CN117934001A

CN117934001A - Transaction abnormality detection method and device, electronic equipment and storage medium

Info

Publication number: CN117934001A
Application number: CN202410108882.7A
Authority: CN
Inventors: 孔文佳
Original assignee: Agricultural Bank of China
Current assignee: Agricultural Bank of China
Priority date: 2024-01-25
Filing date: 2024-01-25
Publication date: 2024-04-26

Abstract

The invention discloses a transaction abnormality detection method, a transaction abnormality detection device, electronic equipment and a storage medium. Relates to the technical field of financial security management and control, and the method comprises the following steps: acquiring transaction data of a target transaction, wherein the transaction data comprises transaction content and user information of a payment user; inputting user information into a first preset model of a current version, and determining standard behavior information of a payment user; inputting transaction content, user information and standard behavior information into a second preset model of the current version, and determining an analysis result of the target transaction; and detecting whether the target transaction is abnormal according to the analysis result. The scheme provided by the invention can accurately and timely detect whether the target transaction in various scenes is abnormal, thereby effectively reducing abnormal transactions such as theft and brushing, fraud and the like and guaranteeing the asset safety of users.

Description

Transaction abnormality detection method and device, electronic equipment and storage medium

Technical Field

The present invention relates to the field of financial security management and control technologies, and in particular, to a transaction anomaly detection method, apparatus, electronic device, and storage medium.

Background

With the popularity of mobile devices (e.g., smartphones, tablet computers), more and more users choose to transact in a mobile payment manner, which tightly binds the user's assets with the mobile device. Accordingly, this trend also increases the potential safety risk: once the user's mobile device is lost, stolen, or hacked, it is likely to result in loss of the user's assets and compromise of personal privacy. Therefore, it is important to detect whether there is an abnormality in a transaction when a user makes a mobile payment.

Currently, detecting whether a transaction is abnormal is mainly divided into two ways: one is to use predefined rules to detect, for example, that individual transaction amounts, transaction frequencies, transaction locations, etc. may be limited, if a transaction violates these rules, indicating that the transaction is abnormal; the other is to use a machine learning model to detect, and by training and modeling a large amount of transaction data, the difference between normal transaction and abnormal transaction can be automatically identified, so as to achieve the purpose of detection.

However, both the rules and the machine learning model in the above two modes are predefined/trained, are not flexible and accurate enough for complex payment environments, and often cannot be recognized in time when new abnormal scenes (such as novel fraudulent behaviors, changing attack patterns, etc.) occur, resulting in missed detection situations.

Disclosure of Invention

The invention provides a transaction anomaly detection method, a transaction anomaly detection device, electronic equipment and a storage medium, which can accurately and timely detect whether the target transaction in various scenes is abnormal, thereby effectively reducing abnormal transactions such as theft and brushing, fraud and the like and guaranteeing the asset safety of users.

According to an aspect of the present invention, there is provided a transaction abnormality detection method including: acquiring transaction data of a target transaction, wherein the transaction data comprises transaction content and user information of a payment user; inputting user information into a first preset model of a current version, and determining standard behavior information of a payment user; inputting transaction content, user information and standard behavior information into a second preset model of the current version, and determining an analysis result of the target transaction; and detecting whether the target transaction is abnormal according to the analysis result.

Optionally, the preset model of the current version is a model obtained by training the preset model of the previous version according to the training data set of the previous period by using an online learning algorithm; the preset model is a first preset model or a second preset model.

Optionally, the method for training to obtain the preset model of the current version includes: acquiring a training data set of a previous period and a preset model of the previous version, wherein the training data set of the previous period comprises a plurality of training data generated in the previous period, one training data comprises at least one type of sub data, and one type of sub data corresponds to one dimension; inputting the sub data of the same dimension into a preset model of a previous version, and constructing a loss function of the preset model of the previous version, wherein the learning rates of the sub data of different dimensions are different; according to the loss function, adjusting parameters of a preset model of the previous version; and taking the preset model of the last version with the parameters adjusted as the preset model of the current version.

