WO2022156380A1 - Real-time transaction anomaly detection method and device - Google Patents

Real-time transaction anomaly detection method and device Download PDF

Info

Publication number
WO2022156380A1
WO2022156380A1 PCT/CN2021/134953 CN2021134953W WO2022156380A1 WO 2022156380 A1 WO2022156380 A1 WO 2022156380A1 CN 2021134953 W CN2021134953 W CN 2021134953W WO 2022156380 A1 WO2022156380 A1 WO 2022156380A1
Authority
WO
WIPO (PCT)
Prior art keywords
detection
dimension
transaction information
transaction
node
Prior art date
Application number
PCT/CN2021/134953
Other languages
French (fr)
Chinese (zh)
Inventor
朱龙先
陈林
李光宇
王炟
尹杰
黄子昱
Original Assignee
中国银联股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中国银联股份有限公司 filed Critical 中国银联股份有限公司
Publication of WO2022156380A1 publication Critical patent/WO2022156380A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4016Transaction verification involving fraud or risk level assessment in transaction processing

Definitions

  • the present application relates to the technical field of data processing, and in particular, to a real-time transaction abnormality detection method and device.
  • bank cards as a financial product, have the advantages of easy portability and fast consumption, which makes bank cards popular rapidly, and derives credit cards, debit cards, savings cards, etc. type.
  • bank cards also have some security risks, such as credit card cash out, credit card fraud, savings card fraud, debit card fraud and so on.
  • Credit card cashing means that the cardholder does not withdraw cash through normal legal procedures, but uses other means to withdraw the funds within the credit limit of the card in cash without paying the bank's cash withdrawal fee. Cashing out of credit cards will increase financial risks, and without taking advantage of the stability of the financial order, it will bring great risks to the security of bank funds.
  • Stealing is an illegal act in which criminals use high-tech means to copy other people's savings card, credit card, debit card number and password and other information, and withdraw cash for their own use; it is an illegal act that causes property damage to the other party.
  • embezzle the payment software account use the payment software account to embezzle other people's funds, and cause other people's property damage. In order to avoid the above problems, it is necessary to identify cash-out, stealing and theft of payment software accounts in a timely manner.
  • the existing solutions in the prior art start from the bank card dimension of transaction information, and collect statistics on transaction information including the same bank card number; Statistical results such as location detect abnormal transaction information to identify behaviors such as cash-out and fraud.
  • this method cannot completely and accurately detect abnormal transaction information; for example, if a criminal conducts a small amount of cash out through multiple credit cards, the cash out behavior is not obvious, and abnormal transaction information cannot be easily detected. Therefore, it is difficult to detect abnormal transaction information in the bank card dimension, which is difficult to fully cover the detection of transaction fraud such as cash out and fraudulent fraud.
  • Embodiments of the present invention provide a real-time transaction abnormality detection method and device, which are used to solve the problems in the prior art that the coverage of transaction fraud is low and the accuracy of identifying abnormal transactions is low.
  • an embodiment of the present invention provides a real-time transaction abnormality detection method, which includes:
  • the transaction information includes transaction feature values of multiple dimensions; for any dimension, according to the first distribution rule of the dimension, determine a detection node that processes the transaction information; the detection node includes a detection node for The detection rule of the dimension; the detection result of the transaction information in each dimension is obtained from each detection node; wherein, the detection result of any dimension is the statistical result of the transaction feature value of the detection node based on the dimension, according to the dimension Determine whether the transaction information is abnormal in the dimension; determine whether the transaction information is abnormal according to the detection results of each dimension.
  • transaction information is obtained, the transaction information includes transaction feature values of multiple dimensions, and for any dimension in the multiple dimensions, a detection node that processes the transaction information is determined according to the first distribution rule of the dimension. That is to say, detection is performed for multiple dimensions of transaction information.
  • the detection results of the transaction information in each dimension are acquired from each detection node, and whether the transaction information is abnormal is determined according to the detection results of each dimension. That is to say, whether the transaction information is abnormal is jointly determined according to the detection results of multiple dimensions.
  • the present application can perform transaction abnormality detection through multiple dimensions, improve the coverage of abnormal transaction scenarios, and improve the accuracy of identifying abnormal transactions.
  • the method before acquiring the detection results of the transaction information in each dimension from each detection node, the method further includes: for any dimension, determining the statistics of processing the transaction information in the statistics node according to the second distribution rule of the dimension. unit; the statistical unit conducts statistics according to the statistical rules of the dimension, according to the transaction characteristic value and historical transaction characteristic value of the dimension, and sends the statistical result to the detection node that processes the transaction information; the statistical node includes For statistical units of different dimensions, the statistical units include statistical rules for different statistical objects.
  • the second distribution rule of the dimension determine the statistical unit processing transaction information in the statistical node; that is, the transaction information can be further distributed according to the second distribution rule, so that the statistical node
  • the statistical unit of the transaction information performs statistical processing on the relevant data in the transaction information; in this way, the statistical rules are separated from the detection rules, and the statistical nodes perform statistics and the detection nodes perform detection, which can reduce the processing pressure of the detection nodes and reduce the detection time.
  • the transaction characteristic value and historical transaction characteristic value of the dimension are counted to obtain the historical transaction characteristic and current transaction characteristic of the dimension; it can be determined whether the current transaction characteristic is significantly different from the historical transaction characteristic, or according to the current transaction characteristic value And the statistical results obtained by the historical transaction feature values are abnormal, so that the detection node can judge whether the transaction information is abnormal.
  • the multiple dimensions are set with different dimension priorities; according to the distribution rules of the dimensions, before determining the detection node that processes the transaction information, the method further includes: the dimension priority of the dimension is the first priority. level; determine the detection results of each dimension that has obtained a second priority, the second priority being higher than the first priority.
  • the detection results of the dimension of the first priority are obtained by performing processing such as detection on information such as transaction feature values of the dimension of the first priority.
  • the priority of each dimension can be set to achieve serial detection of information such as transaction feature values of each dimension.
  • the method further includes: opening a synchronization lock for the transaction information in the detection node; after sending the statistical results to the detection node processing the transaction information, further comprising: The method includes: closing the synchronization lock for the transaction information in the detection node.
  • determining the detection node that processes the transaction information according to the first distribution rule of the dimension includes: determining, according to the first distribution rule of the dimension, to process the transaction information according to the transaction feature value of the dimension.
  • the detection node includes multiple detection packets. That is to say, multiple detection groups in the detection node can be detected in parallel, increasing the detection speed of the detection node; and, each detection group contains a plurality of different detection rule groups, which are determined according to the transaction items included in the transaction information.
  • the set of detection rules for transactions That is to say, the detection group can contain multiple different detection rules, and each detection rule corresponds to the detection of each transaction item; according to the transaction items included in the transaction information, a plurality of detection rules corresponding to each transaction information can be determined , that is, the detection rule group formed for each transaction information. In this way, flexible detection can be performed for each transaction information, thereby increasing the accuracy of the detection result.
  • each detection rule in the same detection rule group is executed serially; each detection rule in different detection rule groups is executed in parallel.
  • each detection rule in the same detection rule group is executed serially. In this way, when the detection result of one detection rule depends on the previous detection rule, all the required detection results can be obtained through serialization.
  • the method further includes: sending the transaction information to the message middleware through the detection node; sending the transaction information to the message middleware through the message middleware. the statistics node.
  • the transaction information is transmitted through the message middleware to ensure that the transaction information can be accurately sent to the corresponding statistical node.
  • the method before determining the detection node that processes the transaction information according to the first distribution rule of the dimension, the method further includes: determining that the dimension is the dimension set in the abnormality detection.
  • the transaction information can be filtered before the distribution according to the first distribution rule of the dimension.
  • the two detection nodes are a detection group, and the two detection nodes in the detection group detect the update time of the detection results from each other, and further includes: determining the detection by a detection node in the detection group If the update time of another detection node in the group is higher than the set time threshold, the first distribution rule is adjusted so that one detection node in the detection group receives the update time of another detection node in the detection group.
  • the transaction information to be detected, the detection rules in the two detection nodes are the same.
  • the detection nodes can mutually detect the update time of the detection results. If the update time is abnormal and exceeds the preset time threshold for update of the detection node, it can be considered that the detection node is faulty.
