first transaction data of an initial account are obtained, then the first transaction data are input into a first security prediction sub-model to conduct linear classification prediction to obtain a first security prediction result, second transaction data are generated according to the first transaction data and the first security prediction result, then the second transaction data are input into a second security prediction sub-model to conduct nonlinear classification prediction to obtain a second security prediction result, third transaction data are generated according to the first transaction data, the first security prediction result and the second security prediction result, finally the third transaction data are input into a third security prediction sub-model to conduct comprehensive classification prediction to obtain the security prediction result used for representing that the initial account is a normal transaction account or the initial account is an abnormal transaction account. In the embodiment of the application, three complete independent predictions are sequentially performed by using three safety prediction sub-models, wherein the linear prediction process can determine an obvious abnormal mode, the nonlinear prediction process continues to extract higher-order complex features to predict on the basis of the linear prediction result, then the comprehensive prediction process comprehensively analyzes based on the two previous prediction results and transaction data of an initial account, a plurality of influence factors are comprehensively considered, the prediction result is progressively enhanced, and the accuracy of the prediction result is improved.
The embodiments described in the embodiments of the present application are for more clearly describing the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application, and as those skilled in the art can know that, with the evolution of technology and the appearance of new application scenarios, the technical solutions provided by the embodiments of the present application are equally applicable to similar technical problems.
It will be appreciated by those skilled in the art that the technical solutions shown in the figures do not constitute limitations of the embodiments of the present application, and may include more or fewer steps than shown, or may combine certain steps, or different steps.
The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
The terms "first," "second," "third," "fourth," and the like in the description of the present application and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in this application, "at least one" means one or more, and "a plurality" means two or more. "and/or" for describing the association relationship of the association object, the representation may have three relationships, for example, "a and/or B" may represent: only a, only B and both a and B are present, wherein a, B may be singular or plural. The character "/" generally indicates that the context-dependent object is an "or" relationship. "at least one of" or the like means any combination of these items, including any combination of single item(s) or plural items(s). For example, at least one (one) of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the above-described division of units is merely a logical function division, and there may be another division manner in actual implementation, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in part or all of the technical solution or in part in the form of a software product stored in a storage medium, including multiple instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the various embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing a program.
Preferred embodiments of the present application are described above with reference to the accompanying drawings, and thus do not limit the scope of the claims of the embodiments of the present application. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and spirit of the embodiments of the present application shall fall within the scope of the claims of the embodiments of the present application.
Claims (10)
1. A transaction account security prediction method, comprising:
acquiring first transaction data of an initial account;
inputting the first transaction data into a first safety prediction sub-model for linear classification prediction to obtain a first safety prediction result, and generating second transaction data according to the first transaction data and the first safety prediction result;
inputting the second transaction data into a second safety prediction sub-model to conduct nonlinear classification prediction to obtain a second safety prediction result, and generating third transaction data according to the first transaction data, the first safety prediction result and the second safety prediction result;
and inputting the third transaction data into a third security prediction sub-model to perform comprehensive classification prediction to obtain a security prediction result used for representing that the primary account is a normal transaction account or the primary account is an abnormal transaction account.
2. The transaction account security prediction method according to claim 1, wherein the first transaction data includes a first number of transaction indicators; the first security prediction sub-model is a logistic regression model, and the inputting the first transaction data into the first security prediction sub-model for linear classification prediction to obtain a first security prediction result comprises the following steps:
Acquiring an index weight corresponding to each transaction index;
calculating a linear parameter value of the trade index based on the index weight;
and obtaining a first classification probability according to the first number of the linear parameter values, and taking a classification result corresponding to the first classification probability as the first safety prediction result.
3. The transaction account security prediction method according to claim 1, wherein the first transaction data includes a first number of transaction indicators; the second safety predictor model is a support vector machine model; inputting the second transaction data into a second security prediction sub-model for nonlinear classification prediction to obtain a second security prediction result, wherein the method comprises the following steps of:
generating a second transaction vector of the second transaction data according to the transaction index and the first security prediction result;
acquiring normal vectors and intercepts of hyperplanes in the second safety predictor model;
and obtaining a second classification value based on the normal vector, the second transaction vector and the intercept, and generating the second safety prediction result according to the relation between the second classification value and zero.
4. The transaction account security prediction method according to claim 1, wherein the first transaction data includes a first number of transaction indicators; the third safety predictor model is a gradient lifting model; the step of inputting the third transaction data into a third security prediction sub-model for comprehensive classification prediction to obtain a security prediction result for representing that the primary account is a normal transaction account or the primary account is an abnormal transaction account, comprising the following steps:
Generating a third feature matrix of the third transaction data according to the feature values respectively corresponding to the transaction index, the first safety prediction result and the second safety prediction result;
acquiring decision nodes and leaf nodes of a decision tree in the third safety predictor model;
and selecting a target leaf node from the leaf nodes based on the splitting condition of the decision node and the third feature matrix, and taking the weight of the target leaf node as the safety prediction result.
5. The transaction account security prediction method according to any one of claims 1 to 4, wherein the first, second and third security predictor models constitute a security predictor model, the method further comprising, prior to inputting the first transaction data into the first security predictor model for linear classification prediction:
constructing an account transaction sample set; the account transaction sample set comprises a transaction account sample and an account label, wherein the transaction account sample comprises a plurality of account data;
acquiring the data weight of the account data, and acquiring a transaction sample vector of the transaction account sample according to the data weight and the account data;
Inputting the transaction sample vector into the safety prediction model to perform result prediction to obtain an account prediction value;
and comparing the account predicted value with the account label, generating a loss value according to a comparison result, and adjusting the model weight of each sub-model in the safety prediction model based on the loss value until an iteration termination condition is reached, so as to obtain the trained safety prediction model.