Optionally, acquiring the preset model of the previous version includes: when the preset model is a first preset model, acquiring a first initial model and a version number of a previous version; determining a first parameter corresponding to the version number of the previous version; determining a first preset model of the previous version according to the first parameter and the first initial model; when the preset model is a second preset model, acquiring a second initial model and a version number of a previous version; determining a second parameter corresponding to the version number of the previous version; and determining a second preset model of the previous version according to the second parameters and the second initial model.

Optionally, the method further comprises: preprocessing transaction data, wherein the preprocessing comprises denoising, deduplication, missing value processing, outlier processing and format conversion processing; and taking the preprocessed transaction data as training data, and storing the training data in a training data set of the current period.

Optionally, the analysis result includes an abnormality assessment parameter; detecting whether the target transaction is abnormal according to the analysis result, including: if the abnormality evaluation parameter is smaller than or equal to a preset threshold value, determining that no abnormality exists in the target transaction; if the abnormality evaluation parameter is greater than a preset threshold, determining that abnormality exists in the target transaction.

Optionally, after determining that the target transaction is abnormal, the method further includes: and determining an abnormal grade corresponding to the target transaction, and executing corresponding abnormal control measures according to the abnormal grade.

According to another aspect of the present invention, there is provided a transaction abnormality detection device including: the device comprises an acquisition module, an analysis module and a detection module; the acquisition module is used for acquiring transaction data of the target transaction, wherein the transaction data comprises transaction content and user information of a payment user; the analysis module is used for inputting the user information into the first preset model of the current version and determining the standard behavior information of the payment user; inputting transaction content, user information and standard behavior information into a second preset model of the current version, and determining an analysis result of the target transaction; and the detection module is used for detecting whether the target transaction is abnormal or not according to the analysis result.

According to another aspect of the present invention, there is provided an electronic apparatus including: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores a computer program executable by the at least one processor, and the computer program is executed by the at least one processor to enable the at least one processor to perform the transaction anomaly detection method according to any one of the embodiments of the present invention.

According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to execute a transaction anomaly detection method according to any one of the embodiments of the present invention.

According to the technical scheme, standard behavior information of a payment user is determined by acquiring transaction data of a target transaction and inputting user information in the transaction data into a first preset model of a current version; inputting the transaction data and the standard behavior information into a second preset model of the current version, and determining an analysis result of the target transaction; and finally, detecting whether the target transaction is abnormal or not according to the analysis result. Because the invention sets the first preset model and the second preset model, the first preset model can determine the standard behavior information of the payment user based on the user information, and standardized information is provided for the second preset model, thereby improving the accuracy of analysis results and achieving the purpose of accurately and timely detecting whether the target transaction in various scenes is abnormal or not. Meanwhile, the preset model of the current version is a model obtained by training the preset model of the previous version according to the training data set of the previous period by using an online learning algorithm, and therefore, the first preset model and the second preset model can be continuously optimized and updated to adapt to continuously changed transaction scenes. In addition, when the abnormality of the target transaction is detected, the invention can also determine the abnormality level corresponding to the target transaction and execute the corresponding abnormality control measures, thereby effectively reducing abnormal transactions such as theft and brushing, fraud and the like and guaranteeing the asset security of the user.

It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

Fig. 1 is a flow chart of a transaction anomaly detection method according to a first embodiment of the present invention;

fig. 2 is a flow chart of a transaction anomaly detection method according to a second embodiment of the present invention;

fig. 3 is a schematic structural diagram of a transaction anomaly detection device according to a third embodiment of the present invention;

Fig. 4 is a schematic structural diagram of another transaction abnormality detection device according to the third embodiment of the present invention;

Fig. 5 is a schematic structural diagram of another transaction abnormality detection device according to the third embodiment of the present invention;

Fig. 6 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.

Detailed Description

In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.

It should be noted that the terms "first," "second," "target," "initial," "candidate," and the like in the description and claims of the present invention and in the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.

Example 1

Fig. 1 is a flow chart of a transaction anomaly detection method according to an embodiment of the present invention, where the method may be applied to detect whether a transaction is anomaly, and the method may be performed by a transaction anomaly detection device, which may be implemented in hardware and/or software, and the transaction anomaly detection device may be configured in an electronic device (such as a computer or a server). As shown in fig. 1, the method includes:

S110, acquiring transaction data of a target transaction, wherein the transaction data comprises transaction content and user information of a payment user.

The transaction anomaly detection method provided by the invention can be suitable for various financial transaction scenes, and is especially suitable for mobile payment transaction scenes. In a mobile payment transaction scenario, which generally involves both parties to the transaction, namely a payment user (or referred to as a payor) and a payee user (or referred to as a payee), the user referred to in the present invention generally refers to the payment user.

The target transaction is any transaction for which the presence of an anomaly is to be detected. The target transaction, when generated, generates transaction data. In one embodiment, the transaction data may include transaction content including, but not limited to, transaction records (e.g., transaction serial number, transaction amount, transaction time, transaction location, etc.), and user information of the payment user including, but not limited to, user identification, user behavior log, device information, geographic location of the user, etc. Further, the transaction data may also include user information of the payee user.

Transaction data may be generated from multiple data sources, and thus, the transaction anomaly detection device needs to collect, integrate, and correlate data from the multiple data sources. Optionally, the collected related data can be preprocessed, so that a high-quality data base is provided for subsequent steps. Specifically, the preprocessing may include denoising processing, deduplication processing, missing value processing, outlier processing, and format conversion processing.

S120, inputting the user information into a first preset model of the current version, and determining standard behavior information of the payment user.

The transaction anomaly detection device stores a first preset model and a second preset model, wherein the first preset model and the second preset model are updated periodically/aperiodically. For example, the first preset model and the second preset model may be updated according to a preset period; for another example, the first and second preset models may be updated based on an update instruction.

Each time the first and second predetermined models are updated, a version is generated. Specifically, the preset model of the current version is a model obtained by training the preset model of the previous version according to the training data set of the previous cycle by using an online learning algorithm, wherein the preset model is a first preset model or a second preset model. That is, the first preset model of the current version is a model obtained by training the first preset model of the previous version according to the training data set of the previous period by using an online learning algorithm; the second preset model of the current version is a model obtained by training the second preset model of the previous version according to the training data set of the previous period by utilizing an online learning algorithm. Model parameters may be different or the same between different versions.

Table 1 shows examples of different versions of a first preset model and a second preset model.

Table 1 different versions of the first and second preset models

Version number	Version time	First preset model	Second preset model
				1	XXXX year, X month and X day	Model parameters 1.1	Model parameters 2.1
2	XXXX year, X month and Y day	Model parameters 1.2	Model parameters 2.2
				……	……	……	……
n	XXXX year, X month and Z day	Model parameters 1.N	Model parameters 2.N

As shown in table 1, the first preset model and the second preset model of the initial version are the first preset model and the second preset model corresponding to the version number 1, and the model parameters are 1.1 and 2.1, respectively. The first preset model and the second preset model of the current version are the first preset model and the second preset model corresponding to the version number n, and model parameters are 1.N and 2.N respectively.

The first preset model is a model which is trained in advance and can model and describe the behavior of the payment user. After the transaction data of the target transaction are acquired, user information is input into a first preset model of the current version, and standard behavior information of the payment user is determined. The standard behavior information is standardized information, and can measure the behavior mode and characteristics of the payment user under normal conditions in a standardized way.

S130, inputting the transaction content, the user information and the standard behavior information into a second preset model of the current version, and determining an analysis result of the target transaction.

The second preset model is a model which is trained in advance, can analyze target transactions and determine differences between the target transactions and normal transactions. The second preset model may be integrated with a detection algorithm, which may include at least one of a threshold-based algorithm, a probability-based algorithm, and a machine-learning-based algorithm.

And inputting the transaction content, the user information and the standard behavior information into a second preset model of the current version, so that the second preset model analyzes the transaction data of the target transaction based on the detection algorithm and the standardized information to obtain an analysis result of the target transaction.

The first preset model can determine the standard behavior information of the payment user based on the user information, and standardized information is provided for the second preset model, so that the accuracy of an analysis result is improved, and the aim of accurately and timely detecting whether the target transaction in various scenes is abnormal or not is fulfilled.

And S140, detecting whether the target transaction is abnormal or not according to the analysis result.

The analysis results may include an anomaly evaluation parameter. In one implementation, the anomaly evaluation parameter may be embodied in the form of an anomaly evaluation score, e.g., the higher the anomaly evaluation score, the greater the likelihood that an anomaly exists for the target transaction; the lower the anomaly evaluation score, the less likely that anomalies are present in the target transaction.

In another implementation manner, the abnormality evaluation parameter may be embodied in the form of an abnormality evaluation index, for example, the greater the number of abnormality evaluation indexes, the greater the likelihood that there is an abnormality in the target transaction; the smaller the number of abnormality evaluation indicators, the less likely that an abnormality exists in the target transaction.

In one embodiment, according to the analysis result, the method for detecting whether the target transaction is abnormal may include: if the abnormality evaluation parameter is smaller than or equal to a preset threshold value, determining that no abnormality exists in the target transaction; if the abnormality evaluation parameter is greater than a preset threshold, determining that abnormality exists in the target transaction.

For example, when the abnormality evaluation parameter is embodied in the form of an abnormality evaluation score, the preset threshold may be a preset score, such as 80 points. If the abnormality evaluation score is less than or equal to 80 points, determining that no abnormality exists in the target transaction; if the abnormality evaluation score is greater than 80 points, determining that the target transaction is abnormal.

Also by way of example, when the abnormality evaluation parameter is embodied in the form of an abnormality evaluation index, the preset threshold value may be a preset index number, such as 3. If the number of the abnormality evaluation indexes is less than or equal to 3, determining that no abnormality exists in the target transaction; if the number of the abnormality evaluation indexes is greater than 3, determining that the target transaction is abnormal.

Further, for the situation that the target transaction has an abnormality, the invention can divide the abnormality into a plurality of abnormality levels. Therefore, after the abnormality of the target transaction is determined, the abnormality grade corresponding to the target transaction can be determined, and corresponding abnormality control measures are executed according to the abnormality grade, so that abnormal transactions such as theft and brushing, fraud and the like are effectively reduced, and the asset safety of a user is ensured.

For example, assuming that the anomalies are classified into 2 anomaly levels, when the anomaly level corresponding to the target transaction is level 1, a level 1 anomaly control measure may be performed, such as triggering a user authentication mechanism (including but not limited to requiring the user to provide additional authentication information) to determine the validity of the transaction; when the target transaction corresponds to an anomaly level of 2, level 2 anomaly control measures may be performed, such as rejecting the transaction, freezing the account, sending an alert or notification to the relevant entity, etc.

Example two

Fig. 2 is a flow chart of a transaction anomaly detection method according to a second embodiment of the present invention, and on the basis of the first embodiment, the present embodiment provides a method for updating a first preset model and a second preset model. As shown in fig. 2, the method includes:

S201, acquiring a training data set of a previous period and a preset model of a previous version, wherein the training data set of the previous period comprises a plurality of training data generated in the previous period, one training data comprises at least one type of sub data, one type of sub data corresponds to one dimension, and the preset model is a first preset model or a second preset model.

In the present invention, the transaction abnormality detection device stores the first preset model or the second preset model. The first and second predetermined models are updated continuously periodically/aperiodically. Each time the first and second predetermined models are updated, a version is generated.

Specifically, the preset model of the current version is a model obtained by training the preset model of the previous version according to the training data set of the previous cycle by using an online learning algorithm, wherein the preset model is a first preset model or a second preset model. That is, the first preset model of the current version is a model obtained by training the first preset model of the previous version according to the training data set of the previous period by using an online learning algorithm; the second preset model of the current version is a model obtained by training the second preset model of the previous version according to the training data set of the previous period by utilizing an online learning algorithm. Therefore, for the first preset model and the second preset model, steps S201 to S204 in the present embodiment need to be performed, respectively, to realize updating of the models.

In one embodiment, the training data may be transaction data for transactions generated during the previous cycle. One training data includes at least one type of sub-data, e.g., each type of sub-data in the transaction data (e.g., transaction amount, transaction serial number, transaction time, transaction location, user identification, user behavior log, device information, geographic location of the user, etc.) corresponds to a dimension. The dimensions corresponding to the different types of sub-data may be the same or different.

In an embodiment, for the first preset model, the method for obtaining the first preset model of the previous version may include: acquiring a version number of a first initial model and a version number of a last version; determining a first parameter corresponding to the version number of the previous version; and determining a first preset model of the previous version according to the first parameters and the first initial model.

Similarly, for the second preset model, the method for obtaining the second preset model of the previous version may include: acquiring a version number of the second initial model and the version number of the last version; determining a second parameter corresponding to the version number of the previous version; and determining a second preset model of the previous version according to the second parameters and the second initial model.

It should be noted that, a version number of a version corresponds to a set of parameters (including a first parameter and a second parameter). The first parameter is a parameter of the first preset model of the version, and the second parameter is a parameter of the second preset model of the version. Substituting the first parameter into a first initial model to obtain a first preset model of the version; substituting the second parameter into the second initial model to obtain a second preset model of the version.

In addition, when the version number of the previous version is the initial version number, the parameters corresponding to the initial version number are parameters of the first initial model and the second initial model. That is, when the version number of the previous version is the initial version number, the first preset model of the previous version is the first initial model, and the second preset model of the previous version is the second initial model.

S202, inputting the sub-data of the same dimension into a preset model of a previous version, and constructing a loss function of the preset model of the previous version, wherein learning rates of the sub-data of different dimensions are different.

S203, according to the loss function, adjusting parameters of a preset model of the previous version.

As can be seen from the combination of steps S202-S203, the method is to train the preset model by taking the dimension of the sub-data as the granularity. Because the learning rates of the sub-data with different dimensions are different, the sub-data with the same dimension is input into the preset model with the previous version, and the loss function of the preset model with the previous version is constructed, so that the parameters of the preset model with the previous version are adjusted according to the loss function, the non-uniformity of the training data on different characteristics can be fully considered, and the accuracy and the flexibility of the preset model are improved.

Alternatively, the online learning algorithm may be FTRL (Follow-the-regularized-Leader) algorithm. The FTRL algorithm is a common optimization algorithm suitable for processing ultra-large scale data and comprising online learning of a large number of sparse features. The FTRL algorithm combines the advantages of FOBOS (Forward-Backward Splitting) algorithm and redundancy analysis (redundancy analysis, RDA) algorithm, can ensure higher precision with FOBOS, and can generate better sparsity under the condition of losing certain precision.

S204, taking the preset model of the last version with the parameters adjusted as the preset model of the current version.

And when the parameters of the preset model of the previous version are adjusted according to the sub-data of all dimensions, taking the preset model of the previous version with the adjusted parameters as the preset model of the current version.

Parameters of the preset model of the previous version can be adjusted according to the sub-data of a certain dimension in sequence according to a certain sequence; and can also be adjusted according to the sub-data of each dimension at the same time. The embodiment of the present invention is not particularly limited thereto.

S205, acquiring transaction data of a target transaction, wherein the transaction data comprises transaction content and user information of a payment user.

After training the preset model of the current version, the preset model of the current version can be used as a model for detecting whether the transaction is abnormal or not in the current period.

In practical applications, the target transaction is any transaction of which the current period is to be detected whether an abnormality exists. The target transaction, when generated, generates transaction data. In one embodiment, the transaction data may include transaction content including, but not limited to, transaction records (e.g., transaction serial number, transaction amount, transaction time, transaction location, etc.), and user information of the payment user including, but not limited to, user identification, user behavior log, device information, geographic location of the user, etc. Further, the transaction data may also include user information of the payee user.

S206, preprocessing the transaction data, wherein the preprocessing comprises denoising, deduplication, missing value processing, outlier processing and format conversion processing.

Transaction data may be generated from multiple data sources, and thus, the transaction anomaly detection device needs to collect, integrate, and correlate data from the multiple data sources. In order to ensure consistency of the transaction data, a high-quality data basis is provided for subsequent steps, and the transaction data can be preprocessed, wherein the preprocessing comprises denoising processing, deduplication processing, missing value processing, outlier processing and format conversion processing.

The denoising process refers to removing meaningless data (such as data which is difficult to be correctly understood and translated by a machine and unstructured data) in transaction data; the duplicate removal processing means that duplicate data in transaction data is removed, and data redundancy is avoided; the missing value processing and the abnormal value processing respectively refer to supplementing/correcting the missing value and the abnormal value in the transaction data; the format conversion process refers to unifying the format of transaction data.

S207, taking the preprocessed transaction data as training data, and storing the training data in a training data set of the current period.

And taking the preprocessed transaction data as training data, and storing the training data into a training data set of the current period, so that the training data set of the current period trains a preset model of the current version, and further obtaining a preset model of the next version. Therefore, the preset model is ensured to be continuously learned and optimized so as to adapt to continuously changed transaction scenes (such as new payment behavior modes and new attack means), and the accuracy and the flexibility of the preset model are improved.

S208, inputting the user information into a first preset model of the current version, and determining standard behavior information of the payment user.

After the transaction data of the target transaction are acquired, user information is input into a first preset model of the current version, and standard behavior information of the payment user is determined. The standard behavior information is standardized information, and can measure the behavior mode and characteristics of the payment user under normal conditions in a standardized way.

S209, inputting the transaction content, the user information and the standard behavior information into a second preset model of the current version, and determining an analysis result of the target transaction.

The second preset model may be integrated with a detection algorithm, which may include at least one of a threshold-based algorithm, a probability-based algorithm, and a machine-learning-based algorithm.

S210, detecting whether the target transaction is abnormal or not according to the analysis result.

Example III

Fig. 3 is a schematic structural diagram of a transaction anomaly detection device according to a third embodiment of the present invention. As shown in fig. 3, the apparatus includes: an acquisition module 301, an analysis module 302 and a detection module 303.

An obtaining module 301, configured to obtain transaction data of a target transaction, where the transaction data includes transaction content and user information of a payment user;

The analysis module 302 is configured to input user information into a first preset model of a current version, and determine standard behavior information of a payment user; inputting transaction content, user information and standard behavior information into a second preset model of the current version, and determining an analysis result of the target transaction;

and the detection module 303 is configured to detect whether the target transaction is abnormal according to the analysis result.

Optionally, referring to fig. 3, fig. 4 is a schematic structural diagram of another transaction anomaly detection device according to a third embodiment of the present invention. As shown in fig. 4, further includes: training module 304.

The training module 304 is configured to obtain a training data set of a previous period and a preset model of a previous version, where the training data set of the previous period includes a plurality of training data generated in the previous period, and one training data includes at least one type of sub-data, and one type of sub-data corresponds to one dimension; inputting the sub data of the same dimension into a preset model of a previous version, and constructing a loss function of the preset model of the previous version, wherein the learning rates of the sub data of different dimensions are different; according to the loss function, adjusting parameters of a preset model of the previous version; and taking the preset model of the last version with the parameters adjusted as the preset model of the current version.

Optionally, the training module 304 is specifically configured to obtain, when the preset model is a first preset model, a version number of the first initial model and a version number of a previous version; determining a first parameter corresponding to the version number of the previous version; determining a first preset model of the previous version according to the first parameter and the first initial model; when the preset model is a second preset model, acquiring a second initial model and a version number of a previous version; determining a second parameter corresponding to the version number of the previous version; and determining a second preset model of the previous version according to the second parameters and the second initial model.

Optionally, the acquiring module 301 is further configured to perform preprocessing on the transaction data, where the preprocessing includes denoising, deduplication, missing value processing, outlier processing, and format conversion processing; the training module 304 takes the preprocessed transaction data as training data and stores the training data in the training data set of the current period.

Optionally, the analysis results include an anomaly evaluation parameter.

Referring to fig. 4, fig. 5 is a schematic structural diagram of a transaction anomaly detection device according to a third embodiment of the present invention. As shown in fig. 5, further includes: an evaluation and early warning module 305.

The evaluation and early warning module 305 is configured to determine that the target transaction is not abnormal if the abnormal evaluation parameter is less than or equal to a preset threshold; if the abnormality evaluation parameter is greater than a preset threshold, determining that abnormality exists in the target transaction.

Optionally, the evaluation and early warning module 305 is further configured to determine an anomaly level corresponding to the target transaction after determining that the target transaction is abnormal, and execute a corresponding anomaly control measure according to the anomaly level.

The transaction abnormality detection device provided by the embodiment of the invention can execute the transaction abnormality detection method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.

Example IV

Fig. 6 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.

As shown in fig. 6, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.

Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.

The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the transaction anomaly detection method.

In some embodiments, the transaction anomaly detection method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the transaction anomaly detection method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the transaction anomaly detection method by any other suitable means (e.g., by means of firmware).

Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems On Chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.

A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.

In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.

To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.

The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the internet.

The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.

It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.

The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims

1. A transaction anomaly detection method, comprising:

acquiring transaction data of a target transaction, wherein the transaction data comprises transaction content and user information of a payment user;

inputting the user information into a first preset model of a current version, and determining standard behavior information of the payment user;

inputting the transaction content, the user information and the standard behavior information into a second preset model of a current version, and determining an analysis result of the target transaction;

And detecting whether the target transaction is abnormal according to the analysis result.

2. The transaction anomaly detection method according to claim 1, wherein the current version of the preset model is a model obtained by training the previous version of the preset model according to a training data set of the previous period by using an online learning algorithm;

The preset model is the first preset model or the second preset model.

3. The method for detecting abnormal transaction according to claim 2, wherein the training method for obtaining the preset model of the current version comprises the following steps:

acquiring the training data set of the previous period and the preset model of the previous version, wherein the training data set of the previous period comprises a plurality of training data generated in the previous period, one training data comprises at least one type of sub data, and one type of sub data corresponds to one dimension;

Inputting the sub data of the same dimension into the preset model of the previous version, and constructing a loss function of the preset model of the previous version, wherein the learning rates of the sub data of different dimensions are different; according to the loss function, adjusting parameters of the preset model of the previous version;

And taking the preset model of the last version with the parameters adjusted as the preset model of the current version.

4. The transaction anomaly detection method of claim 3, wherein obtaining the previous version of the pre-set model comprises:

When the preset model is the first preset model, acquiring a first initial model and a version number of a previous version; determining a first parameter corresponding to the version number of the previous version; determining a first preset model of the previous version according to the first parameters and the first initial model;

When the preset model is the second preset model, acquiring a second initial model and a version number of a previous version; determining a second parameter corresponding to the version number of the previous version; and determining a second preset model of the previous version according to the second parameters and the second initial model.

5. The transaction anomaly detection method of claim 1, further comprising:

Preprocessing the transaction data, wherein the preprocessing comprises denoising, deduplication, missing value processing, outlier processing and format conversion processing;

and taking the preprocessed transaction data as training data, and storing the training data in a training data set of the current period.

6. The transaction anomaly detection method of claim 1, wherein the analysis results include anomaly evaluation parameters;

And detecting whether the target transaction is abnormal according to the analysis result, wherein the method comprises the following steps:

if the abnormality evaluation parameter is smaller than or equal to a preset threshold value, determining that no abnormality exists in the target transaction;

and if the abnormality evaluation parameter is larger than a preset threshold value, determining that the target transaction is abnormal.

7. The transaction anomaly detection method of claim 6, further comprising, after determining that the target transaction is anomalous:

and determining an abnormal grade corresponding to the target transaction, and executing corresponding abnormal control measures according to the abnormal grade.

8. A transaction abnormality detection device, comprising: the device comprises an acquisition module, an analysis module and a detection module;

The acquisition module is used for acquiring transaction data of a target transaction, wherein the transaction data comprises transaction content and user information of a payment user;

The analysis module is used for inputting the user information into a first preset model of a current version and determining standard behavior information of the payment user; inputting the transaction content, the user information and the standard behavior information into a second preset model of a current version, and determining an analysis result of the target transaction;

and the detection module is used for detecting whether the target transaction is abnormal or not according to the analysis result.

9. An electronic device, the electronic device comprising:

at least one processor; and a memory communicatively coupled to the at least one processor; wherein,

The memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the transaction anomaly detection method of any one of claims 1-7.

10. A computer readable storage medium storing computer instructions for causing a processor to perform the transaction anomaly detection method of any one of claims 1 to 7.