  • the detection node that detects normally in the detection group takes over the detection task of the fault detection node. Ensure the stability of transaction anomaly detection.
  • an embodiment of the present invention provides a real-time transaction abnormality detection device, the device comprising:
  • an acquisition module for acquiring transaction information, where the transaction information includes transaction feature values of multiple dimensions
  • a distribution module configured to determine a detection node for processing the transaction information according to the first distribution rule of the dimension for any dimension; the detection node includes a detection rule for the dimension;
  • the acquiring module is further configured to acquire, from each detection node, the detection result of the transaction information in each dimension; wherein, the detection result of any dimension is the statistical result of the transaction characteristic value of the detection node based on the dimension, according to the The detection rule of the dimension determines whether the transaction information is abnormal in the dimension;
  • a processing module configured to determine whether the transaction information is abnormal according to the detection results of the various dimensions.
  • an embodiment of the present application further provides a computing device, including: a memory for storing a program; a processor for calling a program stored in the memory, and executing various aspects of the first aspect according to the obtained program methods described in possible designs.
  • embodiments of the present application further provide a computer-readable non-volatile storage medium, including a computer-readable program, when the computer reads and executes the computer-readable program, the computer executes the first aspect.
  • FIG. 1 is a schematic structural diagram of a real-time transaction abnormality detection provided by an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of a real-time transaction abnormality detection provided by an embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of a real-time transaction abnormality detection provided by an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a real-time transaction abnormality detection provided by an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a real-time transaction abnormality detection provided by an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of a real-time transaction abnormality detection apparatus provided by an embodiment of the present invention.
  • the distribution server 101 After acquiring transaction information, the distribution server 101, according to transaction feature values of multiple dimensions of the transaction information, for any dimension, according to the dimension According to the first distribution rule, the transaction information is sent to the corresponding detection node in the detection node cluster 102, so that the detection node detects the transaction information according to the detection rule of the dimension, and obtains the detection result.
  • the method for obtaining the detection results of each dimension of the transaction information may be as follows: by performing statistics of information such as transaction feature values of the corresponding dimensions in different detection nodes in the detection node cluster 102 respectively, to obtain the detection results according to the obtained statistical results; Afterwards, one or more detection nodes in the node cluster 102 are detected, the detection results of the transaction information in each dimension are obtained from the different detection nodes, and whether the transaction information is abnormal is determined according to the detection results of the various dimensions.
  • a determination server 103 may be additionally provided, so that the determination server 103 obtains the detection results of the transaction information in each dimension from the different detection nodes, and determines whether the transaction information is abnormal according to the detection results of the various dimensions.
  • the processing pressure of the detection node can be shared, and the benign operation of the system for detecting abnormal transactions can be ensured.
  • multiple detection nodes simultaneously obtain the detection results of the transaction information in each dimension from the different detection nodes, and determine whether the transaction information is abnormal according to the detection results of the various dimensions, one of the detection nodes determines the transaction. If the information is an abnormal transaction or a normal transaction, the remaining multiple detection nodes can stop the judgment processing. In this way, the transaction detection speed can be accelerated.
  • the distribution server 101 may be a distribution server in a distribution server cluster
  • the determination servers 103 may be respectively a determination server in a determination server cluster.
  • the embodiment of the present application provides a process of a real-time transaction abnormality detection method, as shown in FIG. 2 , including:
  • Step 201 Obtain transaction information, where the transaction information includes transaction feature values of multiple dimensions;
  • the multiple dimensions may include: bank card, merchant, IP and other dimensions; transaction feature values of multiple dimensions: for example, the transaction feature value of the bank card dimension is the bank card number in the transaction information, and the transaction feature of the merchant dimension The value is the merchant number in the transaction information, the transaction feature value of the IP dimension is the IP address in the transaction information, and so on.
  • Step 202 for any dimension, according to the first distribution rule of the dimension, determine the detection node that processes the transaction information; In the detection node, the detection rule for the dimension is included;
  • the first distribution rule may be to distribute according to the transaction characteristic value; for example, the detection node of the transaction information is determined according to the remainder of the last digit of the bank card number of the transaction information; The remainder of the last digit of the merchant number determines the detection node of the transaction information, and the like. For example, the bank card number: 123456789, determine the remainder of the last one: 9/10, the remainder is 9, then distribute the transaction information to the detection node corresponding to the remainder 9 of the last one of the bank card number.
  • the detection rules contained in the detection node for example, to obtain the transaction average amount of the transaction information, the detection result of the transaction information in this dimension can be determined according to the transaction average amount and the threshold of the transaction average amount. For example, if the average transaction amount is greater than the threshold of the transaction average amount, it is determined that the transaction information is an abnormal transaction in this dimension.
  • Step 203 Obtain the detection results of the transaction information in each dimension from each detection node; wherein, the detection result of any dimension is the statistical result of the transaction feature value of the detection node based on the dimension, and is determined according to the detection rule of the dimension Whether the transaction information is abnormal in the dimension;
  • the statistical result of the transaction characteristic value (which can be a credit card number) based on the bank card dimension is: the average transaction amount between the current transaction and the last 9 historical transactions is 100,000 yuan, and the transaction of the credit card number is 100,000 yuan.
  • the threshold of the average amount is 100 yuan (for example, it can be the threshold value of the average transaction amount determined according to all transaction information of the credit card number in the previous month, the first two months and other historical time periods); determined according to the detection rules of this dimension Whether the transaction information is abnormal in this dimension is: the average transaction amount of 100,000 yuan is greater than the threshold of 100 yuan for the average transaction amount, and the transaction information is an abnormal transaction in the bank card dimension.
  • Step 204 Determine whether the transaction information is abnormal according to the detection results of the various dimensions.
  • the transaction information in the bank card dimension, the merchant dimension, and the IP dimension are all abnormal, it is determined that the transaction information is abnormal.
  • transaction information is obtained, the transaction information includes transaction feature values of multiple dimensions, and for any dimension in the multiple dimensions, a detection node that processes the transaction information is determined according to the first distribution rule of the dimension. That is to say, detection is performed for multiple dimensions of transaction information. Obtain the detection results of the transaction information in each dimension from each detection node, and determine whether the transaction information is abnormal according to the detection results of each dimension. That is to say, whether the transaction information is abnormal is jointly determined according to the detection results of multiple dimensions.
  • the present application can perform transaction abnormality detection through multiple dimensions, improve the coverage of abnormal transaction scenarios, and improve the accuracy of identifying abnormal transactions.
  • FIG. 3 is a system architecture of real-time transaction abnormality detection provided by an embodiment of the present invention
  • the system architecture of the real-time transaction abnormality detection in FIG. 3 is:
  • Related programs such as statistical rules in the detection node are separated into the statistical node cluster 305 , so as to reduce the processing pressure of the detection node cluster 302 .
  • the distribution server 301 after acquiring the transaction information, the distribution server 301, according to the transaction feature values of multiple dimensions of the transaction information, for any dimension, according to the first distribution rule of the dimension, sends the transaction information to the detection The corresponding detection node in the node cluster 302, so that the detection node sends the transaction information to the corresponding statistical node in the statistical node cluster 305 through the message middleware 304, and determines according to the second distribution rule of the dimension.
  • the statistical rule of the dimension of the statistical unit is: obtain each historical transaction information corresponding to the historical transaction characteristic value according to the transaction characteristic value of the transaction information, and determine the average transaction amount according to the transaction information and the historical transaction information.
  • the obtained statistical result transaction average amount is sent back to the detection node in the detection node cluster 302 through the message middleware 304 .
  • whether the transaction information is abnormal is determined by the determination server 303 or any one or more detection nodes according to the detection results of each dimension.
  • the statistical nodes may be in one-to-one correspondence with the detection nodes, or the statistical nodes may not be in one-to-one correspondence with the detection nodes, and each statistical node may include the same statistical unit, and the statistics of the transaction information of each statistical node in the statistical node cluster 305 The tasks are evenly distributed.
  • the embodiment of the present application provides a real-time transaction abnormality detection method.
  • the method further includes: for any dimension, according to the second distribution rule of the dimension, Determine the statistical unit that processes the transaction information in the statistical node; the statistical unit performs statistics according to the statistical rules of the dimension, according to the transaction characteristic value and historical transaction characteristic value of the dimension, and sends the statistical result to the processing of the transaction.