6. The transaction account security prediction method according to claim 5, wherein the set of account transaction samples further comprises a verification account sample and a verification account tag, the verification account sample comprising a plurality of verification data, the verification data corresponding to the account data; the obtaining of the data weight of the account data comprises the following steps:
obtaining a verification sample vector according to the verification data and the initial value of the data weight; the initial value is 1;
inputting the verification sample vector into the safety prediction model to perform result prediction to obtain a verification prediction value;
comparing the verification predicted value with the verification account label to obtain a result confidence coefficient;
and updating the data weight according to the result confidence.
7. The transaction account security prediction method according to claim 5, wherein the constructing an account transaction sample set includes:
acquiring a plurality of initial transaction data, wherein the initial transaction data comprise first initial data obtained according to transaction data of a normal account and second initial data obtained according to transaction data of an abnormal account;
performing outlier replacement based on the discrete degree of the initial transaction data to obtain first replacement data of the first initial data and second replacement data of the second initial data, and performing sample expansion on the second replacement data to obtain second expansion data;
selecting account attribute data, transaction amount data, transaction quantity data and transaction time data from each piece of first replacement data to obtain first account data, generating a first transaction account sample, and setting an account label of the first transaction account sample as a normal account;
selecting account attribute data, transaction amount data, transaction quantity data and transaction time data from each second expansion data to obtain second account data, generating a second transaction account sample, and setting account labels of the second transaction account sample as abnormal accounts;
Obtaining the account transaction sample set according to the first transaction account sample and the second transaction account sample.
8. A transaction account security prediction device, comprising:
a transaction data acquisition module: first transaction data for acquiring an initial account;
linear prediction module: the method comprises the steps of inputting first transaction data into a first safety prediction sub-model to conduct linear classification prediction to obtain a first safety prediction result, and generating second transaction data according to the first transaction data and the first safety prediction result;
nonlinear prediction module: the second transaction data is input into a second safety prediction sub-model to conduct nonlinear classification prediction, a second safety prediction result is obtained, and third transaction data is generated according to the first transaction data, the first safety prediction result and the second safety prediction result;
and the comprehensive prediction module is used for: and the third transaction data are input into a third security prediction sub-model to carry out comprehensive classification prediction, so that a security prediction result used for representing that the primary account is a normal transaction account or the primary account is an abnormal transaction account is obtained.
9. An electronic device comprising a memory storing a computer program and a processor that when executing the computer program implements the transaction account security prediction method of any of claims 1 to 7.
10. A storage medium storing a computer program, wherein the computer program when executed by a processor implements the transaction account security prediction method of any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311484871.0A CN117689385A (en) | 2023-11-08 | 2023-11-08 | Transaction account security prediction method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311484871.0A CN117689385A (en) | 2023-11-08 | 2023-11-08 | Transaction account security prediction method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117689385A true CN117689385A (en) | 2024-03-12 |
Family
ID=90132820
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311484871.0A Pending CN117689385A (en) | 2023-11-08 | 2023-11-08 | Transaction account security prediction method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117689385A (en) |
-
2023
- 2023-11-08 CN CN202311484871.0A patent/CN117689385A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107316198B (en) | Account risk identification method and device | |
| US8543522B2 (en) | Automatic rule discovery from large-scale datasets to detect payment card fraud using classifiers | |
| CN109410036A (en) | A kind of fraud detection model training method and device and fraud detection method and device | |
| CN105426356B (en) | A kind of target information recognition methods and device | |
| CN108520343A (en) | Risk model training method, Risk Identification Method, device, equipment and medium | |
| CN111639516B (en) | Analysis platform based on machine learning | |
| CN110111198A (en) | User's financial risks predictor method, device, electronic equipment and readable medium | |
| CN110852881B (en) | Risk account identification method and device, electronic equipment and medium | |
| CN110751557A (en) | Abnormal fund transaction behavior analysis method and system based on sequence model | |
| CN112329816A (en) | Data classification method and device, electronic equipment and readable storage medium | |
| CN115081641A (en) | Model training method, estimation result prediction method, device and storage medium | |
| CN113449753B (en) | Service risk prediction method, device and system | |
| CN110956278A (en) | Method and system for retraining machine learning models | |
| CN113807469A (en) | Multi-energy user value prediction method, device, storage medium and equipment | |
| CN115099326A (en) | Behavior prediction method, behavior prediction device, behavior prediction equipment and storage medium based on artificial intelligence | |
| CN109242165A (en) | A kind of model training and prediction technique and device based on model training | |
| CN109117352B (en) | Server performance prediction method and device | |
| CN113704637A (en) | Object recommendation method, device and storage medium based on artificial intelligence | |
| CN113435900A (en) | Transaction risk determination method and device and server | |
| CN116757476A (en) | Method and device for constructing risk prediction model and method and device for risk prevention and control | |
| CN116704581A (en) | Face recognition method, device, equipment and storage medium | |
| CN115358878A (en) | Financing user risk preference level analysis method and device | |
| CN117689385A (en) | Transaction account security prediction method, device, equipment and storage medium | |
| CN116861226A (en) | Data processing method and related device | |
| CN111984842B (en) | Bank customer data processing method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |