TW201816678A - Illegal transaction detection method and illegal transaction detection device - Google Patents
Illegal transaction detection method and illegal transaction detection device Download PDFInfo
- Publication number
- TW201816678A TW201816678A TW106136078A TW106136078A TW201816678A TW 201816678 A TW201816678 A TW 201816678A TW 106136078 A TW106136078 A TW 106136078A TW 106136078 A TW106136078 A TW 106136078A TW 201816678 A TW201816678 A TW 201816678A
- Authority
- TW
- Taiwan
- Prior art keywords
- behavior
- data
- discrete
- continuous
- probability
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2458—Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
- G06F16/2462—Approximate or statistical queries
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q40/00—Finance; Insurance; Tax strategies; Processing of corporate or income taxes
- G06Q40/04—Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
Landscapes
- Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- Physics & Mathematics (AREA)
- Accounting & Taxation (AREA)
- Theoretical Computer Science (AREA)
- Finance (AREA)
- General Physics & Mathematics (AREA)
- Probability & Statistics with Applications (AREA)
- Strategic Management (AREA)
- General Business, Economics & Management (AREA)
- Marketing (AREA)
- Software Systems (AREA)
- Development Economics (AREA)
- Technology Law (AREA)
- Computer Security & Cryptography (AREA)
- Fuzzy Systems (AREA)
- Mathematical Physics (AREA)
- Economics (AREA)
- Computational Linguistics (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- General Engineering & Computer Science (AREA)
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
Description
本發明涉及互聯網技術領域,尤其涉及一種非法交易檢測方法及裝置。 The present invention relates to the field of Internet technologies, and in particular, to a method and device for detecting illegal transactions.
代理訪問技術由於可以增強用戶上網安全,節省網路資源等諸多優點而被廣泛使用,但這也對交易的安全管理帶來一定的問題。 Proxy access technology is widely used because it can enhance users' online security and save network resources, but it also brings certain problems to the security management of transactions.
在現有的代理訪問檢測技術中,常用的是在網路層抓取使用者的訪問資料封包,通過分析資料封包來進行判斷,或利用常用的代理埠進行反向代理掃描,也有通過比對代理網路通訊協定(Internet Protocol,IP)位址庫來識別代理訪問。然而,這些檢測技術大多關注網路通訊協定層的識別,不僅需要較長的檢測時延,而且只能識別使用者是否為代理IP,無法識別使用者的交易是否合法。因此,當檢測出使用者IP為代理IP後,一般還會進行加強驗證、電話確認和直接封禁等多種方式處理,但無論哪種方式都有弊端,加強驗證影響了用戶體驗,且效果有限,電話確認增加了人力、物力成本,直接封禁會誤殺正常用戶。 In the current proxy access detection technology, it is common to capture the user's access data packets at the network layer and analyze them to determine the data packet, or use the common proxy port to perform reverse proxy scanning, and also compare the proxy Internet Protocol (IP) address library to identify proxy access. However, most of these detection technologies focus on the identification of the network protocol layer, which not only requires a long detection delay, but also can only identify whether the user is a proxy IP, and cannot identify whether the user's transaction is legitimate. Therefore, when the user IP is detected as a proxy IP, multiple methods such as enhanced authentication, telephone confirmation, and direct banning are generally processed. However, either method has disadvantages. Strengthening authentication affects the user experience and has limited effects. Confirmation by telephone increases the cost of manpower and material resources, and direct bans will accidentally kill normal users.
綜上所述,目前仍缺少一種可以直接檢測使用者具體交易行為的檢測方式。 In summary, there is still a lack of a detection method that can directly detect the user's specific transaction behavior.
本發明提供一種非法交易檢測方法及裝置,用以解決現有技術中存在缺少一種可以直接檢測使用者具體交易行為的檢測方式的問題。 The invention provides a method and a device for detecting illegal transactions, which are used to solve the problem of lacking a detection method that can directly detect a user's specific transaction behavior in the prior art.
本發明實施例提供一種非法交易檢測方法,包括:獲取使用者的當前交易行為資料;根據當前交易行為資料的多個行為指標,從當前交易行為資料中提取第一連續型指標資料和第一離散型指標資料;根據第一連續型指標資料和連續檢測模型計算當前交易行為的第一機率,以及,根據第一離散型指標資料和離散檢測模型計算當前交易行為的第二機率;連續檢測模型和離散檢測模型均根據歷史交易行為資料確定;根據第一機率和第二機率得到第三機率,第三機率為當前交易行為為非法交易的機率。 An embodiment of the present invention provides a method for detecting illegal transactions, including: obtaining current transaction behavior data of a user; and extracting first continuous indicator data and first discrete data from the current transaction behavior data according to multiple behavior indicators of the current transaction behavior data. Based on the first continuous indicator data and continuous detection model to calculate the first probability of the current trading behavior, and based on the first discrete indicator data and discrete detection model to calculate the second probability of the current trading behavior; continuous detection model and The discrete detection models are determined based on historical transaction behavior data; a third probability is obtained based on the first probability and the second probability, and the third probability is the probability that the current transaction behavior is an illegal transaction.
在本創作中,根據第一機率和第二機率得到第三機率之後,還包括:判斷第三機率是否滿足第一門檻值;若第三機率滿足第一門檻值,則判斷用戶的IP位址是否為已知的代理IP;若是已知的代理IP,則輸出當前交易行為為非法交易;若不是已知的代理IP,則輸出當前交易行為為疑似代理IP。 In this creation, after obtaining the third probability according to the first probability and the second probability, the method further includes: determining whether the third probability meets the first threshold; if the third probability meets the first threshold, determining the user's IP address Whether it is a known proxy IP; if it is a known proxy IP, the current transaction behavior is output as an illegal transaction; if it is not a known proxy IP, the current transaction behavior is output as a suspected proxy IP.
其中,連續檢測模型和離散檢測模型均根據歷史交易行為資料確定,包括:針對任一歷史交易行為資料,確定該任一歷史交易行為資料的多個行為指標;根據確定的該任一歷史交易行為資料的多個行為指標,從該任一歷 史交易行為資料中提取第二連續型指標資料和第二離散型指標資料,並確定各第二連續型指標資料對應的行為屬性和各第二離散型指標資料對應的行為屬性,其中,各第二連續型指標資料對應的行為屬性和各第二離散型指標資料對應的行為屬性是根據該任一歷史交易行為資料的行為屬性確定的,該任一歷史交易行為資料的行為屬性包括合法交易行為或非法交易行為;對各歷史交易行為資料的第二連續型指標資料及第二連續型指標資料對應的行為屬性進行模型訓練得到連續檢測模型;對各歷史交易行為資料的第二離散型指標資料及第二離散型指標資料對應的行為屬性進行模型訓練得到離散檢測模型。 Among them, the continuous detection model and the discrete detection model are determined based on historical transaction behavior data, including: for any historical transaction behavior data, determining multiple behavior indicators of the historical transaction behavior data; according to the determined historical transaction behavior Data for multiple behavior indicators, extract the second continuous indicator data and the second discrete indicator data from any historical transaction behavior data, and determine the behavior attributes and each second discrete type corresponding to each second continuous indicator data The behavior attributes corresponding to the indicator data, wherein the behavior attributes corresponding to each second continuous indicator data and the behavior attributes corresponding to each second discrete indicator data are determined based on the behavior attributes of any historical trading behavior data, The behavior attributes of historical transaction behavior data include legal transaction behavior or illegal transaction behavior; model training is performed on the second continuous indicator data and the second continuous indicator data of each historical transaction behavior data to obtain a continuous detection model; The second discrete indicator data of historical transaction behavior data and the second Discrete indicator data is subjected to model training to obtain a discrete detection model.
其中,根據確定的該任一歷史交易行為資料的多個行為指標,從該任一歷史交易行為資料中提取第二連續型指標資料和第二離散型指標資料,包括:計算各行為指標之間的相關性;根據各行為指標之間的相關性,確定出代表性的行為指標,代表性的行為指標包括從強關聯的各行為指標中確定的一個行為指標及弱關聯的各行為指標;將代表性的行為指標分為第二連續型指標和第二離散型指標;根據第二連續型指標和第二離散型指標,從該任一歷史交易行為資料中提取第二連續型指標資料和第二離散型指標資料。 Wherein, extracting the second continuous indicator data and the second discrete indicator data from the any historical transaction behavior data according to the determined multiple behavior indicators of the historical transaction behavior data, including: calculating between each behavior indicator According to the correlation between various behavioral indicators, a representative behavioral indicator is determined. The representative behavioral indicators include a behavioral indicator determined from the strongly correlated behavioral indicators and weakly correlated behavioral indicators; The representative behavior indicators are divided into the second continuous indicator and the second discrete indicator; according to the second continuous indicator and the second discrete indicator, the second continuous indicator data and the second continuous indicator are extracted from the historical transaction behavior data. Two discrete indicator data.
