JP7359910B1 - Information processing device, information processing method, and program - Google Patents

Abstract

[Problem] To appropriately extract users of interest who are suspected of fraudulently using an electronic payment service. [Solution] By inputting input data having multiple data items including the user's usage history of the electronic payment service into a trained model, the user related to the input data may engage in unauthorized use of the electronic payment service. The trained model is equipped with an inference unit that derives output data indicating whether or not the user of interest is suspected of having committed illegal activity. It is learned by machine learning using learning data as tag information indicating whether the user is the user who performed An information processing device that retrains a trained model by adding input data regarding the user and tag information indicating that the user is a user who has engaged in unauthorized use to learning data. [Selection diagram] Figure 7

Description

The present invention relates to an information processing device, an information processing method, and a program.

Conventionally, inventions of computerized risk management methods and risk management systems for facilitating analysis and quantification of risks related to financial transactions have been disclosed (Patent Document 1). The system generates a risk index or other rating based on a weighted algorithm applied to the criteria.

Special Publication No. 2005-509196

In the conventional technology, since a trained model learned by machine learning is not used, it may not be possible to appropriately extract a user of interest who is suspected of fraudulently using an electronic payment service.

The present invention has been made in consideration of such circumstances, and provides an information processing device and an information processing method that can appropriately extract users of interest who are suspected of fraudulently using an electronic payment service. One of the purposes is to provide , and programs.

One aspect of the present invention is to input input data having a plurality of data items including a user's usage history of an electronic payment service into a trained model that has been trained in advance by machine learning. The trained model includes an inference unit that derives output data indicating whether or not the user is the user of interest who is suspected of fraudulently using the electronic payment service, and the trained model The information is learned by machine learning using the input data and tag information indicating whether each of the plurality of users is the user who has performed the unauthorized use as learning data, and the inference unit For at least some of the users from whom information indicating that they are users of interest has been derived, the input data regarding the users and tag information indicating that they are the users who have engaged in the fraudulent use. The information processing apparatus further includes a relearning unit that adds a set of the learning model to the learning data and relearns the learned model.

According to one aspect of the present invention, it is possible to provide an information processing device, an information processing method, and a program that can appropriately extract a user of interest who is suspected of fraudulently using an electronic payment service. .

1 is a diagram illustrating an example of a configuration for realizing an electronic payment service. FIG. 1 is a sequence diagram (Part 1) illustrating the general flow of electronic payment. FIG. 2 is a sequence diagram (Part 2) illustrating the general flow of electronic payment. FIG. 1 is a configuration diagram of a payment server 100 according to a first embodiment. 3 is a diagram showing an example of the contents of user information 172. FIG. It is a diagram showing an example of the contents of member store/store information 176. FIG. 2 is a configuration diagram of an information processing device 200. 3 is a diagram showing an example of the contents of a score table 278. FIG. FIG. 3 is a diagram for explaining processing contents of a learning unit 230. FIG. It is a figure showing an example of trend analysis information display screen IM1. 3 is a diagram illustrating an example of processing contents of a relearning unit 240. FIG. It is a figure which shows an example of user number transition display screen IM2.

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiments of an information processing apparatus, an information processing method, and a program according to the present invention will be described below with reference to the drawings. The information processing device derives output data indicating whether or not a user who uses an electronic payment service is a user of interest who is suspected of having fraudulently used the electronic payment service. First, the electronic payment service will be explained, and then the functions of the information processing device will be explained.

[Electronic payment service]
Electronic payment services are provided, for example, by cooperation between an application program (payment application) and a payment server. An electronic payment service is a service that supports payments for purchases of products and services at stores. A store is, for example, a physical store (actual store) that exists in real space, but may also include a virtual store for electronic commerce. Virtual stores may include those provided by entities different from the operator of the electronic payment service. In that case, when paying for shopping at the virtual store, the screen is controlled to transition to an interface screen of the electronic payment service. In an electronic payment service, a store is treated as belonging to a member store (brand), for example, and processing such as payment when a purchase is made at a store is mainly performed between a user and the member store. Alternatively, processing such as payment may be performed between the user and the store.

FIG. 1 is a diagram showing an example of a configuration for realizing an electronic payment service and an information processing device. The electronic payment service is realized mainly by the payment server 100. The payment server 100 communicates with each of the one or more user terminal devices 10, the one or more first store terminal devices 50, and the one or more second store terminal devices 70, for example, via the network NW. The network NW includes, for example, the Internet, a LAN (Local Area Network), a wireless base station, a provider device, and the like. The information processing device 200 is connected to, for example, the payment server 100 via a narrow area network (not shown). The information processing device 200 is not limited to this, and may be connected to the payment server 100 via the network NW, or may be a function of the payment server 100.

The user terminal device 10 is, for example, a portable terminal device such as a smartphone or a tablet terminal. The user terminal device 10 is a computer device having at least an optical reading function, a communication function, a display function, an input reception function, and a program execution function. In the following description, the configurations for realizing these functions are respectively referred to as a camera, a communication device, a touch panel, a CPU (Central Processing Unit), and the like. In the user terminal device 10, the payment application 20 is executed by a processor such as a CPU, so that the payment application 20 operates in cooperation with the payment server 100 to provide electronic payment services to the user. The payment application 20 is installed on the user terminal device 10 from an application store, for example, and controls a camera, a communication device, a touch panel, and the like.

The first store terminal device 50 is installed in a store, for example. The first store terminal device 50 is a computer device having at least a product price acquisition function, an optical reading function, a program execution function, and a communication function. The first store terminal device 50 includes a so-called POS (Point of Sale) device, and the POS device may realize a product price acquisition function and an optical reading function. The store code image 60 is placed in a store, and a code image such as a QR code (registered trademark) is printed on a paper or plastic medium. Note that the store code image 60 may be displayed on a display (or a display of a terminal device such as a smartphone) placed in the store.

The second store terminal device 70 is used by an operator of a member store. The second store terminal device 70 is a smartphone, a tablet terminal, a personal computer, or the like. In the second store terminal device 70, an interface 72 for member stores operates. The member store interface 72 may be an application for member stores or may be a browser. The member store interface 72 receives coupon settings and the like from the member store operator and transmits them to the payment server 100. The second store terminal device 70, which is a smartphone, has the function of displaying a code image corresponding to the store code image and reading the code image displayed by the user terminal device 10 by executing an application for member stores. have

The payment server 100 realizes electronic payment based on payment information received from the user terminal device 10 or the first store terminal device 50. The first store terminal device 50 may include a POS device and a member store server, in which case payment information is transmitted from the POS device to the payment server 100 via the member store server. In the following description, it is assumed that payment information is transmitted from the first store terminal device 50 without making any particular distinction.

2 and 3 are sequence diagrams illustrating the general flow of electronic payment. There may be two patterns, pattern 1 and pattern 2, in electronic payment.

In the case of pattern 1 (hereinafter referred to as user scan) shown in FIG. 2, the user terminal device 10 with the payment application 20 activated decodes the store code image 60 using an optical reading function (S1). The store code image 60 includes information on a store URL (Uniform Resource Locator). This store URL is the domain of the electronic payment service added with information that can identify the store, and is associated with member store IDs, store IDs, etc. in the payment server 100 (described later). The payment application 20 transmits first payment information including the store URL and account ID to the payment server 100 (S2). The payment server 100 searches for store information (described later) from the member store ID and store ID corresponding to the store URL, obtains the member store name and store name information (S3), and sends the information to the payment application 20 (S4). . The user inputs the payment amount into the user terminal device 10 on the screen on which the member store name and store name are displayed (S5). Then, the user terminal device 10 generates second payment information including at least the payment amount and transmits it to the payment server 100 (S6). The payment server 100 performs electronic payment based on the received second payment information (S7). Then, the payment server 100 transmits a payment completion notification (information for displaying the payment completion screen) to the payment application 20 (S8), and the payment application 20 displays the payment completion screen (S9). Note that when the store code image 60 is displayed on a display placed in a store, the store code image 60 may include not only the store URL but also information on the payment amount. In this case, the step for the user to input the payment amount is omitted, and the first payment information includes information on the payment amount and is sent to the payment server 100. Information on the member store name and store name may be included and displayed on the payment completion screen.

In the case of pattern 2 (hereinafter referred to as store scan) shown in FIG. 3, when the payment application 20 is started, when a payment operation is performed on the payment application 20, and when the automatic update timing (for example, every minute) is reached. , and at other timings, the payment application 20 transmits a one-time code issuance request to the payment server 100 (S11). The payment server 100 generates a one-time code (S12) and sends it to the payment application 20 (S13). The payment application 20 displays a code image, such as a QR code or barcode, generated based on the one-time code (S14). The user holds up (presents) the display surface of the user terminal device 10 to the first store terminal device 50, and the first store terminal device 50 decodes the code image using an optical reading function and obtains a one-time code, etc. (S15). Then, the first store terminal device 50 generates payment information including a one-time code, payment amount, member store ID, store ID, etc., and transmits it to the payment server 100 (S16). Information on the payment amount is obtained in advance by barcode reading, manual input, etc. The payment server 100 identifies the user corresponding to the one-time code based on the received information and performs electronic payment (S17). Then, the payment server 100 transmits a payment completion notification to the payment application 20 (S18), and the payment application 20 displays a payment completion screen (S19).

Note that electronic payment may be performed using only one of the above patterns. Moreover, the "account ID" explained in FIG. 2 may be other information (for example, a telephone number) that can be used as user identification information. Furthermore, the issuance of a one-time code may be omitted in the store scan, and the payment application 20 may display a code image generated based on the user's account ID. In that case, the payment server 100 identifies the user corresponding to the account ID instead of identifying the user corresponding to the one-time code.

FIG. 4 is a configuration diagram of the payment server 100. The payment server 100 includes, for example, a communication section 110, a payment content providing section 120, a payment processing section 130, an information management section 140, and a storage section 170. Components other than the communication unit 110 and the storage unit 170 are realized by, for example, a hardware processor such as a CPU executing a program (software). Some or all of these components are hardware (circuit parts) such as LSI (Large Scale Integration), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programmable Gate Array), and GPU (Graphics Processing Unit). (including circuitry), or may be realized by collaboration between software and hardware. The program may be stored in advance in a storage device (a storage device with a non-transitory storage medium) such as an HDD (Hard Disk Drive) or flash memory, or may be stored in a removable storage device such as a DVD or CD-ROM. It may be stored in a medium (non-transitory storage medium), and installed in the storage device by loading the storage medium into a drive device.

The storage unit 170 is an HDD, flash memory, RAM (Random Access Memory), or the like. The storage unit 170 may be a NAS (Network Attached Storage) device that can be accessed by the payment server 100 via a network. The storage unit 170 stores information such as user information 172, payment content information 174, and member store/store information 176.

The communication unit 110 is a communication interface for connecting to the network NW. Communication unit 110 is, for example, a network interface card.

The payment content providing unit 120 has, for example, the function of a web server, and provides the user terminal device 10 with information (content) for displaying various screens of the electronic payment service. The payment content providing unit 120 reads necessary content from the payment content information 174 as appropriate and provides it to the user terminal device 10. The user terminal device 10 receives various inputs from the user while the content is being played by the payment application 20, and transmits the above-mentioned payment information and the like to the payment server 100.

The payment processing unit 130 performs payment processing based on the payment information transmitted by the user terminal device 10 or the first store terminal device 50. The payment processing unit 130 performs payment processing while referring to the user information 172.

FIG. 5 is a diagram showing an example of the contents of the user information 172. User information 172 is an example of user registration information. User information 172 includes, for example, user URL, account ID, phone number, password, email address, user ID, name/address/date of birth, registration date, charge balance, deferred payment setting, deferred payment limit, deferred payment. Information such as usage amount, available deferred payment amount, payment method setting, bank account, credit card number, charge history information, payment history information, P2P remittance history information, etc. are associated with each other. The user URL is used for remittance processing between users. When registering for a new electronic payment service, it is mandatory to register a phone number and password. The account ID is issued to the user by the payment server 100, and the user ID is an ID that can be arbitrarily set (or does not need to be set) by the user. Similarly, e-mail address, name, address, and date of birth are information that can (or does not need to be) set arbitrarily by the user. The registration date is the date the user registered with the electronic payment service (the date the account was created). Hereinafter, the user instance (electronic payment account) to which this information is associated will be referred to as an account.

The charge balance is information indicating the balance of electronic money set by the user transferring money to the account in advance. Methods of remittance include remittance from an ATM (Automatic Teller Machine) of a designated business (bank), remittance from a registered bank account, etc. The deferred payment setting is information indicating whether the settings for enabling electronic payment by deferred payment have been completed, and is set to either "completed" or "not yet". The deferred payment allowance is the maximum amount of deferred payment that can be used each month, the deferred payment usage amount is the amount of deferred payment that has already been used in the current month, and the available deferred payment amount is calculated by subtracting the deferred payment usage amount from the deferred payment allowance. , is the amount of deferred payment available for the current month. In the figure, only one deferred payment limit is shown, but in reality, there are additional daily upper limit amounts, and the lower of these may be set as the deferred payment limit. The payment method setting is setting information that indicates whether the user will perform electronic payment using the charge balance or payment by deferred payment at that time. The bank account and credit card number are each information about a bank account or credit card number (account number, card number) that can be used to deposit money into the electronic payment service. The charging history information is a history of the user increasing the charging balance by remitting money to the electronic payment service in advance. The payment history information is information that shows the details of the payments made by the user (date and time, store ID of the store where the purchase was made, payment amount, payment method, etc.) for each payment. P2P remittance history information is related to remittances between users (P2P remittances) included in electronic payment services, and includes the history of P2P remittances performed by users (date and time, amount remitted, recipient user, etc.) This is information that shows each remittance process.

When payment information is acquired from the user terminal device 10 or the first store terminal device 50, the payment processing unit 130 refers to the user information 172 and acquires the "payment method setting" of the user. The payment processing unit 130 performs electronic payment as follows for a user whose "payment method setting" is set to "charge balance". The payment processing unit 130 performs electronic payment by, for example, decreasing the charge balance managed in association with the user ID and increasing the item value of the member store's sales proceeds. For example, the item value of the sales proceeds of a member store is not used as electronic money itself, but the amount corresponding to the item value of the sales proceeds is determined in a cycle according to the agreement between the member store and the electronic payment service. Money will be transferred to your bank account.

The payment processing unit 130 performs electronic payment in the following manner for users whose "setting information" is set to "deferred payment." Deferred payment is set up separately from "credit payment" in collaboration with a credit card company, which is a separate entity from the operator of the electronic payment service, and the operator of the electronic payment service is the creditor. , which allows electronic payments that do not depend on the charge balance within the deferred payment limit. Note that in order to receive the deferred payment service, the user may be required to obtain a credit card provided by the operator of the electronic payment service. The amount used for deferred payment is paid in one month's worth on the next month's payment date, for example, by debiting from a bank account. In this case, the payment processing unit 130 performs provisional payment by adding the payment amount to the deferred payment usage amount and subtracting the same amount from the available deferred payment amount, and on the closing date, the payment for the current month is transferred to the next month's payment date as described above. Process to withdraw the money. Note that if the payment amount exceeds the available deferred payment amount at the time of provisional payment, an error notification is sent back to the payment application 20.

FIG. 6 is a diagram showing an example of the contents of the affiliated store/store information 176. The affiliated store/store information 176 includes, for example, a first table 176A in which affiliated store IDs and store IDs are associated with store URLs, and affiliated store names and sales proceeds (described above) are associated with affiliated store IDs. 176B, and a third table 176C in which store IDs are associated with store IDs. In addition to this information, the member store/store information 176 includes information such as the category of the member store or store, the location of the store, and the payment pattern.

The information management unit 140 manages user information 172 and member store/store information 176 based on information acquired from the user terminal device 10 and the second store terminal device 70. The information management unit 140 adds, edits, deletes, etc. new records for the user information 172 and member store/store information 176.

[Information processing device]
FIG. 7 is a configuration diagram of the information processing device 200. The information processing device 200 includes, for example, an information acquisition section 210, an inference section 220, a learning section 230, a relearning section 240, a display control section 250, and a storage section 270. The components other than the storage unit 270 are realized by, for example, a hardware processor such as a CPU executing a program (software). Some or all of these components may be realized by hardware (including circuitry) such as LSI, ASIC, FPGA, or GPU, or may be realized by collaboration between software and hardware. Good too. The program may be stored in advance in a storage device such as an HDD or flash memory (storage device equipped with a non-transitory storage medium), or may be stored in a removable storage medium (non-transitory storage medium) such as a DVD or CD-ROM. The software may be installed in the storage device by attaching the storage medium to the drive device.

The storage unit 270 is an HDD, flash memory, RAM, or the like. The storage unit 270 may be a NAS device that the information processing device 200 can access via a network. The storage unit 270 stores information such as learning data 272, a learned model 274, input data 276, and a score table 278.

The information processing device 200 may be an integrated device as illustrated, or may be a device having a distributed configuration. For example, the inference section 220, the learning section 230, and the relearning section 240 may be realized by separate devices.

[Inference stage]
The information acquisition unit 210 acquires data necessary for the inference unit 220 to perform inference processing from the payment server 100 or the like, and stores it in the storage unit 270 as input data 276. The input data 276 is data having a plurality of data items including the user's usage history of the electronic payment service. The input data 276 has, for example, the following data items. The "history information" in (3) and (5) may include one or both of information on each remittance or charge, and statistical information obtained from the amount, frequency, etc.
(1) Basic statistical information regarding user attribute information and electronic payment history (2) Category information of the store where electronic payment was made (3) P2P remittance history information (4) Cooperation with electronic payment services (electronic (5) Charge history information (6) Terminal information of user terminal device 10 (OS, etc.)

The inference unit 220 inputs the input data into the learned model 274 that has been trained in advance by machine learning, thereby determining the focused use in which the user associated with the input data is suspected of having made fraudulent use of the electronic payment service. Output data indicating whether or not the person is a person is derived. Unauthorized use is, for example, illegal remittance acts such as money laundering. Since it is assumed that users who perform this type of fraudulent remittance act are often characterized by charge history information and P2P remittance history information, the information processing device 200 uses these as input data as described above. Perform inference processing including. Thereby, the information processing device 200 can appropriately extract the users of interest who are suspected of having fraudulently used the electronic payment service.

The inference unit 220 outputs, as output data, a score indicating the degree to which fraudulent use of the electronic payment service is suspected, a classification label obtained by comparing the score with a threshold value and binarized, and a level obtained by discretizing the level. Output. All of these may be outputs of the trained model 274, or the inference unit 220 may separately perform arithmetic processing or the like to compare the score output by the trained model 274 with a threshold value.

The inference unit 220 stores the score, classification label, and level as a score table 278 in the storage unit 270. FIG. 8 is a diagram showing an example of the contents of the score table 278. The score table 278 is a table in which, for example, user identification information such as an account ID is associated with a classification label, score, level, and update date. For the classification label, a value of 1 indicates that the user is the user of interest, and a value of 0 indicates that the user is not the user of interest. Alternatively, a user with a classification label of 1 and a level of 5 may be defined as the user of interest, and other users may be defined as users who are not the user of interest. That is, the classification label alone or the combination of the classification label and the level is an example of "output data indicating whether or not the user is the user of interest." The score is derived, for example, to a value between 0 and 1. The level is 0 if the score is 0 or more and less than 0.5, 1 if the score is 0.5 or more and less than 0.6, 2 if the score is 0.6 or more and less than 0.7, and 0. If the score is 7 or more and less than 0.8, it is set to 3, if the score is 0.8 or more and less than 0.9, it is set to 4, and if the score is 0.9 or more, it is set to 5. The update date indicates the date on which the inference processing by the inference unit 220 was performed. For example, for level 5 users, after the electronic payment history information is verified by human eyes, measures such as account freezing are taken.

[Learning stage]
The learning unit 230 generates a learned model 274. The trained model 274 uses, as learning data, input data about multiple users and tag information indicating whether each of the multiple users is a user who has engaged in unauthorized use (hereinafter referred to as an unauthorized user). , which was learned using machine learning.

FIG. 9 is a diagram for explaining the processing contents of the learning section 230. The learning unit 230 calculates that the score derived as a result of inputting input data about a plurality of users including a first group of users and a second group of users into a machine learning model is about the first group of users. Adjust the parameters of the machine learning model by backpropagation so that the values for the second group of users are within the range indicating that they are not unauthorized users, and the values for the second group of users are within the range indicating that they are unauthorized users. . The machine learning model at the time when adjustment of parameters and the like for all input data is completed becomes the learned model 274.

The users of the first group are given tag information indicating that they are not unauthorized users, and the users of the second group are assigned tag information indicating that they are unauthorized users. The first group of users is, for example, a user who has an account with an electronic payment service and whose frequency of electronic payment is higher than the standard (for example, who has made k or more payments in XX days), that is, active users. A predetermined number of users randomly sampled from The second group of users are users who have a sufficiently high probability of being fraudulent users, such as suspects of fraudulent remittances or users who have received inquiries from the police.

By generating the learned model 274 in this manner, it is possible to appropriately extract users of interest who are suspected of having made fraudulent use of the electronic payment service. With this type of conventional technology, whether or not a user is an unauthorized user is determined solely based on the information used for identity verification, and the determination is made based on dynamic information such as the history of using electronic payment services. I wasn't able to do that. In this regard, according to the present embodiment, the trained model 274 is used to focus on charging history information and P2P remittance history information, which are assumed to be likely to be characteristic information for fraudulent users, as input data. Since users are extracted, users of interest can be appropriately extracted.

[Trend analysis (part 1)]
The display control unit 250 generates trend analysis information indicating which part of the input data the generated trained model 274 (which may include a retrained model as described later) should emphasize to derive a score. is displayed on a display device (not shown). The display device may be attached to the information processing device 200 or may be connected to the information processing device 200 via various networks. Trend analysis information is obtained, for example, via an API (Application Programming Interface) provided by a machine learning platform. FIG. 10 is a diagram showing an example of the trend analysis information display screen IM1. The trend analysis information display screen IM1 displays multiple events of interest, such as (1) users who often make electronic payments at stores belonging to category XX, (2) users whose P2P remittance history tends to be XX, ( 3) Users whose charge balance is ○○, (4) Users who make many electronic payments during a specific time period, (5) Users whose charging method tends to be ○○, (6) Terminal settings are ○○. It is shown that there is a tendency to output users with , etc. as users of interest, and events of interest are listed in order of their contribution. Additionally, a trend graph that visualizes the details of the degree of contribution is displayed corresponding to each of the events of interest.

By displaying the trend analysis information display screen IM1 on the display device in this way, the operator can intuitively understand whether or not the inference process is performed in a way that suits the sense of the operator of the information processing device 200. Can be done.

[Re-learning]
The relearning unit 240 performs an offline process to determine whether at least some of the users for whom information indicating that they are the users of interest have been derived by the inference unit 220 (that is, by the learned model 274) are fraudulent. After confirming that the user has used the service, a set of input data regarding the user and tag information indicating that the user is the user who has made the unauthorized use is added to the learning data 272, and the trained model 274 Re-learning. The offline process is, for example, the process of verifying history information of electronic payment, which is a condition for freezing the account described above. The relearning unit 240 performs the above process for the user for whom the inference unit 220 outputs information indicating that the user is at level 5.