  • the second distribution rule can be based on the remainder of the third last digit of the merchant number 1234, which can be 3/10.
  • the remainder is 3, and the statistics for processing the transaction information are determined. unit.
  • the statistical unit obtains the historical transaction information of the merchant number 1234 in the historical transaction information according to the statistical rules of the merchant dimension, and determines the statistical result - the average transaction amount according to the transaction amount of the current transaction information and the transaction amount of each historical transaction information. Send the transaction average back to the detection node that processes the transaction information.
  • the statistical objects may be the average transaction amount, the frequency of swiping cards, and the like.
  • the embodiment of the present application provides a real-time transaction abnormality detection method, wherein the multiple dimensions are set with different dimension priorities; before determining the detection node processing the transaction information according to the distribution rules of the dimensions, the method further includes: The dimension priority of the dimension is the first priority; the detection result of each dimension that has obtained the second priority is determined, and the second priority is higher than the first priority.
  • the detection of each dimension can be performed serially by setting the priority of each dimension. In this way, when the detection result of a certain dimension needs to depend on the detection result of another dimension, the detection of the corresponding dimension can be performed serially by this method, thereby increasing the accuracy of the result detection.
  • the embodiment of the present application provides a real-time transaction abnormality detection method. After determining the detection node that processes the transaction information, the method further includes: opening a synchronization lock for the transaction information in the detection node; sending the statistical result to After processing the detection node of the transaction information, the method further includes: closing the synchronization lock for the transaction information in the detection node. For example, based on the system architecture in FIG. 3, when the detection node receives the transaction information, a synchronization lock for the transaction information is opened in the detection node; when the statistical node returns the statistical result of the transaction information to the detection node , the detection node closes the synchronization lock for the transaction information.
  • the synchronization lock for the transaction information is opened in the detection group corresponding to the transaction information of the detection node.
  • the detection group closes the synchronization. Lock.
  • the synchronization lock can be used for: when the detection of each dimension is performed serially, when the detection of the second dimension is performed, that is, the detection result of the first dimension is obtained. Then, the detection group opens the synchronization lock, and closes the synchronization lock after waiting to obtain the statistical results of the second dimension; in this way, it is ensured that the statistical results of a transaction information are obtained completely, so as to perform detection according to the statistical results and obtain the detection results. In this way, it is prevented that the detection dimension of the transaction information in the detection node does not obtain the statistical result of the transaction information, resulting in incomplete statistical information of the transaction information of the corresponding dimension in the detection node, thereby making the detection result inaccurate.
  • determining a detection node that processes the transaction information includes: according to the first distribution rule of the dimension, through the The transaction characteristic value of the dimension determines the detection node that processes the transaction information and determines the detection group that processes the transaction information in the detection node; through each transaction item in the transaction information, the detection rule is determined from the detection group group; the detection rule group is composed of at least one detection rule in the detection group.
  • the detection node may include multiple detection groups, and the multiple detection groups may have the same detection logic.
  • the detection group may contain multiple detection rules, and the multiple detection rules may contain the same detection rule.
  • Each detection rule group includes multiple different detection rules, and different detection rule groups may contain the same detection rule.
  • the detection node is determined; the detection group is determined according to the remainder of the second last digit of the merchant number 1234; according to each transaction item in the transaction information, such as,
  • the detection rule group is determined by the transaction amount, transaction channel and other information; for example, the detection rule for the average transaction amount is determined according to the transaction amount in the transaction information, and the detection rule for the transaction channel is determined according to the transaction channel in the transaction information.
  • the detection rules of the transaction channel and the detection rules of the transaction channel constitute a detection rule group for the transaction information.
  • the detection rule group is determined according to each transaction item in the transaction information, such as transaction amount, transaction time, etc., for example, according to the transaction information.
  • the transaction amount determines the detection rules for the average transaction amount, determines the detection rules for the transaction time according to the transaction time in the transaction information, etc., which consists of the detection rules for the average transaction amount and the transaction time.
  • a set of detection rules for information In this way, the detection rules in the detection rule group of the two transaction information with the merchant number 1234 and the merchant number 2234 may include the same detection rule for the average transaction amount.
  • the detection rule group of each dimension contains multiple detection rules, which may be the same or different, and may be set as required, which is not specifically limited.
  • the embodiment of the present application provides a real-time transaction abnormality detection method, in which each detection rule in the same detection rule group is executed serially; and each detection rule in different detection rule groups is executed in parallel.
  • the detection rule group includes multiple different detection rules, and for multiple different detection results of transaction information, the multiple different detection rules included in the detection rule group in the detection node can be serialized Get test results.
  • the embodiment of the present application provides a real-time transaction abnormality detection method.
  • the method further includes: determining that the dimension is the dimension set in the abnormality detection. . That is to say, before detecting transaction information, it can be determined which dimensions of the transaction information need to be detected, and those dimensions do not need to be detected; or, those transaction information are detected, and those transaction information do not need to be detected; this dimension will not need to be detected.
  • the detected transaction information is deleted or the transaction information that does not need to be detected is deleted. In this way, through detection and filtering, targeted detection of transaction information can be realized, which not only reduces the workload of detection and/or statistics, but also improves the accuracy of detection results.
  • the embodiment of the present application provides a real-time transaction abnormality detection method, two detection nodes are a detection group, and the two detection nodes in the detection group detect the update time of detection results from each other, and further includes: in the detection One detection node in the detection group determines that the update time of another detection node in the detection group is higher than the set time threshold, then adjusts the first distribution rule so that one detection node in the detection group receives The transaction information to be detected of another detection node in the detection group, and the detection rules in the two detection nodes are the same. That is to say, two or two nodes in the detection node cluster can detect each other at a certain frequency.
  • the detection node of the other party If it is found that the detection result in the detection node of the other party has not been updated within the set time threshold, the detection node of the other party is faulty, and by adjusting the first detection node The distribution rule (the second distribution rule can be correspondingly adjusted as needed), so that the detection task in the detection node of the opposite party is taken over.
  • the detection nodes in the detection group may be two or more detection nodes to detect each other, which is not specifically limited.
  • an embodiment of the present application provides a flow of a real-time transaction abnormality detection method with transaction information dimension serialization, as shown in FIG. 4 , including:
  • Step 401 Obtain transaction information, where the transaction information includes transaction feature values of multiple dimensions.
  • the multiple transaction characteristic values here can be bank card numbers, merchant numbers, IP addresses, and the like.
  • Step 402 Determine the dimension of the second priority according to the first distribution rule.
  • the dimension of the second priority is the dimension in which detection is performed first.
  • the dimension in which the second priority is detected is the bank card dimension.
  • Step 403 Determine the transaction feature value of the dimension in the transaction information according to the first distribution rule.
  • the transaction characteristic value is the bank card number.
  • Step 404 Determine the detection node corresponding to the transaction characteristic value according to the first distribution rule. In the previous example, it is determined that the transaction information corresponds to detection node 1 according to the remainder of the last digit of the bank card number.
  • Step 405 Send the transaction information to the corresponding detection node.
  • the corresponding detection node is detection node 1 .
  • Step 406 Determine the detection group corresponding to the transaction feature value according to the first distribution rule. In the previous example, it is determined that the transaction information corresponds to detection group 1 in detection node 1 according to the remainder of the penultimate digit of the bank card number.
  • Step 407 Determine a detection rule group for processing the transaction information according to the transaction item of the transaction information.
  • a corresponding detection rule is determined according to the transaction amount, transaction channel, transaction time and other information in the transaction information, and a detection rule group is formed according to the corresponding detection rule.
  • Step 408 The detection node sets a synchronization lock for the transaction information. It should be noted here that, if the first implementation of this solution is the detection of the bank card dimension, since the historical transaction information, detection results and statistical results of a bank card are stored locally, there is no need to set a synchronization lock.
  • Step 409 Send the transaction information to the statistics unit of the corresponding statistics node, and perform statistics respectively according to the statistics rules of different statistics objects of the transaction information of the dimension in the statistics unit to obtain the statistics results.
  • the historical transaction information of the last 9 historical transactions with the same bank card number as the transaction information is obtained through the statistical rules of the statistical object-transaction average amount, according to the transaction information and the nine historical transactions The transaction information determines the average transaction amount) to determine the statistical result - the average transaction amount is 1,000 yuan.
  • Step 410 Return the statistical result to the corresponding detection node.
  • the statistical result is returned to detection node 1 .
  • Step 411 After acquiring the statistical result, the detection node closes the synchronization lock for the transaction information. It should be noted here that, in an embodiment, if the synchronization lock is not set in the detection of the bank card dimension, this step does not need to be performed.
  • Step 412 the detection node determines the detection result according to the detection rule group of the dimension transaction information and the statistical result.
  • the average transaction amount is 1,000 yuan greater than the preset average transaction amount of 100 yuan, and the detection result of the transaction information in this dimension is abnormal.
  • the transaction information and the detection result are saved, and the transaction information and the detection result are sent to the message middleware.
  • Step 413 Determine that the transaction information is a dimension with a second priority (the second priority is higher than the first priority, that is, among the remaining undetected dimensions, determine the dimension with the highest priority).
  • the aforementioned bank card dimension is the second priority dimension
  • the merchant dimension is the first priority dimension.
  • the second priority dimension of the transaction information is determined again (it may be the merchant dimension), in the possible process described in step 412, it may also be the transaction feature value corresponding to the dimension.
  • the detection node obtains the transaction information from the message middleware, and performs the flow from step 406 to step 413 .
  • Step 403 Determine the transaction feature value of the dimension in the transaction information according to the first distribution rule.
  • the transaction characteristic value is the merchant number.
  • Step 404 Determine the detection node corresponding to the transaction characteristic value according to the first distribution rule.
  • the transaction information corresponds to detection node 2 according to the remainder of the last digit of the merchant number.
  • it can also be the detection node 1 corresponding to the transaction information in the previous dimension.
  • the detection node of the detection processing is not specifically limited.
  • Step 405 Send the transaction information to the corresponding detection node.
  • the corresponding detection node is detection node 2 .
  • Step 406 Determine the detection group corresponding to the transaction feature value according to the first distribution rule. In the previous example, it is determined that the transaction information corresponds to detection group 2 in detection node 2 according to the remainder of the penultimate digit of the merchant number.
  • Step 407 Determine a detection rule group for processing the transaction information according to the transaction item of the transaction information.
  • a corresponding detection rule is determined according to the transaction amount, transaction channel, transaction time, transaction location and other information in the transaction information, and a detection rule group is formed according to the corresponding detection rule.
  • Step 408 The detection node sets a synchronization lock for the transaction information.
  • Step 409 Send the transaction information to the statistics unit of the corresponding statistics node, and perform statistics respectively according to the statistics rules of different statistics objects of the transaction information of the dimension in the statistics unit to obtain the statistics results.
  • statistics are determined by the statistical rules of the statistical object-total transaction amount (eg, obtaining historical transaction information of the historical transaction with the same merchant number as the transaction information, and determining the total transaction amount according to the transaction information and the historical transaction information) Result - The total transaction amount is 1 million yuan.
  • Step 410 Return the statistical result to the corresponding detection node. In the above example, return the statistical result to the detection node 2 .
  • Step 411 After acquiring the statistical result, the detection node closes the synchronization lock for the transaction information.
  • Step 412 The detection node determines the detection result according to the detection rule group of the dimension and the statistical result. In the above example, if the total transaction amount is 1 million yuan greater than the preset transaction amount of 900,000 yuan, the detection result of the transaction information in this dimension is abnormal.
  • Step 413 If the detection node determines that the transaction information needs to be detected for the dimension of the next priority (the second priority in the remaining dimensions), then continue to perform steps 403 to 412 in a loop to obtain the statistical results of the dimension.
  • Step 414 Acquire detection results of each dimension of the transaction information, and determine whether the transaction information is abnormal according to the detection results of each dimension of the transaction information.
  • the detection result of the bank card dimension in the transaction information is transaction abnormality and the detection result of the merchant dimension in the transaction information is transaction abnormality, the transaction information is abnormal, for example, the transaction is likely to be the bank card user Cooperate with the merchant to illegally cash out.
  • step 408 may be executed before and after any of steps 406-407.
  • Steps 406 and 407 may be performed before step 405 .
  • an embodiment of the present application provides a flow of a real-time transaction abnormality detection method with parallel transaction information dimensions, as shown in FIG. 5 , including:
  • Step 501 Obtain transaction information, where the transaction information includes transaction feature values of multiple dimensions.
  • the multiple transaction characteristic values here may be a bank card number, a merchant number, an IP address, and the like.
  • Step 502 Determine transaction characteristic values of each dimension of the transaction information according to the first distribution rule.
  • the transaction feature values of each dimension include: a bank card dimension and a merchant dimension.
  • Step 503 Determine the detection nodes corresponding to the transaction feature values of each dimension in the transaction information according to the first distribution rule.
  • the transaction information is determined to correspond to detection node 1 according to the remainder of the last one of the bank card number
  • the detection node 2 is determined to be corresponding to the transaction information according to the remainder of the last one of the merchant number.
  • Detection nodes corresponding to multiple dimensions may also be different detection nodes.
  • Step 504 Send the transaction information to the corresponding detection node.
  • the transaction information is sent to detection node 1 and detection node 2, respectively.
  • Step 505 Determine the detection group corresponding to the transaction feature value of each dimension according to the first distribution rule.
  • the transaction information is determined to correspond to detection group 1 in detection node 1 according to the remainder of the penultimate digit of the bank card number, and the transaction information is determined to correspond to detection group 1 in detection node 2 according to the remainder of the penultimate digit of the merchant number.
  • Step 506 Determine a detection rule group for processing the transaction information according to each transaction item of the transaction information.
  • Step 507 The detection node sets a synchronization lock for the transaction information.
  • Step 508 Send the transaction information to the statistics unit of the corresponding statistics node, and perform statistics respectively according to the statistics rules of different statistics objects of the transaction information of the dimension in the statistics unit to obtain the statistics results.
  • the statistical results of the transaction information in the bank card dimension and the merchant dimension are obtained respectively.
  • Step 509 Return the statistical result to the corresponding detection node.
  • the statistical result of the bank card dimension is returned to the detection node 1
  • the statistical result of the merchant dimension is returned to the detection node 2.
  • Step 510 After acquiring the statistical result, the detection node closes the synchronization lock for the transaction information.
  • Step 511 The detection node determines the detection result according to the detection rule group of the dimension transaction information and the statistical result.
  • Step 512 Acquire detection results of each dimension of the transaction information, and determine whether the transaction information is abnormal according to the detection results of each dimension of the transaction information.
  • step 507 can be executed before any step of step 505 and step 506 or after any step.
  • FIG. 6 is a schematic diagram of a real-time transaction abnormality detection device provided by an embodiment of the application, as shown in FIG. 6 , including:
  • an acquisition module 601, configured to acquire transaction information, where the transaction information includes transaction feature values of multiple dimensions;
  • the distribution module 602 is configured to, for any dimension, determine a detection node for processing the transaction information according to the first distribution rule of the dimension; the detection node includes a detection rule for the dimension;
  • the acquisition module 601 is further configured to acquire the detection results of the transaction information in each dimension from each detection node; wherein, the detection result of any dimension is the statistical result of the transaction feature value of the detection node based on the dimension, according to the The detection rule of the dimension determines whether the transaction information is abnormal in the dimension;
  • the processing module 603 is configured to determine whether the transaction information is abnormal according to the detection results of the various dimensions.
  • the distribution module 602 is further configured to, for any dimension, determine the statistical unit that processes the transaction information in the statistical node according to the second distribution rule of the dimension; Statistical rules, perform statistics according to the transaction characteristic values and historical transaction characteristic values of the dimension, and send the statistical results to the detection node that processes the transaction information; the statistical node includes statistical units for different dimensions, and the statistical units include Statistical rules for different statistical objects.
  • the distribution module 602 is further configured to set different dimension priorities for the multiple dimensions; before determining the detection node that processes the transaction information according to the distribution rules of the dimensions, the method further includes: the The dimension priority of the dimension is the first priority; the detection result of each dimension that has obtained the second priority is determined, and the second priority is higher than the first priority.
  • the processing module 603 is further configured to open a synchronization lock for the transaction information in the detection node; the processing module 603 is further configured to disable the synchronization lock for the transaction information in the detection node synchronization lock.
  • the distribution module 602 is specifically configured to, according to the first distribution rule of the dimension, determine the detection node that processes the transaction information by the transaction characteristic value of the dimension and determine the detection node to process the transaction information.
  • a detection grouping of transaction information; a detection rule group is determined from the detection group by each transaction item in the transaction information; the detection rule group is composed of at least one detection rule in the detection group.
  • each detection rule in the same detection rule group is executed serially; each detection rule in different detection rule groups is executed in parallel.
  • the distribution module 602 is further configured to send the transaction information to the message middleware through the detection node; and send the transaction information to the statistics node through the message middleware.
  • the processing module 603 is further configured to determine that the dimension is the dimension set in the abnormality detection.
  • the processing module 603 is further configured to, when a detection node in the detection group determines that the update time of another detection node in the detection group is higher than a set time threshold, adjust the The first distribution rule enables one detection node in the detection group to receive transaction information to be detected of another detection node in the detection group, and the detection rules in the two detection nodes are the same.
  • the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
  • computer-usable storage media including, but not limited to, disk storage, CD-ROM, optical storage, etc.
  • These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory result in an article of manufacture comprising instruction means, the instructions
  • the apparatus implements the functions specified in the flow or flow of the flowcharts and/or the block or blocks of the block diagrams.

Landscapes

  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Computer Security & Cryptography (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Complex Calculations (AREA)

Abstract

A real-time transaction anomaly detection method and device, the method comprising: acquiring transaction information (201), the transaction information comprising transaction feature values of multiple dimensions; according to a first distribution rule of the dimensions, determining, for any dimension, detection nodes that process the transaction information (202), the detection nodes comprising a detection rule for the dimensions; acquiring, from each detection node, a detection result of the transaction information in each dimension (203), the detection result of any dimension being a statistical result of the detection nodes based on the transaction feature values of the dimensions, and whether the transaction information is abnormal in the dimensions is determined according to the detection rule of the dimensions; and according to the detection result of each dimension, determining whether the transaction information is abnormal (204). In the said method, problems in the existing technology in which transaction fraud coverage is low and the accuracy of identifying abnormal transactions is low may be solved.

Description

一种实时的交易异常检测方法及装置A real-time transaction abnormality detection method and device
相关申请的交叉引用CROSS-REFERENCE TO RELATED APPLICATIONS
本申请要求在2021年01月21日提交中国专利局、申请号为202110080166.9、申请名称为“一种实时的交易异常检测方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of the Chinese patent application filed on January 21, 2021 with the application number of 202110080166.9 and the application title of "a real-time transaction abnormality detection method and device", the entire contents of which are incorporated by reference in in this application.
技术领域technical field
本申请涉及数据处理技术领域,尤其涉及一种实时的交易异常检测方法及装置。The present application relates to the technical field of data processing, and in particular, to a real-time transaction abnormality detection method and device.
背景技术Background technique
随着全球经济的快速发展,人们的消费水平不断提高,银行卡作为一种金融产品,具有便于携带、快捷消费等优点,使得银行卡迅速普及,并衍生出信用卡、借记卡、储蓄卡等种类。然而银行卡也存在一些安全隐患,比如信用卡套现、信用卡盗刷、储蓄卡盗刷、借记卡盗刷等。信用卡套现是指持卡人不是通过正常合法手续提取现金,而通过其他手段将卡中信用额度内的资金以现金的方式套取,同时又不支付银行提现费用的行为。信用卡套现会增加金融风险,不利用金融秩序的稳定,给银行资金安全带来极大风险。盗刷就是不法份子利用高科技手段复制他人的储蓄卡、信用卡、借记卡卡号以及密码等信息,提取现金供自己使用;给对方造成财产损失的一种违法行为。以及,盗用支付软件账号,通过该支付软件账号盗用他人资金,造成他人财产损失。为了避免上述问题,需要及时识别套现、盗刷和盗用支付软件账号等行为。With the rapid development of the global economy and the continuous improvement of people's consumption level, bank cards, as a financial product, have the advantages of easy portability and fast consumption, which makes bank cards popular rapidly, and derives credit cards, debit cards, savings cards, etc. type. However, bank cards also have some security risks, such as credit card cash out, credit card fraud, savings card fraud, debit card fraud and so on. Credit card cashing means that the cardholder does not withdraw cash through normal legal procedures, but uses other means to withdraw the funds within the credit limit of the card in cash without paying the bank's cash withdrawal fee. Cashing out of credit cards will increase financial risks, and without taking advantage of the stability of the financial order, it will bring great risks to the security of bank funds. Stealing is an illegal act in which criminals use high-tech means to copy other people's savings card, credit card, debit card number and password and other information, and withdraw cash for their own use; it is an illegal act that causes property damage to the other party. And, embezzle the payment software account, use the payment software account to embezzle other people's funds, and cause other people's property damage. In order to avoid the above problems, it is necessary to identify cash-out, stealing and theft of payment software accounts in a timely manner.
目前,现有技术中已有的解决方案是从交易信息的银行卡维度着手,通过对包含相同银行卡卡号的交易信息进行统计;如,通过获取同一信用卡的多个交易的平均交易额、交易地点等统计结果检测异常交易信息,以识别套 现和盗刷等行为。但该方式并不能完全准确检测到异常交易信息;如,若不法分子通过多个信用卡分别进行小额度的套现,该套现行为是不明显的,异常交易信息不易被检测出来。因此,在银行卡维度进行异常交易信息检测,很难全面覆盖套现和盗刷等交易欺诈行为的检测。At present, the existing solutions in the prior art start from the bank card dimension of transaction information, and collect statistics on transaction information including the same bank card number; Statistical results such as location detect abnormal transaction information to identify behaviors such as cash-out and fraud. However, this method cannot completely and accurately detect abnormal transaction information; for example, if a criminal conducts a small amount of cash out through multiple credit cards, the cash out behavior is not obvious, and abnormal transaction information cannot be easily detected. Therefore, it is difficult to detect abnormal transaction information in the bank card dimension, which is difficult to fully cover the detection of transaction fraud such as cash out and fraudulent fraud.
综上,目前亟需一种实时的交易异常检测方法及装置,用于解决现有技术中交易欺诈行为覆盖率低,识别异常交易准确率低的问题。To sum up, there is an urgent need for a real-time transaction abnormality detection method and device, which are used to solve the problems in the prior art that the coverage of transaction fraud is low and the accuracy of identifying abnormal transactions is low.
发明内容SUMMARY OF THE INVENTION
本发明实施例提供一种实时的交易异常检测方法及装置,用于解决现有技术中交易欺诈行为覆盖率低,识别异常交易准确率低的问题。Embodiments of the present invention provide a real-time transaction abnormality detection method and device, which are used to solve the problems in the prior art that the coverage of transaction fraud is low and the accuracy of identifying abnormal transactions is low.
第一方面,本发明实施例提供一种实时的交易异常检测方法,该方法包括:In a first aspect, an embodiment of the present invention provides a real-time transaction abnormality detection method, which includes:
获取交易信息,所述交易信息中包含多个维度的交易特征值;针对任一维度,按照所述维度的第一分发规则,确定处理所述交易信息的检测节点;所述检测节点中包含针对所述维度的检测规则;从各检测节点获取所述交易信息在各维度的检测结果;其中,任一维度的检测结果是检测节点基于所述维度的交易特征值的统计结果,按照所述维度的检测规则确定所述交易信息在所述维度是否异常;根据所述各维度的检测结果确定所述交易信息是否异常。Obtain transaction information, the transaction information includes transaction feature values of multiple dimensions; for any dimension, according to the first distribution rule of the dimension, determine a detection node that processes the transaction information; the detection node includes a detection node for The detection rule of the dimension; the detection result of the transaction information in each dimension is obtained from each detection node; wherein, the detection result of any dimension is the statistical result of the transaction feature value of the detection node based on the dimension, according to the dimension Determine whether the transaction information is abnormal in the dimension; determine whether the transaction information is abnormal according to the detection results of each dimension.
上述方法中,获取交易信息,交易信息中包含多个维度的交易特征值,针对多个维度中的任一维度,根据该维度的第一分发规则,确定处理该交易信息的检测节点。也就是说,针对交易信息的多个维度进行检测。从各检测节点获取该交易信息在各维度的检测结果,根据各维度的检测结果确定该交易信息是否异常。也就是说,根据多个维度的检测结果共同确定该交易信息是否异常。相比于现有技术中通过单一维度进行交易异常检测来说,本申请可以通过多维度进行交易异常检测,提高交易异常场景的覆盖率,提高识别异常交易的准确率。In the above method, transaction information is obtained, the transaction information includes transaction feature values of multiple dimensions, and for any dimension in the multiple dimensions, a detection node that processes the transaction information is determined according to the first distribution rule of the dimension. That is to say, detection is performed for multiple dimensions of transaction information. The detection results of the transaction information in each dimension are acquired from each detection node, and whether the transaction information is abnormal is determined according to the detection results of each dimension. That is to say, whether the transaction information is abnormal is jointly determined according to the detection results of multiple dimensions. Compared with the single-dimensional transaction abnormality detection in the prior art, the present application can perform transaction abnormality detection through multiple dimensions, improve the coverage of abnormal transaction scenarios, and improve the accuracy of identifying abnormal transactions.
可选的,从各检测节点获取所述交易信息在各维度的检测结果之前,还包括:针对任一维度,按照所述维度的第二分发规则,确定统计节点中处理所述交易信息的统计单元;所述统计单元按照所述维度的统计规则,根据所述维度的交易特征值与历史交易特征值进行统计,将统计结果发送给处理所述交易信息的检测节点;所述统计节点中包括针对不同维度的统计单元,统计单元中包括针对不同统计对象的统计规则。Optionally, before acquiring the detection results of the transaction information in each dimension from each detection node, the method further includes: for any dimension, determining the statistics of processing the transaction information in the statistics node according to the second distribution rule of the dimension. unit; the statistical unit conducts statistics according to the statistical rules of the dimension, according to the transaction characteristic value and historical transaction characteristic value of the dimension, and sends the statistical result to the detection node that processes the transaction information; the statistical node includes For statistical units of different dimensions, the statistical units include statistical rules for different statistical objects.
上述方法中,针对任一维度,按照该维度的第二分发规则,确定统计节点中处理交易信息的统计单元;也就是说,可以将交易信息根据第二分发规则进一步分发,以使得统计节点中的统计单元对交易信息中的相关数据等进行统计处理;如此,将统计规则从检测规则中分离出来,由统计节点进行统计、检测节点进行检测,可以降低检测节点的处理压力,降低检测时间。其中,对该维度的交易特征值与历史交易特征值进行统计,获取该维度的历史交易特征和当前交易特征;可以确定当前交易特征是否与历史交易特征有较大出入,或者根据当前交易特征值和历史交易特征值获取的统计结果异常等,以使得检测节点可以判断该交易信息是否异常。In the above method, for any dimension, according to the second distribution rule of the dimension, determine the statistical unit processing transaction information in the statistical node; that is, the transaction information can be further distributed according to the second distribution rule, so that the statistical node The statistical unit of the transaction information performs statistical processing on the relevant data in the transaction information; in this way, the statistical rules are separated from the detection rules, and the statistical nodes perform statistics and the detection nodes perform detection, which can reduce the processing pressure of the detection nodes and reduce the detection time. Among them, the transaction characteristic value and historical transaction characteristic value of the dimension are counted to obtain the historical transaction characteristic and current transaction characteristic of the dimension; it can be determined whether the current transaction characteristic is significantly different from the historical transaction characteristic, or according to the current transaction characteristic value And the statistical results obtained by the historical transaction feature values are abnormal, so that the detection node can judge whether the transaction information is abnormal.
可选的,所述多个维度设置有不同的维度优先级;按照所述维度的分发规则,确定处理所述交易信息的检测节点之前,还包括:所述维度的维度优先级为第一优先级;确定已获得第二优先级的各维度的检测结果,所述第二优先级高于所述第一优先级。Optionally, the multiple dimensions are set with different dimension priorities; according to the distribution rules of the dimensions, before determining the detection node that processes the transaction information, the method further includes: the dimension priority of the dimension is the first priority. level; determine the detection results of each dimension that has obtained a second priority, the second priority being higher than the first priority.
上述方法中,通过使得获取第二优先级的各维度的检测结果后,对第一优先级的维度的交易特征值等信息进行检测等处理,获取第一优先级的维度的检测结果。如此,可以通过设置各维度的优先级,以达到对各维度的交易特征值等信息进行串行检测等处理。In the above method, after obtaining the detection results of each dimension of the second priority, the detection results of the dimension of the first priority are obtained by performing processing such as detection on information such as transaction feature values of the dimension of the first priority. In this way, the priority of each dimension can be set to achieve serial detection of information such as transaction feature values of each dimension.
可选的,确定处理所述交易信息的检测节点之后,还包括:在所述检测节点中开启针对所述交易信息的同步锁;将统计结果发送给处理所述交易信息的检测节点之后,还包括:在所述检测节点中关闭针对所述交易信息的同步锁。Optionally, after determining the detection node processing the transaction information, the method further includes: opening a synchronization lock for the transaction information in the detection node; after sending the statistical results to the detection node processing the transaction information, further comprising: The method includes: closing the synchronization lock for the transaction information in the detection node.
上述方法中,通过在检测节点中开启针对该交易信息的同步锁,并在获取该交易信息的统计结果后将该同步锁关闭,以使得检测节点确定交易信息对应的统计规则有得到统计结果,保证每笔交易都得到统计,增加交易异常检测的准确性。可以保证每个检测规则和统计规则中的交易信息的检测和统计为串行执行,防止交易信息的检测和统计混乱导致检测结果和统计结果不准确。In the above method, by opening the synchronization lock for the transaction information in the detection node, and closing the synchronization lock after obtaining the statistical result of the transaction information, so that the detection node determines that the statistical rule corresponding to the transaction information can obtain the statistical result, Ensure that each transaction is counted to increase the accuracy of transaction anomaly detection. It can ensure that the detection and statistics of transaction information in each detection rule and statistical rule are executed serially, preventing the detection and statistics of transaction information from being confusing and causing inaccurate detection and statistics results.
可选的,按照所述维度的第一分发规则,确定处理所述交易信息的检测节点,包括:按照所述维度的第一分发规则,通过所述维度的交易特征值确定处理所述交易信息的检测节点及确定所述检测节点中处理所述交易信息的检测分组;通过所述交易信息中的各交易项,从所述检测分组中确定检测规则组;所述检测规则分组由所述检测分组中的至少一个检测规则组成。Optionally, determining the detection node that processes the transaction information according to the first distribution rule of the dimension includes: determining, according to the first distribution rule of the dimension, to process the transaction information according to the transaction feature value of the dimension. The detection node and the detection group for processing the transaction information in the detection node; through each transaction item in the transaction information, a detection rule group is determined from the detection group; the detection rule group is determined by the detection It consists of at least one detection rule in the group.
上述方法中,检测节点中包含多个检测分组。也就是说,检测节点中的多个检测分组可以并行进行检测,增加检测节点的检测速度;以及,每个检测分组中包含多个不同的检测规则组,根据交易信息中包含的交易项确定该交易的检测规则组。也就是说,检测分组中可以包含多个不同的检测规则,每个检测规则对应每个交易项的检测;根据交易信息中所包含的交易项可以确定针对每个交易信息对应的多个检测规则,也就是针对每个交易信息形成的检测规则组。如此,可以针对每个交易信息进行灵活检测,增加检测结果的精确度。In the above method, the detection node includes multiple detection packets. That is to say, multiple detection groups in the detection node can be detected in parallel, increasing the detection speed of the detection node; and, each detection group contains a plurality of different detection rule groups, which are determined according to the transaction items included in the transaction information. The set of detection rules for transactions. That is to say, the detection group can contain multiple different detection rules, and each detection rule corresponds to the detection of each transaction item; according to the transaction items included in the transaction information, a plurality of detection rules corresponding to each transaction information can be determined , that is, the detection rule group formed for each transaction information. In this way, flexible detection can be performed for each transaction information, thereby increasing the accuracy of the detection result.
可选的,同一检测规则组中的各检测规则串行执行;不同检测规则组中的各检测规则并行执行。Optionally, each detection rule in the same detection rule group is executed serially; each detection rule in different detection rule groups is executed in parallel.
上述方法中,同一检测规则组中的各检测规则串行执行。如此,当一个检测规则的检测结果依赖于上一个检测规则时,通过串行可以实现获取所需要的所有检测结果。In the above method, each detection rule in the same detection rule group is executed serially. In this way, when the detection result of one detection rule depends on the previous detection rule, all the required detection results can be obtained through serialization.
可选的,确定统计节点中处理所述交易信息的统计单元之前,还包括:通过所述检测节点将所述交易信息发送至消息中间件;通过所述消息中间件将所述交易信息发送至所述统计节点。Optionally, before determining the statistical unit processing the transaction information in the statistical node, the method further includes: sending the transaction information to the message middleware through the detection node; sending the transaction information to the message middleware through the message middleware. the statistics node.
上述方法中,通过消息中间件传输交易信息,保证交易信息可以准确发送至对应的统计节点。In the above method, the transaction information is transmitted through the message middleware to ensure that the transaction information can be accurately sent to the corresponding statistical node.
可选的,按照所述维度的第一分发规则,确定处理所述交易信息的检测节点之前,还包括:确定所述维度为异常检测中设置的维度。Optionally, before determining the detection node that processes the transaction information according to the first distribution rule of the dimension, the method further includes: determining that the dimension is the dimension set in the abnormality detection.
上述方法中,在按照维度的第一分发规则进行分发之间,可以对交易信息进行过滤,若该交易信息无需进行某维度的检测,则无需将对应该维度的该交易信息分发并检测,增加维度检测的针对性。In the above method, the transaction information can be filtered before the distribution according to the first distribution rule of the dimension. The pertinence of dimension detection.
可选的,两个检测节点为一个探测组,所述探测组内的所述两个检测节点互相探测检测结果的更新时间,还包括:在所述探测组内的一个检测节点确定所述探测组内的另一个检测节点的所述更新时间高于设定时间阈值,则调整所述第一分发规则,使得所述探测组内的一个检测节点接收所述探测组内的另一个检测节点的待检测的交易信息,所述两个检测节点中的所述检测规则相同。Optionally, the two detection nodes are a detection group, and the two detection nodes in the detection group detect the update time of the detection results from each other, and further includes: determining the detection by a detection node in the detection group If the update time of another detection node in the group is higher than the set time threshold, the first distribution rule is adjusted so that one detection node in the detection group receives the update time of another detection node in the detection group. The transaction information to be detected, the detection rules in the two detection nodes are the same.
上述方法中,可以使得检测节点之间互相探测检测结果的更新时间,若更新时间异常,超出该检测节点更新的预设时间阈值,则可以认为该检测节点发生故障。由该探测组中正常检测的检测节点接管该故障检测节点的检测任务。保证交易异常检测的稳定性。In the above method, the detection nodes can mutually detect the update time of the detection results. If the update time is abnormal and exceeds the preset time threshold for update of the detection node, it can be considered that the detection node is faulty. The detection node that detects normally in the detection group takes over the detection task of the fault detection node. Ensure the stability of transaction anomaly detection.
第二方面,本发明实施例提供一种实时的交易异常检测装置,该装置包括:In a second aspect, an embodiment of the present invention provides a real-time transaction abnormality detection device, the device comprising:
获取模块,用于获取交易信息,所述交易信息中包含多个维度的交易特征值;an acquisition module for acquiring transaction information, where the transaction information includes transaction feature values of multiple dimensions;
分发模块,用于针对任一维度,按照所述维度的第一分发规则,确定处理所述交易信息的检测节点;所述检测节点中包含针对所述维度的检测规则;a distribution module, configured to determine a detection node for processing the transaction information according to the first distribution rule of the dimension for any dimension; the detection node includes a detection rule for the dimension;
所述获取模块还用于,从各检测节点获取所述交易信息在各维度的检测结果;其中,任一维度的检测结果是检测节点基于所述维度的交易特征值的统计结果,按照所述维度的检测规则确定所述交易信息在所述维度是否异常;The acquiring module is further configured to acquire, from each detection node, the detection result of the transaction information in each dimension; wherein, the detection result of any dimension is the statistical result of the transaction characteristic value of the detection node based on the dimension, according to the The detection rule of the dimension determines whether the transaction information is abnormal in the dimension;
处理模块,用于根据所述各维度的检测结果确定所述交易信息是否异常。A processing module, configured to determine whether the transaction information is abnormal according to the detection results of the various dimensions.
第三方面,本申请实施例还提供一种计算设备,包括:存储器,用于存储程序;处理器,用于调用所述存储器中存储的程序,按照获得的程序执行如第一方面的各种可能的设计中所述的方法。In a third aspect, an embodiment of the present application further provides a computing device, including: a memory for storing a program; a processor for calling a program stored in the memory, and executing various aspects of the first aspect according to the obtained program methods described in possible designs.
第四方面,本申请实施例还提供一种计算机可读非易失性存储介质,包括计算机可读程序,当计算机读取并执行所述计算机可读程序时,使得计算机执行如第一方面的各种可能的设计中所述的方法。In a fourth aspect, embodiments of the present application further provide a computer-readable non-volatile storage medium, including a computer-readable program, when the computer reads and executes the computer-readable program, the computer executes the first aspect. methods described in various possible designs.
本申请的这些实现方式或其他实现方式在以下实施例的描述中会更加简明易懂。These implementations or other implementations of the present application will be more concise and understandable in the description of the following embodiments.
附图说明Description of drawings
为了更清楚地说明本发明实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简要介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域的普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the following briefly introduces the accompanying drawings used in the description of the embodiments. Obviously, the drawings in the following description are only some embodiments of the present invention. For those of ordinary skill in the art, other drawings can also be obtained from these drawings without any creative effort.
图1为本发明实施例提供的一种实时的交易异常检测的架构示意图;1 is a schematic structural diagram of a real-time transaction abnormality detection provided by an embodiment of the present invention;
图2为本发明实施例提供的一种实时的交易异常检测的流程示意图;2 is a schematic flowchart of a real-time transaction abnormality detection provided by an embodiment of the present invention;
图3为本发明实施例提供的一种实时的交易异常检测的架构示意图;3 is a schematic structural diagram of a real-time transaction abnormality detection provided by an embodiment of the present invention;
图4为本发明实施例提供的一种实时的交易异常检测的流程示意图;4 is a schematic flowchart of a real-time transaction abnormality detection provided by an embodiment of the present invention;
图5为本发明实施例提供的一种实时的交易异常检测的流程示意图;5 is a schematic flowchart of a real-time transaction abnormality detection provided by an embodiment of the present invention;
图6为本发明实施例提供的一种实时的交易异常检测装置示意图。FIG. 6 is a schematic diagram of a real-time transaction abnormality detection apparatus provided by an embodiment of the present invention.
具体实施方式Detailed ways
为了使本发明的目的、技术方案和优点更加清楚,下面将结合附图对本发明作进一步地详细描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其它实施例,都属于本发明保护的范围。In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.