其中,對各歷史交易行為資料的第二連續型指標資料及第二連續型指標資料對應的行為屬性進行模型訓練得到連續檢測模型,包括: 採用邏輯回歸演算法對各歷史交易行為資料的第二連續型指標資料及第二連續型指標資料對應的行為屬性進行模型訓練,得到連續檢測模型;對各歷史交易行為資料的第二離散型指標資料及第二離散型指標資料對應的行為屬性進行模型訓練得到離散檢測模型,包括:採用決策樹演算法對各歷史交易行為資料的第二離散型指標資料及第二離散型指標資料對應的行為屬性進行模型訓練,得到離散檢測模型。 Among them, model training is performed on the second continuous indicator data of each historical transaction behavior data and the behavior attributes corresponding to the second continuous indicator data to obtain a continuous detection model, including: using a logistic regression algorithm to second the historical transaction behavior data The continuous attribute data and the second continuous index data are used to perform model training to obtain a continuous detection model. The second discrete indicator data and the second discrete index data of each historical transaction behavior data are modeled. The training obtains the discrete detection model, including: using a decision tree algorithm to perform model training on the second discrete indicator data of each historical transaction behavior data and the behavior attributes corresponding to the second discrete indicator data to obtain a discrete detection model.
其中,根據第一機率和第二機率得到第三機率,包括:根據第一關係對第一機率和第二機率進行計算,得到第三機率;第一關係通過以下方式得到:擬合連續檢測模型和離散檢測模型之間的運算關係;確定擬合結果與歷史交易行為資料的真實結果是否滿足預設精度;將滿足預設精度的擬合結果作為第一關係。 The third probability is obtained according to the first probability and the second probability, including: calculating the first probability and the second probability according to the first relationship to obtain a third probability; the first relationship is obtained by: fitting a continuous detection model And the discrete detection model; determine whether the fitting result and the true result of historical trading behavior data meet the preset accuracy; and use the fitting result that meets the preset accuracy as the first relationship.
本發明實施例提供一種非法交易檢測裝置,包括:收發模組,用於獲取使用者的當前交易行為資料;處理模組,用於根據當前交易行為資料的多個行為指標,從當前交易行為資料中提取第一連續型指標資料和第一離散型指標資料;根據第一連續型指標資料和連續檢測模型計算當前交易行為的第一機率,以及,根據第一離散型指標資料和離散檢測模型計算當前交易行為的第二機率;連續檢測模型和離散檢測模型均根據歷史交易行為資料確定;根據第一機率和第二機率得到第三機率,第三機率為當前交易行為為非法交易的機率。 An embodiment of the present invention provides an illegal transaction detection device, including: a transceiver module for obtaining a user's current transaction behavior data; and a processing module for obtaining a plurality of behavior indicators from the current transaction behavior data from the current transaction behavior data Extract the first continuous indicator data and the first discrete indicator data; calculate the first probability of the current trading behavior based on the first continuous indicator data and the continuous detection model; and calculate based on the first discrete indicator data and the discrete detection model The second probability of the current transaction behavior; the continuous detection model and the discrete detection model are determined based on historical transaction behavior data; the third probability is obtained according to the first probability and the second probability, and the third probability is the probability that the current transaction behavior is an illegal transaction.
其中,處理模組還用於:判斷第三機率是否滿足第一門檻值; 當第三機率滿足第一門檻值時,判斷用戶的IP位址是否為已知的代理IP;當使用者的IP位址是已知的代理IP時,控制收發模組輸出當前交易行為為非法交易;當使用者的IP位址不是已知的代理IP時,則控制收發模組輸出當前交易行為為疑似代理IP。 The processing module is further configured to: determine whether the third probability meets the first threshold; when the third probability meets the first threshold, determine whether the user's IP address is a known proxy IP; when the user's IP When the address is a known proxy IP, the control transceiver module outputs the current transaction behavior as an illegal transaction; when the user's IP address is not a known proxy IP, the control transceiver module outputs the current transaction behavior as a suspected proxy IP .
其中,處理模組還用於:針對任一歷史交易行為資料,確定該任一歷史交易行為資料的多個行為指標;根據確定的該任一歷史交易行為資料的多個行為指標,從該任一歷史交易行為資料中提取第二連續型指標資料和第二離散型指標資料,並確定各第二連續型指標資料對應的行為屬性和各第二離散型指標資料對應的行為屬性,其中,各第二連續型指標資料對應的行為屬性和各第二離散型指標資料對應的行為屬性是根據該任一歷史交易行為資料的行為屬性確定的,該任一歷史交易行為資料的行為屬性包括合法交易行為或非法交易行為;對各歷史交易行為資料第二連續型指標資料及第二連續型指標資料對應的行為屬性進行模型訓練得到連續檢測模型;對各歷史交易行為資料第二離散型指標資料及第二離散型指標資料對應的行為屬性進行模型訓練得到離散檢測模型。 Among them, the processing module is further configured to: for any historical transaction behavior data, determine multiple behavior indicators of any historical transaction behavior data; according to the determined multiple behavior indicators of any historical transaction behavior data, A second continuous indicator data and a second discrete indicator data are extracted from a historical transaction behavior data, and a behavior attribute corresponding to each second continuous indicator data and a behavior attribute corresponding to each second discrete indicator data are determined, where each The behavior attributes corresponding to the second continuous indicator data and the behavior attributes corresponding to each second discrete indicator data are determined according to the behavior attributes of any historical transaction behavior data. The behavior attributes of any historical transaction behavior data include legal transactions. Behavior or illegal trading behavior; model training on the second continuous indicator data and the second continuous indicator data of each historical transaction behavior data to obtain a continuous detection model; the second discrete indicator data of each historical transaction behavior data and Discrete behavioral attributes corresponding to the second discrete index data to perform model training to obtain discrete Measurement model.
其中,處理模組具體用於:計算各行為指標之間的相關性;根據各行為指標之間的相關性,確定出代表性的行為指標,代表性的行 為指標包括從強關聯的各行為指標中確定的一個行為指標及弱關聯的各行為指標;將代表性的行為指標分為第二連續型指標和第二離散型指標;根據第二連續型指標和第二離散型指標,從該任一歷史交易行為資料中提取第二連續型指標資料和第二離散型指標資料。 Among them, the processing module is specifically used to: calculate the correlation between various behavior indicators; determine the representative behavior indicators according to the correlation between the behavior indicators, and the representative behavior indicators include the behavior indicators with strong correlation One behavioral indicator and weakly correlated behavioral indicators identified in the; the representative behavioral indicators are divided into a second continuous indicator and a second discrete indicator; according to the second continuous indicator and the second discrete indicator, from this task A second continuous indicator data and a second discrete indicator data are extracted from a historical transaction behavior data.
其中,處理模組具體用於:採用邏輯回歸演算法對各歷史交易行為資料第二連續型指標資料及第二連續型指標資料對應的行為屬性進行模型訓練,得到連續檢測模型;採用決策樹演算法對各歷史交易行為資料第二離散型指標資料及第二離散型指標資料對應的行為屬性進行模型訓練,得到離散檢測模型。 Among them, the processing module is specifically used for: adopting a logistic regression algorithm to perform model training on the second continuous indicator data and the second continuous indicator data of each historical transaction behavior data to obtain a continuous detection model; and use a decision tree algorithm The method performs model training on the second discrete indicator data and the second discrete indicator data of each historical transaction behavior data to obtain a discrete detection model.
其中,處理模組具體用於:根據第一關係對第一機率和第二機率進行計算,得到第三機率;第一關係通過以下方式得到:擬合連續檢測模型和離散檢測模型之間的運算關係;確定擬合結果與歷史交易行為資料的真實結果是否滿足預設精度;將滿足預設精度的擬合結果作為第一關係。 The processing module is specifically configured to calculate the first probability and the second probability according to a first relationship to obtain a third probability; the first relationship is obtained by: fitting a calculation between a continuous detection model and a discrete detection model Relationship; determine whether the fitting result and the real result of historical trading behavior data meet the preset accuracy; and use the fitting result that meets the preset accuracy as the first relationship.
本發明實施例提供一種電腦可讀儲存媒體,該電腦可讀儲存媒體儲存有電腦可執行指令,該電腦可執行指令用於使電腦執行上述所述的非法交易檢測方法。 An embodiment of the present invention provides a computer-readable storage medium. The computer-readable storage medium stores computer-executable instructions. The computer-executable instructions are used to cause a computer to execute the foregoing illegal transaction detection method.
本發明實施例提供一種計算設備,包括:記憶體,用於儲存程式指令;處理器,用於調用該記憶體中儲存的程式指令,按照獲得的程式指令執 行上述所述的非法交易檢測方法。 An embodiment of the present invention provides a computing device including a memory for storing program instructions, and a processor for calling program instructions stored in the memory, and performing the foregoing illegal transaction detection method according to the obtained program instructions.
本發明實施例提供一種電腦程式產品,當其在電腦上運行時,使得電腦執行上述所述的非法交易檢測方法。 An embodiment of the present invention provides a computer program product that, when run on a computer, causes the computer to execute the aforementioned illegal transaction detection method.
綜上所述,本發明實施例提供一種非法交易檢測方法及裝置,其中非法交易檢測方法包括:獲取使用者的當前交易行為資料;根據當前交易行為資料的多個行為指標,從當前交易行為資料中提取第一連續型指標資料和第一離散型指標資料;根據第一連續型指標資料和連續檢測模型計算當前交易行為的第一機率,以及,根據該第一離散型指標資料和離散檢測模型計算當前交易行為的第二機率;連續檢測模型和離散檢測模型均根據歷史交易行為資料確定;根據第一機率和第二機率得到第三機率,第三機率為當前交易行為為非法交易的機率。在該檢測過程中,所用到的連續檢測模型和離散檢測模型是由歷史交易行為資料確定的,因此,連續檢測模型和離散檢測模型中包含了使用者交易行為的規律,將當前交易行為資料登錄連續檢測模型和離散檢測模型,便能獲得兩個模型計算的當前交易行為為非法交易的機率,由於使用者的交易行為有多個指標,將當前交易行為資料分為第一連續型指標資料和第一離散型指標資料後再分別根據連續檢測模型和離散檢測模型計算,可以提高計算結果的精度,因此,本發明實施例針對使用者交易行為特徵來分辨使用者的交易行為是否合法,而不針對網路通訊協定層檢測使用者交易行為,從而提高了檢測的精度。 In summary, the embodiments of the present invention provide an illegal transaction detection method and device, wherein the illegal transaction detection method includes: obtaining a user's current transaction behavior data; and from a plurality of behavior indicators of the current transaction behavior data, the current transaction behavior data Extract the first continuous indicator data and the first discrete indicator data; calculate the first probability of the current trading behavior based on the first continuous indicator data and the continuous detection model; and, based on the first discrete indicator data and the discrete detection model Calculate the second probability of the current transaction behavior; the continuous detection model and the discrete detection model are determined based on historical transaction behavior data; the third probability is obtained according to the first probability and the second probability, and the third probability is the probability that the current transaction behavior is an illegal transaction. In this detection process, the continuous detection model and discrete detection model used are determined by historical transaction behavior data. Therefore, the continuous detection model and discrete detection model contain the rules of user transaction behavior, and the current transaction behavior data is registered. Continuous detection model and discrete detection model can obtain the probability that the current transaction behavior calculated by the two models is illegal. Because the user's transaction behavior has multiple indicators, the current transaction behavior data is divided into the first continuous indicator data and The first discrete indicator data is then calculated according to the continuous detection model and the discrete detection model, which can improve the accuracy of the calculation result. Therefore, the embodiment of the present invention discriminates whether the user's transaction behavior is legal according to the characteristics of the user's transaction behavior. Detection of user transaction behaviors at the network protocol layer improves detection accuracy.
S101~S104‧‧‧非法交易檢測步驟 S101 ~ S104‧‧‧Illegal transaction detection steps
S201~S203‧‧‧構建連續檢測模型和離散檢測模型步驟 S201 ~ S203‧‧‧Construction of continuous detection model and discrete detection model steps
500‧‧‧檢測裝置 500‧‧‧testing device
501‧‧‧收發模組 501‧‧‧Transceiver Module
502‧‧‧處理模組 502‧‧‧Processing Module
601‧‧‧中央處理器 601‧‧‧Central Processing Unit
602‧‧‧記憶體 602‧‧‧Memory
603‧‧‧輸入設備 603‧‧‧ input device
604‧‧‧輸出設備 604‧‧‧Output device
為了更清楚地說明本發明實施例中的技術方案,下面將對實施例描述中所需要使用的附圖作簡要介紹,顯而易見地,下面描述中的附圖僅僅是本發明的一些實施例,對於本領域的通常知識者來講,在不經大量試驗的前提下,還可以根據這些附圖獲得其他的附圖。 In order to explain the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention. For those of ordinary skill in the art, other drawings can be obtained based on these drawings without extensive testing.
圖1為本發明實施例提供的一種非法交易檢測方法流程圖;圖2為本發明實施例提供的一種構建連續檢測模型和離散檢測模型的方法流程圖;圖3為本發明實施例提供的一種決策樹示意圖;圖4為本發明實施例提供的一個非法交易檢測識別流程圖;圖5為本發明實施例提供的一種非法交易檢測裝置結構示意圖;圖6為本發明實施例提供的一種計算設備結構示意圖。 FIG. 1 is a flowchart of an illegal transaction detection method according to an embodiment of the present invention; FIG. 2 is a flowchart of a method for constructing a continuous detection model and a discrete detection model according to an embodiment of the present invention; and FIG. 3 is a flowchart provided by an embodiment of the present invention Decision tree diagram; Figure 4 is a flowchart of illegal transaction detection and identification provided by an embodiment of the present invention; Figure 5 is a schematic structural diagram of an illegal transaction detection device provided by an embodiment of the present invention; Figure 6 is a computing device provided by an embodiment of the present invention Schematic.
為了使本發明的目的、技術方案和優點更加清楚,下面將結合附圖對本發明作進一步地詳細描述,顯然,所描述的實施例僅僅是本發明一部份實施例,而不是全部的實施例。基於本發明中的實施例,本領域通常知識者在沒有經大量試驗前提下所獲得的所有其它實施例,都屬於本發明保護的範圍。 In order to make the objectives, technical solutions, and advantages of the present invention clearer, the present invention will be described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the present invention, not all the embodiments. . Based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without a large number of tests belong to the protection scope of the present invention.
圖1為本發明實施例提供的一種非法交易檢測方法流程圖,如圖1所示,包括以下步驟:步驟S101:獲取使用者的當前交易行為資料;步驟S102:根據當前交易行為資料的多個行為指標,從當前交易行為 資料中提取第一連續型指標資料和第一離散型指標資料;步驟S103:根據第一連續型指標資料和連續檢測模型計算當前交易行為的第一機率,以及,根據第一離散型指標資料和離散檢測模型計算當前交易行為的第二機率;連續檢測模型和離散檢測模型均根據歷史交易行為資料確定;步驟S104:根據第一機率和第二機率得到第三機率,第三機率為當前交易行為為非法交易的機率。 FIG. 1 is a flowchart of an illegal transaction detection method according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps: step S101: obtaining a user's current transaction behavior data; step S102: Behavior indicators, extracting the first continuous indicator data and the first discrete indicator data from the current transaction behavior data; step S103: calculating the first probability of the current transaction behavior according to the first continuous indicator data and the continuous detection model, and The first discrete indicator data and the discrete detection model calculate a second probability of the current trading behavior; the continuous detection model and the discrete detection model are determined based on historical transaction behavior data; step S104: obtaining a third probability based on the first probability and the second probability, The third probability is that the current transaction behavior is an illegal transaction.
具體實施過程中,本發明實施例既可用於終端支付、銀行轉帳,也可以用於支付寶交易,微信交易等多種交易途徑,即適用於普通IP交易,也適用於代理IP交易,尤其是對於目前仍沒有理想檢測手段的基於代理IP訪問的交易,可以在保證不誤殺正常交易的情況下,準確識別非法交易。 In the specific implementation process, the embodiments of the present invention can be used for terminal payment, bank transfer, Alipay transactions, WeChat transactions and other transaction channels, which are applicable to ordinary IP transactions and proxy IP transactions, especially for current Transaction based on proxy IP access, which still has no ideal detection method, can accurately identify illegal transactions without ensuring that normal transactions are accidentally killed.
在步驟S101中,對使用者當前交易行為資料進行採集時,是按照即將被用來計算資料的連續檢測模型和離散檢測模型中包含的指標來確定採集何種資料的,連續檢測模型和離散檢測模型中包含了與使用者交易行為是否合法的關聯度較高的一些指標,對使用者當前交易行為資料的採集,需針對這些指標採集,這樣採集的資料才可以被應用於連續檢測模型和離散檢測模型的計算。例如,連續檢測模型中包含了交易金額這一指標,離散檢測模型中包含了擊鍵間隔時間這一指標,則對使用者當前交易行為資料進行採集時可採集交易金額和擊鍵間隔時間這兩個指標對應的資料。 In step S101, when the user's current transaction behavior data is collected, the data to be collected is determined according to the indicators included in the continuous detection model and the discrete detection model that will be used to calculate the data. The continuous detection model and the discrete detection The model contains some indicators that have a high degree of relevance to whether the user's transaction behavior is legal. The user's current transaction behavior data collection needs to be collected for these indicators so that the collected data can be used in continuous detection models and discrete Calculation of detection model. For example, the continuous detection model includes the indicator of transaction amount, and the discrete detection model includes the indicator of keystroke interval time. When the user's current transaction behavior data is collected, the transaction amount and keystroke interval time can be collected. Data for each indicator.
在步驟S102中,對於連續型指標和離散型指標的劃分是人 為規定的,一般與銀行的常用處理方法相一致,例如對於一些連續變化的變數,如交易金額、交易時間等指標是連續型指標,而對於如擊鍵間隔,正常擊鍵間隔之間差異相對於機器人擊鍵間隔之間的差異來說大得多,因此不需記錄每次擊鍵的時間而只需記錄其是否間隔過小即可,因此為離散型指標。如,對於擊鍵間隔大於0.5秒的擊鍵行為認為其為正常擊鍵間隔,記錄為1,而對於擊鍵間隔小於0.5秒的擊鍵行為,認為其為機器人擊鍵,記錄為0,對於使用者擊鍵間隔的資料總體上只有0和1兩種,因此為離散型指標。 In step S102, the division of continuous indicators and discrete indicators is artificially defined, and is generally consistent with the common processing methods of banks. For example, for some continuously changing variables, such as indicators such as transaction amount and transaction time, they are continuous indicators. For the keystroke interval, the difference between the normal keystroke interval is much larger than the difference between the robot keystroke interval, so it is not necessary to record the time of each keystroke, but only whether the interval is too small. Yes, so it is a discrete indicator. For example, for a keystroke with a keystroke interval greater than 0.5 seconds, it is considered to be a normal keystroke interval, recorded as 1, and for a keystroke with a keystroke interval less than 0.5 seconds, it is considered to be a robot keystroke, recorded as 0. For The data of the user's keystroke interval is generally only 0 and 1, so it is a discrete indicator.
在步驟S103中,會將從使用者當前交易行為資料中提取的第一連續型指標資料和第一離散型指標資料分別與連續檢測模型和離散檢測模型進行處理,獲取兩個機率數值,即第一機率和第二機率。 In step S103, the first continuous indicator data and the first discrete indicator data extracted from the user's current transaction behavior data are processed with the continuous detection model and the discrete detection model, respectively, to obtain two probability values, namely the first First chance and second chance.
本創作中,圖2為本發明實施例提供的一種構建連續檢測模型和離散檢測模型的方法流程圖,如圖2所示,包括以下步驟:S201:針對任一歷史交易行為資料,確定該任一歷史交易行為資料的多個行為指標;根據確定的該任一歷史交易行為資料的多個行為指標,從該任一歷史交易行為資料中提取第二連續型指標資料和第二離散型指標資料,並確定各第二連續型指標資料對應的行為屬性和各第二離散型指標資料對應的行為屬性,其中,各第二連續型指標資料對應的行為屬性和各第二離散型指標資料對應的行為屬性是根據該任一歷史交易行為資料的行為屬性確定的,該任一歷史交易行為資料的行為屬性包括合法交易行為或非法交易行為;S202:對各歷史交易行為資料的第二連續型指標資料及第二連續型指標 資料對應的行為屬性進行模型訓練得到該連續檢測模型;S203:對各歷史交易行為資料的第二離散型指標資料及第二離散型指標資料對應的行為屬性進行模型訓練得到該離散檢測模型。 In the present creation, FIG. 2 is a flowchart of a method for constructing a continuous detection model and a discrete detection model according to an embodiment of the present invention. As shown in FIG. 2, the method includes the following steps: S201: For any historical transaction behavior data, determine the task. A plurality of behavior indicators of a historical transaction behavior data; and a second continuous indicator data and a second discrete indicator data are extracted from the historical transaction behavior data according to the determined plurality of behavior indicators of the historical transaction behavior data And determine the behavior attribute corresponding to each second continuous indicator data and the behavior attribute corresponding to each second discrete indicator data, wherein the behavior attribute corresponding to each second continuous indicator data and the second discrete indicator data correspond to The behavior attributes are determined based on the behavior attributes of any historical transaction behavior data, and the behavior attributes of any historical transaction behavior data include legal transaction behaviors or illegal transaction behaviors; S202: the second continuous indicator of historical transaction behavior data Data and the second continuous index data corresponding to the behavior attributes of the model training to obtain the continuous detection Type; S203: second discrete historical index data for each transaction data and index data corresponding to the second discrete behavioral attributes of the model is trained to detect the discrete model.
在本創作中,步驟S201之前,可預先佈置代理伺服器,用以獲取使用者的行為資料。其中,代理伺服器可部署一台或多台,甚至也可以是雲伺服器,合法或非法用戶均可如同使用常用代理方式那樣使用代理伺服器。其中,代理伺服器可人為開發也可以購買外部代理伺服器進行部署,使用者通過代理伺服器進行交易的一舉一動都被記錄在代理伺服器中。其中,預先部署的代理伺服器的IP位址構成了代理IP池。其中,對代理伺服器記錄的使用者交易行為進行即時的採集並儲存於資料庫中,這些使用者交易行為既包括了合法使用者交易行為,也包括了非法使用者交易行為,即時的採集可以防止非法使用者刪除代理伺服器記錄的非法交易行為資料。其中,採集的交易行為包括,使用者使用代理的方式,如是否存在多級代理、是否為機器人代理等;使用者登錄行為,如輸入密碼的快慢、輸錯的頻率等;使用者流覽頁面的點擊行為,如是否進行刷單行為、機器人行為等;使用者進行交易的行為,如支付登錄、密碼輸入、交易金額等。其中,歷史交易行為的採集應長期運作並週期性更新代理IP池,包括去除已無用的代理IP以及添加新的代理IP,以收集足夠多的使用者交易行為記錄。 In this creation, before step S201, a proxy server may be arranged in advance to obtain user behavior data. Among them, the proxy server can be deployed with one or more, or even a cloud server. Legal or illegal users can use the proxy server in the same way as common proxy methods. Among them, the proxy server can be manually developed or purchased by an external proxy server for deployment, and the user's every transaction performed by the proxy server is recorded in the proxy server. The IP address of the pre-deployed proxy server constitutes the proxy IP pool. Among them, real-time collection of user transaction behavior recorded by the proxy server is stored in the database. These user transaction behavior includes both legal user transaction behavior and illegal user transaction behavior. Real-time collection can Prevent illegal users from deleting the illegal transaction data recorded by the proxy server. Among them, the collected transaction behaviors include the ways in which users use agents, such as whether there are multi-level agents, whether they are robot agents, etc .; user login behaviors, such as the speed of entering passwords, the frequency of incorrect input, etc .; users browse pages Click behaviors, such as whether to perform order swipe behaviors, robot behaviors, etc .; users' transaction behaviors, such as payment login, password input, transaction amount, etc. Among them, the collection of historical transaction behaviors should be operated for a long time and the proxy IP pool should be periodically updated, including removing the useless proxy IPs and adding new proxy IPs in order to collect sufficient user transaction behavior records.
在步驟S201的具體實施中,各歷史交易行為由多個行為指標組成,例如,登錄環節輸錯密碼的次數,輸入密碼用時,輸入驗證碼的次數,輸入驗證碼用時等多種行為指標,又例如,交易環節中的交易金額, 交易時間,交易對象等行為指標。其中,可根據經驗設定或理論推導進行行為指標的設定,總之,對於行為指標的設定應包含儘量多的可能反應交易行為是否合法的指標,避免將重要指標遺漏。在獲取歷史交易行為資料的多個行為指標後,可先從歷史交易行為的多個行為指標中獲得第二連續型指標和第二離散型指標,再根據第二連續型指標和第二離散型指標從歷史交易行為資料中提取第二連續型指標資料和第二離散型指標資料。對於歷史交易行為的諸多行為指標,有相當一部分指標間反應的交易行為特徵是一致的,此時,只需用其中一個行為指標即可。其中,根據該各行為指標之間的相關性,篩選出具有代表性的行為指標並分為第二連續型指標和第二離散型指標,如有A、B、C、D四個行為指標,其中,A指標與B、C、D三個指標都有強相關性,此時,只需保留A指標即可反應A、B、C、D四個行為指標反應的交易行為特徵。根據各行為指標之間的相關性,篩選出具有代表性的行為指標之後,將篩選出的行為指標分為第二連續型指標和第二離散型指標,劃分規則與前述劃分第一連續型指標和第一離散型指標的規則一致。根據第二連續型指標和第二離散型指標從歷史行為資料中提取第二連續型指標資料和第二離散型指標資料,通過篩選出具有代表性的行為指標來表示交易行為的行為特徵,能夠實現在保證資料有效性不受損壞的前提下對歷史交易行為資料的精簡。此外,還需判斷歷史交易行為中各歷史交易行為是否為非法交易,以確定各第二連續型指標資料對應的行為屬性和各第二離散型指標資料對應的行為屬性,其中,行為屬性是根據歷史交易行為資料的行為屬性確定的,歷史交易行為資料的行為屬性包括合法交易行為和非法交易行為,即每一條歷史交易行為資料都會分為多個 第二連續型資料和第二離散型資料,若某一個歷史交易行為為合法交易行為,則此歷史交易行為所對應的第二連續型資料和第二離散型資料對應的行為屬性為合法交易行為;若某一個歷史交易行為為非法交易行為,則此歷史交易行為所對應的第二連續型資料和第二離散型資料對應的行為屬性為非法交易。各歷史交易行為資料中的第二連續型指標資料和第二離散型指標資料及它們所對應的行為屬性共同構成了特徵庫。其中,對非法交易的判斷可依據預先設定的非法交易規則進行評判,如登錄環節中,多次輸錯密碼來進行撞庫行為、構建機器登錄行為、登錄地經常變換且相隔較遠等等,又如交易環節中,支付時IP位址發生變化、回應時間較長等等。 In the specific implementation of step S201, each historical transaction behavior is composed of multiple behavior indicators, for example, the number of incorrect passwords during login, the number of times to enter a password, the number of times to enter a verification code, and the time to enter a verification code. For another example, transaction indicators such as transaction amount, transaction time, and transaction object in the transaction link. Among them, the setting of behavioral indicators can be based on empirical settings or theoretical derivation. In short, the setting of behavioral indicators should include as many indicators as possible that can reflect the legality of trading behaviors to avoid missing important indicators. After obtaining multiple behavior indicators of historical transaction behavior data, a second continuous indicator and a second discrete indicator may be obtained from the multiple behavior indicators of the historical transaction behavior, and then based on the second continuous indicator and the second discrete type The indicator extracts the second continuous indicator data and the second discrete indicator data from the historical transaction behavior data. For many behavioral indicators of historical trading behavior, quite a few of them reflect the same behavioral characteristics of trading behavior. At this time, only one of the behavioral indicators is needed. Among them, according to the correlation between the behavior indicators, a representative behavior indicator is selected and divided into a second continuous indicator and a second discrete indicator. If there are four behavior indicators, A, B, C, and D, Among them, the A indicator has strong correlation with the three indicators B, C, and D. At this time, only the A indicator can be retained to reflect the transaction behavior characteristics of the four behavior indicators A, B, C, and D. According to the correlation between various behavior indicators, after selecting representative behavior indicators, the selected behavior indicators are divided into a second continuous indicator and a second discrete indicator. Consistent with the rules of the first discrete indicator. According to the second continuous indicator and the second discrete indicator, the second continuous indicator data and the second discrete indicator data are extracted from the historical behavior data, and the behavior characteristics of the trading behavior can be expressed by filtering out representative behavior indicators, which can Realize the streamlining of historical transaction behavior data on the premise of ensuring that the validity of the data is not damaged. In addition, it is necessary to determine whether each historical trading behavior in the historical trading behavior is an illegal transaction to determine the behavior attribute corresponding to each second continuous indicator data and the behavior attribute corresponding to each second discrete indicator data, where the behavior attribute is based on The behavior attributes of historical transaction behavior data are determined. The behavior attributes of historical transaction behavior data include legal transaction behavior and illegal transaction behavior, that is, each piece of historical transaction behavior data will be divided into multiple second continuous data and second discrete data. If a certain historical transaction behavior is a legal transaction behavior, the behavior attribute corresponding to the second continuous data and the second discrete data corresponding to this historical transaction behavior is a legal transaction behavior; if a certain historical transaction behavior is an illegal transaction behavior, The behavior attribute corresponding to the second continuous data and the second discrete data corresponding to this historical transaction behavior is an illegal transaction. The second continuous indicator data and the second discrete indicator data in each historical transaction behavior data and their corresponding behavior attributes form a feature library. Among them, the judgment of illegal transactions can be judged according to the preset illegal transaction rules. For example, during the login process, the wrong password is entered many times to perform the database collision behavior, the machine login behavior is constructed, the login location is frequently changed and separated from each other, etc. For another example, during the transaction, the IP address changes during the payment, and the response time is long.
表一為本發明實施例中提出的一種特徵庫的表現形式,如表一所示,行為屬性以0和1表示,0表示非法交易,1表示合法交易,每一個交易行為都由指標A、指標B、指標C來表示行為特徵,其中,指標A和指標B為連續型指標,指標C為離散型指標,指標A為a1,指標B為b1,指標C為c1的交易行為為合法交易行為,指標A為a2,指標B為b2,指標C為c2的交易行為為非法交易行為。 Table 1 is a representation form of a feature database proposed in the embodiment of the present invention. As shown in Table 1, behavior attributes are represented by 0 and 1, 0 represents an illegal transaction, and 1 represents a legal transaction. Each transaction behavior is represented by indicators A, Indicators B and C represent behavior characteristics. Among them, indicator A and indicator B are continuous indicators, indicator C is a discrete indicator, indicator A is a1, indicator B is b1, and indicator C is c1. The transaction behavior is legal transaction behavior. , The indicator A is a2, the indicator B is b2, and the indicator C is c2. The transaction behavior is illegal transaction behavior.
在步驟S202的具體實施過程中,從特徵庫中提取第二連續型指標資料及與其對應的行為屬性,以表一所示的特徵庫為例,從表一中 提取如表二所示的資料,如表二所示,表二中保留了表一中連續指標A和連續指標B以及它們所對應的行為屬性。 In the specific implementation process of step S202, the second continuous indicator data and the corresponding behavior attributes are extracted from the feature database. Taking the feature database shown in Table 1 as an example, the data shown in Table 2 is extracted from Table 1. As shown in Table 2, the continuous indicators A and B in Table 1 and their corresponding behavior attributes are retained in Table 2.
獲取如表二所示的資料後,採用邏輯回歸演算法對各第二連續型指標資料及各第二連續型指標資料對應的行為屬性進行模型訓練,得到連續檢測模型。邏輯回歸適用於引數和因變數是線性關係的情況,因此邏輯回歸只適用於連續型指標資料的分析。根據邏輯回歸演算法,對如表二所示的資料作線性擬合,引數為連續指標A和連續指標B,因變數為交易行為為非法交易的機率,從而擬合出連續指標A和連續指標B與交易行為為非法交易的機率之間的線性關係。 After obtaining the data shown in Table 2, the logistic regression algorithm is used to perform model training on each second continuous index data and the behavior attributes corresponding to each second continuous index data to obtain a continuous detection model. Logistic regression is applicable to the case where the argument and the dependent variable are linear, so logistic regression is only applicable to the analysis of continuous indicator data. According to the logistic regression algorithm, a linear fit is performed on the data shown in Table 2. The arguments are continuous index A and continuous index B, and the dependent variable is the probability of the transaction behavior being illegal trading, thereby fitting continuous index A and continuous The linear relationship between indicator B and the probability that the transaction is an illegal transaction.
在步驟S203的具體實施過程中,從特徵庫中提取第二離散型指標資料及其對應的行為屬性,以表一所示的特徵庫為例,從表一中提取如表三所示的資料,如表三所示,表三中保留了表一中關於離散指標C以及離散指標C所對應的行為屬性。 In the specific implementation process of step S203, the second discrete index data and its corresponding behavior attributes are extracted from the feature database. Taking the feature database shown in Table 1 as an example, the data shown in Table 1 are extracted from Table 1. As shown in Table 3, Table 3 retains the discrete attribute C and the corresponding behavior attributes of the discrete index C in Table 1.
獲取如表三所示的資料後,採用決策樹演算法對各第二離散型指標資料及各第二離散型指標資料對應的行為屬性進行模型訓練,得到離散檢測模型對第二離散型指標資料進行模型訓練。決策樹是一種逼近離散值目標函數的方法,在這種方法中學習到的函數模型被表示為一棵決策樹,樹上包括多個節點,每個節點下的分支表示的是該節點的一個可能結果,具體到本發明實施例中,決策樹的節點指的是第二離散型指標資料,圖3為本發明實施例提供的一種決策樹示意圖,如圖3所示,決策樹中主要包括了3個指標:指標1、指標2和指標3,每個指標都對應兩種值0和1,決策樹共有4種機率計算結果:結果1、結果2、結果3和結果4,這四個結果都是根據從特徵庫中提取第二離散型指標資料及其對應的行為屬性獲得的。 After obtaining the data shown in Table 3, a decision tree algorithm is used to perform model training on each of the second discrete index data and the behavior attributes corresponding to each of the second discrete index data to obtain a discrete detection model for the second discrete index data. Perform model training. A decision tree is a method for approximating a discrete-valued objective function. The function model learned in this method is represented as a decision tree. The tree includes multiple nodes. The branch under each node represents one of the nodes. Possible result. Specifically, in the embodiment of the present invention, the nodes of the decision tree refer to the second discrete index data. FIG. 3 is a schematic diagram of a decision tree provided by the embodiment of the present invention. As shown in FIG. 3, the decision tree mainly includes There are three indicators: indicator 1, indicator 2 and indicator 3, each indicator corresponds to two values 0 and 1, and the decision tree has 4 kinds of probability calculation results: result 1, result 2, result 3 and result 4, these four The results are obtained by extracting the second discrete index data and its corresponding behavior attributes from the feature database.
其中,步驟S202和步驟S203的執行順序並不固定,既可以先執行步驟S202,也可以先執行步驟S203,更可以同時執行步驟S202和步驟S203。 The execution order of steps S202 and S203 is not fixed. You can execute step S202 or step S203 first, or you can execute steps S202 and S203 at the same time.
獲取連續檢測模型和離散模型之後,還可建立兩個模型之間的運算關係將兩個模型的計算結果結合起來。其中,擬合連續檢測模型和離散檢測模型之間的運算關係;確定擬合結果與歷史交易行為資料的真實結果是否滿足預設精度;將滿足預設精度的擬合結果作為第一關係。上述過程也是基於大資料統計分析的過程,不斷調整連續檢測模型和離散檢測模型之間的運算關係,直至運算結果的精度達到預設精度,此時連續檢測 模型和離散檢測模型之間的運算關係稱為第一關係。 After obtaining the continuous detection model and the discrete model, the operation relationship between the two models can also be established to combine the calculation results of the two models. Among them, the operational relationship between the continuous detection model and the discrete detection model is fitted; it is determined whether the fitted result and the true result of the historical transaction behavior data satisfy the preset accuracy; and the fit result that meets the preset accuracy is taken as the first relationship. The above process is also a process based on statistical analysis of big data. The calculation relationship between the continuous detection model and the discrete detection model is continuously adjusted until the accuracy of the operation result reaches a preset accuracy. At this time, the operation relationship between the continuous detection model and the discrete detection model is adjusted. Called the first relationship.
在步驟S103的具體實施中,將第一連續型指標資料登錄連續檢測模型,連續檢測模型根據第一連續性指標資料計算出第一連續型指標資料所表示的交易行為是非法交易的機率,稱為第一機率;將第一離散型指標資料登錄離散檢測模型,離散檢測模型根據第一離散型指標資料計算出第一離散型指標資料所表示的交易行為是非法交易的機率,稱為第二機率。 In the specific implementation of step S103, the first continuous indicator data is registered in the continuous detection model, and the continuous detection model calculates the probability that the transaction behavior indicated by the first continuous indicator data is an illegal transaction according to the first continuous indicator data. Is the first probability; the first discrete indicator data is registered in the discrete detection model, and the discrete detection model calculates the probability that the transaction behavior represented by the first discrete indicator data is an illegal transaction based on the first discrete indicator data, which is called the second probability Chance.
在步驟S104的具體實施中,當獲得第一機率和第二機率後,還需對第一機率和第二機率作進一步計算,將二者結合起來,所用的運算關係便是在建立連續檢測模型和離散檢測模型之後,通過大資料統計分析,獲得的連續檢測模型和離散檢測模型之間的第一關係。 In the specific implementation of step S104, after obtaining the first probability and the second probability, it is necessary to further calculate the first probability and the second probability, and to combine the two, the computing relationship used is to establish a continuous detection model The first relationship between the continuous detection model and the discrete detection model obtained through statistical analysis of big data after the discrete detection model.
其中,判斷第三機率是否滿足第一門檻值;若第三機率滿足第一門檻值,則判斷用戶的IP位址是否為已知的代理IP;若是已知的代理IP,則輸出當前交易行為為非法交易;若不是已知的代理IP,則輸出當前交易行為為疑似代理IP。第一門檻值可以根據經驗設定或理論推導獲得,其中,還可以設定第二門檻值,第三門檻值等多個門檻值,即對最後的計算結果採取分級處理的模式,根據不同的機率分級,採取不同的應對措施,而不是像往常一樣,採取通用的限制或禁止當前代理交易行為,這樣可以避免合法的代理交易行為被誤診,如留學生在國外利用代理訪問進行支付的情況等。其中,在對使用者當前交易行為資料進行分析之前,先查詢用戶IP位址是否為預設的IP地址,即用戶的IP地址是否位於IP池之中,若是,則將此IP位址標為代理IP,當第三機率滿足第一門檻值時,只需判斷 此IP位址是否被標為代理IP即可判斷其是否為代理IP位址。 Among them, determine whether the third probability meets the first threshold; if the third probability meets the first threshold, determine whether the user's IP address is a known proxy IP; if it is a known proxy IP, output the current transaction behavior It is an illegal transaction; if it is not a known proxy IP, the current transaction behavior is output as a suspected proxy IP. The first threshold value can be obtained based on empirical or theoretical derivation. Among them, multiple threshold values such as the second threshold value and the third threshold value can also be set, that is, the final calculation result is taken in a hierarchical processing mode and graded according to different probabilities. , Take different measures instead of adopting general restrictions or prohibitions on current agent transactions as usual, so that legal agent transactions can be prevented from being misdiagnosed, such as when international students use agent visits to make payments abroad. Among them, before analyzing the user's current transaction behavior data, first check whether the user's IP address is a preset IP address, that is, whether the user's IP address is in the IP pool, and if so, mark this IP address as a proxy IP, when the third probability meets the first threshold, just determine whether this IP address is marked as a proxy IP to determine whether it is a proxy IP address.
圖4為本發明實施例提供的一個非法交易檢測識別流程圖,如圖4所示,當用戶發起一筆線上交易時,若使用者發送的IP位址存在於已知的代理IP池中,則系統將此交易打上代理標識。其次,將當前使用者交易行為輸入檢測模型,此檢測模型既包括了連續檢測模型、離散檢測模型,也包括了連續檢測模型和離散檢測模型之間的第一關係,輸出不同機率等級的危險交易預警,機率越大,則當前為代理的欺詐交易風險較高。若使用者發送的IP位址不在伺服器發佈的代理IP位址集區中,則直接將其輸入至檢測模型中,輸出風險機率,根據機率的大小判斷IP位址為代理IP的疑似程度。最後,後臺交易系統可根據檢測模型輸出的機率大小,採取不同的應對措施。 FIG. 4 is a flowchart for detecting and identifying an illegal transaction according to an embodiment of the present invention. As shown in FIG. 4, when a user initiates an online transaction, if the IP address sent by the user exists in a known proxy IP pool, The system marks this transaction with an agent ID. Second, the current user's transaction behavior is input into the detection model. This detection model includes both continuous detection models, discrete detection models, and the first relationship between continuous detection models and discrete detection models. It outputs dangerous transactions with different probability levels. Early warning, the greater the probability, the higher the risk of fraudulent transactions for agents at present. If the IP address sent by the user is not in the proxy IP address pool issued by the server, it is directly input into the detection model, the risk probability is output, and the degree of likelihood of the IP address as the proxy IP is judged according to the probability. Finally, the background trading system can take different countermeasures according to the probability of the output of the detection model.
綜上所述,本發明實施例提供一種非法交易檢測方法,包括:獲取使用者的當前交易行為資料;根據當前交易行為資料的多個行為指標,從當前交易行為資料中提取第一連續型指標資料和第一離散型指標資料;根據第一連續型指標資料和連續檢測模型計算當前交易行為的第一機率,以及,根據該第一離散型指標資料和離散檢測模型計算當前交易行為的第二機率;連續檢測模型和離散檢測模型均根據歷史交易行為資料確定;根據第一機率和第二機率得到第三機率,第三機率為當前交易行為為非法交易的機率。在上述檢測過程中,所用到的連續檢測模型和離散檢測模型是由歷史交易行為資料確定的,因此,連續檢測模型和離散檢測模型中包含了使用者交易行為的規律,將當前交易行為輸入連續檢測模型和離散檢測模型,便能獲得兩個模型計算的當前交易行為為非法交易的機率, 由於使用者的交易行為有多個指標,將當前交易行為資料分為第一連續型指標資料和第一離散型指標資料後再分別根據連續檢測模型和離散檢測模型計算,可以提高計算結果的精度,因此,本發明實施例針對使用者交易行為特徵來分辨使用者的交易行為是否合法,而不針對網路通訊協定層檢測使用者交易行為,從而提高了檢測的精度。 In summary, an embodiment of the present invention provides a method for detecting illegal transactions, including: obtaining current transaction behavior data of a user; and extracting a first continuous indicator from the current transaction behavior data according to multiple behavior indicators of the current transaction behavior data. Data and the first discrete indicator data; calculating a first probability of the current trading behavior based on the first continuous indicator data and the continuous detection model; and calculating a second probability of the current trading behavior based on the first discrete indicator data and the discrete detection model Probability; continuous detection model and discrete detection model are determined based on historical transaction behavior data; a third probability is obtained according to the first probability and the second probability, and the third probability is the probability that the current transaction behavior is an illegal transaction. In the above detection process, the continuous detection model and discrete detection model used are determined by historical transaction behavior data. Therefore, the continuous detection model and discrete detection model contain the rules of user transaction behavior, and the current transaction behavior is input into the continuous The detection model and the discrete detection model can obtain the probability that the current transaction behavior calculated by the two models is an illegal transaction. Because the user's transaction behavior has multiple indicators, the current transaction behavior data is divided into the first continuous indicator data and the first After a discrete indicator data is calculated according to the continuous detection model and the discrete detection model, the accuracy of the calculation result can be improved. Therefore, the embodiment of the present invention discriminates whether the user's transaction behavior is legal according to the characteristics of the user's transaction behavior, but does not The network protocol layer detects user transaction behavior, thereby improving the accuracy of detection.