FIG. 11 is a diagram illustrating an example of processing contents of the relearning unit 240. The relearning unit 240 extracts input data of a user to whom information indicating that the user is the user of interest has been output in the inference process. These users are verified through offline processing as described above. When it is confirmed through offline processing that unauthorized use has occurred, the relearning unit 240 adds tag information indicating that the user is an unauthorized user to the input data of those users and adds it to the learning data 272. do. Then, the relearning unit 240 performs the same process as the learning unit 230 to relearn the learned model 274.

Through such processing, the volume of the learning data 272 can be enriched and the accuracy of the learned model 274 can be improved. The second group of users described in FIG. 9 are usually far fewer in number than the first group of users. For this reason, if the number of users in the second group initially prepared is not sufficient, there is a concern that the learned model 274 may not be generated with high accuracy. In this regard, according to the present embodiment, tag information indicating that the user is an unauthorized user is added to the input data of at least some of the users who are shown to be the user of interest through inference processing, and the input data is added to the learning data 272. Since the model is added and re-learning is performed, the accuracy of the learned model 274 can be improved.

Furthermore, conventionally, it has been difficult to make this type of prediction based on rules. Although it was not possible to make predictions with sufficient accuracy using a simple rule-based method such as a decision tree, by using a trained model 274 generated by machine learning, it is possible to make predictions based on complex and multifaceted conditions. It has been found that the prediction accuracy can be improved. In addition, the behavior patterns of fraudulent users do not necessarily remain the same for a long period of time, and it may be difficult to make stable predictions based on fixed criteria, but the trained model 274 can be retrained many times. Since the information can be updated by , it is possible to flexibly follow changes in the behavior patterns of unauthorized users. By performing the above-described processing of the relearning unit 240, it is possible to expand the learning data 272 and improve prediction accuracy, while flexibly following changes in the behavior patterns of fraudulent users.

[Trend analysis (Part 2)]
The display control unit 250 displays changes in the number of users for each level as the inference process is repeatedly executed, for example, once a week for users newly added as targets of the inference process. may be displayed on the display device. FIG. 12 is a diagram showing an example of the user number transition display screen IM2. When generating this screen, the display control unit 250 refers to the "update date" item in the score table 278 and reflects the user in the portion of the graph after the update date. In this way, by displaying the change in the number of users for each level, the operator can understand the properties of the learned model 274 from another perspective, and the reliability of the inference process can be improved. Further, the display control unit 250 may cause the display device to display the ranking results of the scores for each unauthorized user, or may cause the display device to display other statistical information.

According to the embodiment described above, it is possible to appropriately extract a user of interest who is suspected of having fraudulently used an electronic payment service.

Although the mode for implementing the present invention has been described above using embodiments, the present invention is not limited to these embodiments in any way, and various modifications and substitutions can be made without departing from the gist of the present invention. can be added.

10 User terminal device 20 Payment application 100 Payment server 200 Information processing device 210 Information acquisition section 220 Reasoning section 230 Learning section 240 Relearning section 250 Display control section 270 Storage section

Claims (12)