基於相同的技術構思,本發明實施例還提供一種非法交易檢測裝置,如圖5所示,檢測裝置500包括:收發模組501和處理模組502,其中:收發模組501,用於獲取使用者的當前交易行為資料;處理模組502,用於根據當前交易行為資料的多個行為指標,從當前交易行為資料中提取第一連續型指標資料和第一離散型指標資料;根據第一連續型指標資料和連續檢測模型計算當前交易行為的第一機率,以及,根據第一離散型指標資料和離散檢測模型計算當前交易行為的第二機率;連續檢測模型和離散檢測模型均根據歷史交易行為資料確定;根據第一機率和第二機率得到第三機率,第三機率為當前交易行為為非法交易的機率。 Based on the same technical concept, an embodiment of the present invention further provides an illegal transaction detection device. As shown in FIG. 5, the detection device 500 includes: a transceiver module 501 and a processing module 502, wherein the transceiver module 501 is used for obtaining and using The current transaction behavior data of the user; a processing module 502, configured to extract the first continuous indicator data and the first discrete indicator data from the current transaction behavior data according to multiple behavior indicators of the current transaction behavior data; according to the first continuous Data and continuous detection models calculate the first probability of the current trading behavior, and calculate the second probability of the current trading behavior based on the first discrete indicator data and the discrete detection model; both the continuous detection model and the discrete detection model are based on the historical trading behavior The data is determined; the third probability is obtained according to the first probability and the second probability, and the third probability is the probability that the current transaction behavior is an illegal transaction.
其中,處理模組502還用於:判斷第三機率是否滿足第一門檻值;當第三機率滿足第一門檻值時,判斷用戶的IP位址是否為已知的代理IP;當使用者的IP位址是已知的代理IP時,控制收發模組501輸出當前交易行為為非法交易;當使用者的IP位址不是已知的代理IP時,則控制收發模組501輸出當 前交易行為為疑似代理IP。 The processing module 502 is further configured to: determine whether the third probability meets the first threshold; when the third probability meets the first threshold, determine whether the user's IP address is a known proxy IP; when the user's When the IP address is a known proxy IP, the control transceiver module 501 outputs the current transaction behavior as an illegal transaction; when the user's IP address is not a known proxy IP, the control transceiver module 501 outputs the current transaction behavior as Suspected proxy IP.
其中,處理模組502還用於:針對任一歷史交易行為資料,確定該任一歷史交易行為資料的多個行為指標;根據確定的該任一歷史交易行為資料的多個行為指標,從該任一歷史交易行為資料中提取第二連續型指標資料和第二離散型指標資料,並確定各第二連續型指標資料對應的行為屬性和各第二離散型指標資料對應的行為屬性,其中,各第二連續型指標資料對應的行為屬性和各第二離散型指標資料對應的行為屬性是根據該任一歷史交易行為資料的行為屬性確定的,該任一歷史交易行為資料的行為屬性包括合法交易行為或非法交易行為;對各歷史交易行為資料第二連續型指標資料及第二連續型指標資料對應的行為屬性進行模型訓練得到連續檢測模型;對各歷史交易行為資料第二離散型指標資料及第二離散型指標資料對應的行為屬性進行模型訓練得到離散檢測模型。 Wherein, the processing module 502 is further configured to: for any historical transaction behavior data, determine multiple behavior indicators of the historical transaction behavior data; and according to the determined multiple behavior indicators of the historical transaction behavior data, Extract the second continuous indicator data and the second discrete indicator data from any historical transaction behavior data, and determine the behavior attributes corresponding to each second continuous indicator data and the behavior attributes corresponding to each second discrete indicator data, where: The behavior attributes corresponding to each second continuous indicator data and the behavior attributes corresponding to each second discrete indicator data are determined based on the behavior attributes of any historical transaction behavior data. The behavior attributes of any historical transaction behavior data include legal Trading behavior or illegal trading behavior; model training on the second continuous indicator data and the second continuous indicator data of each historical transaction behavior data to obtain a continuous detection model; second discrete indicator data on each historical transaction behavior data And the second discrete indicator data corresponding to the behavior attributes for model training Detection model.
其中,處理模組502具體用於:計算各行為指標之間的相關性;根據各行為指標之間的相關性,確定出代表性的行為指標,代表性的行為指標包括從強關聯的各行為指標中確定的一個行為指標及弱關聯的各行為指標;將代表性的行為指標分為第二連續型指標和第二離散型指標;根據第二連續型指標和第二離散型指標,從歷史交易行為資料中提取第二連續型指標資料和第二離散型指標資料。 Among them, the processing module 502 is specifically used to: calculate the correlation between the behavior indicators; determine the representative behavior indicators according to the correlation between the behavior indicators, and the representative behavior indicators include the behaviors from the strong correlation A behavior indicator and weakly related behavior indicators determined in the indicators; representative behavior indicators are divided into second continuous indicators and second discrete indicators; according to the second continuous indicators and the second discrete indicators, from the history The second continuous indicator data and the second discrete indicator data are extracted from the transaction behavior data.
其中,處理模組502具體用於:採用邏輯回歸演算法對各歷史交易行為資料第二連續型指標資料及第二連續型指標資料對應的行為屬性進行模型訓練,得到連續檢測模型;採用決策樹演算法對各歷史交易行為資料第二離散型指標資料及第二離散型指標資料對應的行為屬性進行模型訓練,得到離散檢測模型。 Among them, the processing module 502 is specifically used for: adopting a logistic regression algorithm to perform model training on the second continuous indicator data and the second continuous indicator data of each historical transaction behavior data to obtain a continuous detection model; using a decision tree The algorithm performs model training on the second discrete indicator data and the second discrete indicator data of each historical transaction behavior data to obtain a discrete detection model.
其中,處理模組502具體用於:根據第一關係對第一機率和第二機率進行計算,得到第三機率;第一關係通過以下方式得到:擬合連續檢測模型和離散檢測模型之間的運算關係;確定擬合結果與歷史交易行為資料的真實結果是否滿足預設精度;將滿足預設精度的擬合結果作為第一關係。 The processing module 502 is specifically configured to calculate a first probability and a second probability according to a first relationship to obtain a third probability. The first relationship is obtained by fitting a continuous detection model and a discrete detection model. Computational relationship; determining whether the fitting result and the true result of historical trading behavior data meet the preset accuracy; and taking the fitting result that meets the preset accuracy as the first relationship.
基於相同的技術構思,本發明實施例還提供一種計算設備,該計算設備具體可以為桌上型電腦、可擕式電腦、智慧手機、平板電腦、個人數位助理(Personal Digital Assistant,PDA)等。如圖6所示,為本發明實施例提供的一種計算設備結構示意圖,該計算設備可以包括中央處理器601(Central Processing Unit,CPU)、記憶體602、輸入設備603、輸出設備604等,輸入設備603可以包括鍵盤、滑鼠、觸控式螢幕等,輸出設備604可以包括顯示裝置,如液晶顯示器(Liquid Crystal Display,LCD)、陰極射線管(Cathode Ray Tube,CRT)等。 Based on the same technical concept, an embodiment of the present invention further provides a computing device. The computing device may specifically be a desktop computer, a portable computer, a smart phone, a tablet computer, a personal digital assistant (PDA), and the like. As shown in FIG. 6, it is a schematic structural diagram of a computing device according to an embodiment of the present invention. The computing device may include a central processing unit 601 (Central Processing Unit, CPU), a memory 602, an input device 603, an output device 604, and the like. The device 603 may include a keyboard, a mouse, a touch screen, and the like, and the output device 604 may include a display device, such as a liquid crystal display (Liquid Crystal Display, LCD), a cathode ray tube (CRT), and the like.
記憶體602可以包括唯讀記憶體(ROM)和隨機存取記憶體(RAM),並向中央處理器提供記憶體中儲存的程式指令和資料。在本發明實施例中,記憶體可以用於儲存本發明任一實施例所提供的方法的程 式,中央處理器通過調用記憶體儲存的程式指令,按照獲得的程式指令執行上述實施例所公開的非法交易檢測方法。 The memory 602 may include a read-only memory (ROM) and a random access memory (RAM), and provide program instructions and data stored in the memory to the central processing unit. In the embodiment of the present invention, the memory can be used to store the program of the method provided by any embodiment of the present invention. The central processing unit calls the program instructions stored in the memory and executes the program instructions disclosed in the foregoing embodiment according to the obtained program instructions. Detection methods for illegal transactions.
基於相同的技術構思,本發明實施例還提供一種電腦可讀儲存媒體,用於儲存為上述計算設備所用的電腦程式指令,其包含用於執行上述實施例所公開的非法交易檢測方法的程式。 Based on the same technical concept, an embodiment of the present invention further provides a computer-readable storage medium for storing computer program instructions for the above computing device, which includes a program for executing the illegal transaction detection method disclosed in the above embodiment.
該電腦儲存媒體可以是電腦能夠存取的任何可用媒體或資料存放裝置,包括但不限於磁性記憶體(例如軟碟、硬碟、磁帶、磁光碟(MO)等)、光學記憶體(例如CD、DVD、BD、HVD等)、以及唯讀記憶體(例如ROM、EPROM、EEPROM、快閃記憶體(NAND FLASH)、固態硬碟(SSD))等。 The computer storage medium can be any available media or data storage device that the computer can access, including but not limited to magnetic memory (such as floppy disks, hard disks, magnetic tapes, magneto-optical disks (MO), etc.), optical memory (such as CDs) , DVD, BD, HVD, etc.), and read-only memory (such as ROM, EPROM, EEPROM, flash memory (NAND FLASH), solid-state hard disk (SSD)).
基於相同的技術構思,本發明實施例還提供一種電腦程式產品,當其在電腦上運行時,使得電腦執行上述實施例所公開的非法交易檢測方法。 Based on the same technical idea, an embodiment of the present invention further provides a computer program product, which when run on a computer, causes the computer to execute the method for detecting illegal transactions disclosed in the above embodiments.
儘管已描述了本發明的優選實施例,但本領域內的技術人員一旦得知了基本創造性概念,則可對這些實施例作出另外的變更和修改。所以,所附請求項意欲解釋為包括優選實施例以及落入本發明專利範圍的所有變更和修改。 Although the preferred embodiments of the present invention have been described, those skilled in the art can make other changes and modifications to these embodiments once they know the basic inventive concepts. Therefore, the appended claims are intended to be construed to include the preferred embodiments and all changes and modifications that fall within the scope of the patent for the present invention.
顯然,本領域的技術人員可以對本發明進行各種改動和變型而不脫離本發明的精神和範圍。這樣,倘若本發明的這些修改和變型屬於本發明專利範圍及其等同技術的範圍之內,則本發明也意圖包括這些改動和變型在內。 Obviously, those skilled in the art can make various modifications and variations to the present invention without departing from the spirit and scope of the present invention. In this way, if these modifications and variations of the present invention fall within the scope of the present invention patent and its equivalent technology, the present invention also intends to include these modifications and variations.
Claims (15)
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610918010.2A CN106548343B (en) | 2016-10-21 | 2016-10-21 | Illegal transaction detection method and device |
| ??201610918010.2 | 2016-10-21 | ||
| CN201610918010.2 | 2016-10-21 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201816678A true TW201816678A (en) | 2018-05-01 |
| TWI684151B TWI684151B (en) | 2020-02-01 |
Family
ID=58392127
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW106136078A TWI684151B (en) | 2016-10-21 | 2017-10-20 | Method and device for detecting illegal transaction |
Country Status (3)
| Country | Link |
|---|---|
| CN (1) | CN106548343B (en) |
| TW (1) | TWI684151B (en) |
| WO (1) | WO2018072580A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115456788A (en) * | 2022-11-07 | 2022-12-09 | 支付宝(杭州)信息技术有限公司 | Method, device and equipment for detecting risk group |
Families Citing this family (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106548343B (en) * | 2016-10-21 | 2020-11-10 | 中国银联股份有限公司 | Illegal transaction detection method and device |
| CN107679862B (en) * | 2017-09-08 | 2021-08-27 | 中国银联股份有限公司 | Method and device for determining characteristic value of fraud transaction model |
| CN110309840B (en) | 2018-03-27 | 2023-08-11 | 创新先进技术有限公司 | Risk transaction identification method, risk transaction identification device, server and storage medium |
| CN108876105B (en) * | 2018-05-10 | 2022-02-15 | 易联支付有限公司 | Transaction risk control method and device |
| CN108682088A (en) * | 2018-05-14 | 2018-10-19 | 平安科技(深圳)有限公司 | Based on the cross-border determination method and device merchandised extremely of ATM |
| CN111224830A (en) * | 2018-11-23 | 2020-06-02 | 中国电信股份有限公司 | Data monitoring method and device, Internet of things network element and computer readable storage medium |
| CN109685527B (en) * | 2018-12-14 | 2024-03-29 | 拉扎斯网络科技(上海)有限公司 | Method, device, system and computer storage medium for detecting merchant false transaction |
| CN109858633B (en) * | 2019-02-22 | 2021-02-02 | 中国工商银行股份有限公司 | Characteristic information identification method and system |
| CN110096868A (en) * | 2019-04-28 | 2019-08-06 | 深圳前海微众银行股份有限公司 | Auditing method, device, equipment and the computer readable storage medium of operation code |
| CN112116357B (en) * | 2020-09-29 | 2023-08-11 | 中国银行股份有限公司 | Method and device for realizing cashing detection and computer equipment |
| CN113347021B (en) * | 2021-04-29 | 2023-06-27 | 北京奇艺世纪科技有限公司 | Model generation method, collision library detection method, device, electronic equipment and computer readable storage medium |
| CN114640546B (en) * | 2022-05-10 | 2022-10-11 | 北京微步在线科技有限公司 | Login behavior detection method and device, storage device and electronic device |
Family Cites Families (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103678346A (en) * | 2012-09-07 | 2014-03-26 | 阿里巴巴集团控股有限公司 | Man-machine recognition method and system |
| US20140180974A1 (en) * | 2012-12-21 | 2014-06-26 | Fair Isaac Corporation | Transaction Risk Detection |
| CN104679777B (en) * | 2013-12-02 | 2018-05-18 | 中国银联股份有限公司 | A kind of method and system for being used to detect fraudulent trading |
| US20160203490A1 (en) * | 2013-12-10 | 2016-07-14 | Sas Institute Inc. | Systems and Methods for Travel-Related Anomaly Detection |
| CN103793484B (en) * | 2014-01-17 | 2017-03-15 | 五八同城信息技术有限公司 | The fraud identifying system based on machine learning in classification information website |
| US10896421B2 (en) * | 2014-04-02 | 2021-01-19 | Brighterion, Inc. | Smart retail analytics and commercial messaging |
| CN105095238B (en) * | 2014-05-04 | 2019-01-18 | 中国银联股份有限公司 | For detecting the decision tree generation method of fraudulent trading |
| CN104023109B (en) * | 2014-06-27 | 2015-09-30 | 努比亚技术有限公司 | Income prompting method and device and sorting technique and device |
| CN105279691A (en) * | 2014-07-25 | 2016-01-27 | 中国银联股份有限公司 | Financial transaction detection method and equipment based on random forest model |
| CN105590055B (en) * | 2014-10-23 | 2020-10-20 | 创新先进技术有限公司 | Method and device for identifying user credible behaviors in network interaction system |
| CN105631747A (en) * | 2014-11-05 | 2016-06-01 | 阿里巴巴集团控股有限公司 | Risk event determining method and apparatus |
| CN105654277A (en) * | 2014-12-08 | 2016-06-08 | 阿里巴巴集团控股有限公司 | Transaction operation identification method and server |
| CN104778591B (en) * | 2015-04-01 | 2018-05-22 | 北京三快在线科技有限公司 | A kind of extraction, recognition methods and the device of the characteristic information of abnormal behaviour |
| CN105930430B (en) * | 2016-04-19 | 2020-01-07 | 北京邮电大学 | Real-time fraud detection method and device based on non-accumulative attribute |
| CN106548343B (en) * | 2016-10-21 | 2020-11-10 | 中国银联股份有限公司 | Illegal transaction detection method and device |
-
2016
- 2016-10-21 CN CN201610918010.2A patent/CN106548343B/en active Active
-
2017
- 2017-09-19 WO PCT/CN2017/102194 patent/WO2018072580A1/en active Application Filing
- 2017-10-20 TW TW106136078A patent/TWI684151B/en active
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115456788A (en) * | 2022-11-07 | 2022-12-09 | 支付宝(杭州)信息技术有限公司 | Method, device and equipment for detecting risk group |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106548343A (en) | 2017-03-29 |
| WO2018072580A1 (en) | 2018-04-26 |
| CN106548343B (en) | 2020-11-10 |
| TWI684151B (en) | 2020-02-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| TWI684151B (en) | Method and device for detecting illegal transaction | |
| US11507645B1 (en) | Behavioral profiling method and system to authenticate a user | |
| WO2020199621A1 (en) | Knowledge graph-based fraud detection | |
| KR102151862B1 (en) | Service processing method and device | |
| CN105590055B (en) | Method and device for identifying user credible behaviors in network interaction system | |
| JP6732806B2 (en) | Account theft risk identification method, identification device, and prevention/control system | |
| CN107563757B (en) | Data risk identification method and device | |
| CN104836781B (en) | Distinguish the method and device for accessing user identity | |
| TWI734466B (en) | Risk assessment method and device for leakage of privacy data | |
| CN107566358A (en) | A kind of Risk-warning reminding method, device, medium and equipment | |
| CN110442712B (en) | Risk determination method, risk determination device, server and text examination system | |
| CN105072214B (en) | C&C domain name recognition methods based on domain name feature | |
| CN108920947A (en) | A kind of method for detecting abnormality and device based on the modeling of log figure | |
| CN106682906A (en) | Risk identification and business processing method and device | |
| CN111107096A (en) | Web site safety protection method and device | |
| CN111309822A (en) | User identity identification method and device | |
| CN111754241A (en) | User behavior perception method, device, equipment and medium | |
| TWI701932B (en) | Identity authentication method, server and client equipment | |
| CN108092985A (en) | Network safety situation analysis method, device, equipment and computer storage media | |
| TWI677830B (en) | Method and device for detecting key variables in a model | |
| CN111951008A (en) | Risk prediction method and device, electronic equipment and readable storage medium | |
| NL2020729B1 (en) | Systems and methods for detecting fraudulent transactions | |
| TWI778411B (en) | Learning model application system, learning model application method and program product | |
| US20180315052A1 (en) | System and method for measuring user behavior in electronic transaction based on an immunity system | |
| TWI668657B (en) | Business processing method and device |