By inputting input data having multiple data items including the user's usage history of the electronic payment service into a trained model trained in advance by machine learning, the user related to the input data can use the electronic payment service. comprising an inference unit that derives output data indicating whether or not the user of interest is suspected of having conducted an illegal remittance act using
The trained model uses, as learning data, the input data about a plurality of users and tag information indicating whether each of the plurality of users is the user who performed the fraudulent remittance act. It is learned by machine learning,
With respect to at least some of the users for whom information indicating that the user is the user of interest has been derived by the inference unit, the input data regarding the user and the user who performed the fraudulent remittance act are further comprising a relearning unit that adds a pair with tag information indicating that there is something to the learning data and retrains the learned model;
Information processing device. The relearning unit is configured to determine whether the user who is confirmed to have made the fraudulent remittance act among the users for whom the inference unit has obtained output data indicating that the user is the user of interest. adding the input data related to the above and tag information indicating that the user is the one who performed the fraudulent remittance act to the learning data, and relearning the trained model;
The information processing device according to claim 1. The user who has been confirmed to have performed the fraudulent remittance act is a user who has been confirmed to have performed the fraudulent remittance act through offline processing.
The information processing device according to claim 2. The electronic payment service allows the user to perform electronic payment based on the charge balance charged by the user in advance,
The input data includes history information of the charge,
The information processing device according to claim 1. The electronic payment service enables remittances between users,
The input data includes historical information on remittances between the users;
The information processing device according to claim 1. By inputting input data having multiple data items including the user's usage history of the electronic payment service into a trained model trained in advance by machine learning, the user related to the input data can use the electronic payment service. comprising an inference unit that derives output data indicating whether or not the user of interest is suspected of having conducted an illegal remittance act using
The trained model performs machine learning using the input data about a plurality of users and tag information indicating whether each of the plurality of users is the user who performed the fraudulent remittance act as learning data. It was learned by
The electronic payment service allows the user to perform electronic payment based on the charge balance charged by the user in advance,
The input data includes history information of the charge,
Information processing device. The electronic payment service enables remittance processing between users,
The input data further includes history information of remittance processing between the users.
The information processing device according to claim 6. The trained model outputs a score indicating the degree to which it is suspected that the user has committed an illegal remittance act using the electronic payment service;
further comprising a display control unit that causes a display device to display a change in the number of users for each level obtained by discretizing the score;
An information processing device according to any one of claims 1 to 7. The information processing device inputs input data having multiple data items including the user's usage history of electronic payment services into a trained model trained in advance by machine learning, so that the user related to the input data , performing inference processing to derive output data indicating whether or not the user of interest is suspected of having performed an illegal remittance using the electronic payment service;
The trained model performs machine learning using the input data about a plurality of users and tag information indicating whether each of the plurality of users is the user who performed the fraudulent remittance act as learning data. It was learned by
The information processing apparatus further includes, for at least some of the users from which output data indicating that the user is the user of interest has been derived in the inference process, the input data regarding the user and the fraudulent information. adding a pair with tag information indicating that the user is a user who has made a remittance act to the learning data, and relearning the learned model;
Information processing method. The information processing device
By inputting input data having multiple data items including the user's usage history of the electronic payment service into a trained model trained in advance by machine learning, the user related to the input data can use the electronic payment service. Execute inference processing to derive output data indicating whether or not the user of interest is suspected of having conducted fraudulent remittances using
The trained model performs machine learning using the input data about a plurality of users and tag information indicating whether each of the plurality of users is the user who performed the fraudulent remittance act as learning data. It was learned by
The electronic payment service allows the user to perform electronic payment based on the charge balance charged by the user in advance,
The input data includes history information of the charge,
Information processing method. By inputting input data having multiple data items including a user's usage history of electronic payment services into a trained model trained by machine learning in advance, the user related to the input data can , causing an inference process to derive output data indicating whether or not the user of interest is suspected of having conducted an illegal remittance using the electronic payment service;
The trained model performs machine learning using the input data about a plurality of users and tag information indicating whether each of the plurality of users is the user who performed the fraudulent remittance act as learning data. It was learned by
The information processing apparatus further includes, for at least some of the users for which output data indicating that the user is the user of interest has been derived in the inference process, the input data regarding the user and the fraudulent information. adding a pair with tag information indicating that the user is a user who has made a remittance act to the learning data, and causing the trained model to be retrained;
program. By inputting input data having multiple data items including a user's usage history of electronic payment services into a trained model trained by machine learning in advance, the user related to the input data can , causing an inference process to derive output data indicating whether or not the user of interest is suspected of having conducted an illegal remittance using the electronic payment service;
The trained model performs machine learning using the input data about a plurality of users and tag information indicating whether each of the plurality of users is the user who performed the fraudulent remittance act as learning data. It was learned by
The electronic payment service allows the user to perform electronic payment based on the charge balance charged by the user in advance,
The input data includes history information of the charge,
program.

Images