图1为本发明实施例提供的一种实时的交易异常检测的系统架构,分发服务器101在获取到交易信息后,根据交易信息的多个维度的交易特征值,针对任一维度,按照该维度的第一分发规则,将该交易信息发送至检测节点集群102中的对应检测节点,使得该检测节点根据该维度的检测规则对该交易信息进行检测,获取检测结果。这里该交易信息的各维度的检测结果获取方法可以为:通过分别在检测节点集群102中的不同检测节点中进行对应维度的交易特征值等信息的统计,以根据获取的统计结果获取检测结果;之后,检测节点集群102中的一个或多个检测节点,从该不同检测节点中获取该交易信息在各维度的检测结果,根据该各维度的检测结果确定该交易信息是否异常。此处,还可以另外设置判定服务器103,使得判定服务器103从该不同检测节点中获取该交易信息在各维度的检测结果,根据该各维度的检测结果确定该交易信息是否异常。如此,通过判定服务器103进行该交易信息是否异常的判定,可以分担检测节点的处理压力,保证交易异常检测的系统的良性运行。其中,若由多个检测节点,同时从该不同检测节点中获取该交易信息在各维度的检测结果,并根据该各维度的检测结果确定该交易信息是否异常时,其中一个检测节点确定该交易信息为异常交易或正常交易,则其余该多个检测节点可以停止判断处理。如此,可以加快交易检测速度。另外,分发服务器101可以为一个分发服务器集群中的分发服务器,判定服务器103可以分别为一个判定服务器集群中的判定服务器。1 is a system architecture for real-time transaction abnormality detection provided by an embodiment of the present invention. After acquiring transaction information, the distribution server 101, according to transaction feature values of multiple dimensions of the transaction information, for any dimension, according to the dimension According to the first distribution rule, the transaction information is sent to the corresponding detection node in the detection node cluster 102, so that the detection node detects the transaction information according to the detection rule of the dimension, and obtains the detection result. Here, the method for obtaining the detection results of each dimension of the transaction information may be as follows: by performing statistics of information such as transaction feature values of the corresponding dimensions in different detection nodes in the detection node cluster 102 respectively, to obtain the detection results according to the obtained statistical results; Afterwards, one or more detection nodes in the node cluster 102 are detected, the detection results of the transaction information in each dimension are obtained from the different detection nodes, and whether the transaction information is abnormal is determined according to the detection results of the various dimensions. Here, a determination server 103 may be additionally provided, so that the determination server 103 obtains the detection results of the transaction information in each dimension from the different detection nodes, and determines whether the transaction information is abnormal according to the detection results of the various dimensions. In this way, by judging whether the transaction information is abnormal by the judging server 103, the processing pressure of the detection node can be shared, and the benign operation of the system for detecting abnormal transactions can be ensured. Among them, if multiple detection nodes simultaneously obtain the detection results of the transaction information in each dimension from the different detection nodes, and determine whether the transaction information is abnormal according to the detection results of the various dimensions, one of the detection nodes determines the transaction. If the information is an abnormal transaction or a normal transaction, the remaining multiple detection nodes can stop the judgment processing. In this way, the transaction detection speed can be accelerated. In addition, the distribution server 101 may be a distribution server in a distribution server cluster, and the determination servers 103 may be respectively a determination server in a determination server cluster.
基于此,本申请实施例提供了一种实时的交易异常检测方法的流程,如图2所示,包括:Based on this, the embodiment of the present application provides a process of a real-time transaction abnormality detection method, as shown in FIG. 2 , including:
步骤201、获取交易信息,所述交易信息中包含多个维度的交易特征值;Step 201: Obtain transaction information, where the transaction information includes transaction feature values of multiple dimensions;
此处,多个维度可以包括:银行卡、商户、IP等维度;多个维度的交易特征值:例如,银行卡维度的交易特征值为该交易信息中的银行卡卡号、商户维度的交易特征值为该交易信息中的商户编号、IP维度的交易特征值为该交易信息中的IP地址等等。Here, the multiple dimensions may include: bank card, merchant, IP and other dimensions; transaction feature values of multiple dimensions: for example, the transaction feature value of the bank card dimension is the bank card number in the transaction information, and the transaction feature of the merchant dimension The value is the merchant number in the transaction information, the transaction feature value of the IP dimension is the IP address in the transaction information, and so on.
步骤202、针对任一维度,按照所述维度的第一分发规则,确定处理所述 交易信息的检测节点;所述检测节点中包含针对所述维度的检测规则; Step 202, for any dimension, according to the first distribution rule of the dimension, determine the detection node that processes the transaction information; In the detection node, the detection rule for the dimension is included;
此处,在一种示例中,第一分发规则可以为根据交易特征值进行分发;如,根据交易信息的银行卡卡号的倒数第一位的余数确定该交易信息的检测节点;根据交易信息的商户编号的倒数第一位的余数确定该交易信息的检测节点等。如,银行卡卡号:123456789,确定倒数第一位的余数:9/10的余数为9,则将该交易信息分发至银行卡卡号的倒数第一位的余数9所对应的检测节点中。检测节点中包含的检测规则;例如,可以为获取该交易信息的交易平均额,根据该交易平均额和交易平均额的阈值确定该交易信息在该维度的检测结果。例如,若该交易平均额大于交易平均额的阈值,则确定该交易信息在该维度为异常交易。Here, in an example, the first distribution rule may be to distribute according to the transaction characteristic value; for example, the detection node of the transaction information is determined according to the remainder of the last digit of the bank card number of the transaction information; The remainder of the last digit of the merchant number determines the detection node of the transaction information, and the like. For example, the bank card number: 123456789, determine the remainder of the last one: 9/10, the remainder is 9, then distribute the transaction information to the detection node corresponding to the remainder 9 of the last one of the bank card number. The detection rules contained in the detection node; for example, to obtain the transaction average amount of the transaction information, the detection result of the transaction information in this dimension can be determined according to the transaction average amount and the threshold of the transaction average amount. For example, if the average transaction amount is greater than the threshold of the transaction average amount, it is determined that the transaction information is an abnormal transaction in this dimension.
步骤203、从各检测节点获取所述交易信息在各维度的检测结果;其中,任一维度的检测结果是检测节点基于所述维度的交易特征值的统计结果,按照所述维度的检测规则确定所述交易信息在所述维度是否异常;Step 203: Obtain the detection results of the transaction information in each dimension from each detection node; wherein, the detection result of any dimension is the statistical result of the transaction feature value of the detection node based on the dimension, and is determined according to the detection rule of the dimension Whether the transaction information is abnormal in the dimension;
此处,在一种示例中,基于银行卡维度的交易特征值(可以为信用卡卡号)的统计结果为:当前交易与最近的9笔历史交易的交易平均额为100000元,该信用卡卡号的交易平均额的阈值为100元(例如,可以为根据前一个月、前两个月等历史时间段内的该信用卡卡号的所有交易信息确定的交易平均额的阈值);按照该维度的检测规则确定该交易信息在该维度是否异常为:交易平均额100000元大于交易平均额的阈值100元,该交易信息在银行卡维度为异常交易。Here, in an example, the statistical result of the transaction characteristic value (which can be a credit card number) based on the bank card dimension is: the average transaction amount between the current transaction and the last 9 historical transactions is 100,000 yuan, and the transaction of the credit card number is 100,000 yuan. The threshold of the average amount is 100 yuan (for example, it can be the threshold value of the average transaction amount determined according to all transaction information of the credit card number in the previous month, the first two months and other historical time periods); determined according to the detection rules of this dimension Whether the transaction information is abnormal in this dimension is: the average transaction amount of 100,000 yuan is greater than the threshold of 100 yuan for the average transaction amount, and the transaction information is an abnormal transaction in the bank card dimension.
步骤204、根据所述各维度的检测结果确定所述交易信息是否异常。Step 204: Determine whether the transaction information is abnormal according to the detection results of the various dimensions.
此处,例如,该交易信息在银行卡维度、商户维度、IP维度的检测结果均异常,则确定该交易信息异常。Here, for example, if the detection results of the transaction information in the bank card dimension, the merchant dimension, and the IP dimension are all abnormal, it is determined that the transaction information is abnormal.
上述方法中,获取交易信息,交易信息中包含多个维度的交易特征值,针对多个维度中的任一维度,根据该维度的第一分发规则,确定处理该交易信息的检测节点。也就是说,针对交易信息的多个维度进行检测。从各检测节点获取该交易信息在各维度的检测结果,根据各维度的检测结果确定该交 易信息是否异常。也就是说,根据多个维度的检测结果共同确定该交易信息是否异常。相比于现有技术中通过单一维度进行交易异常检测来说,本申请可以通过多维度进行交易异常检测,提高交易异常场景的覆盖率,提高识别异常交易的准确率。In the above method, transaction information is obtained, the transaction information includes transaction feature values of multiple dimensions, and for any dimension in the multiple dimensions, a detection node that processes the transaction information is determined according to the first distribution rule of the dimension. That is to say, detection is performed for multiple dimensions of transaction information. Obtain the detection results of the transaction information in each dimension from each detection node, and determine whether the transaction information is abnormal according to the detection results of each dimension. That is to say, whether the transaction information is abnormal is jointly determined according to the detection results of multiple dimensions. Compared with the single-dimensional transaction abnormality detection in the prior art, the present application can perform transaction abnormality detection through multiple dimensions, improve the coverage of abnormal transaction scenarios, and improve the accuracy of identifying abnormal transactions.
基于图1中的系统架构,图3为本发明实施例提供的一种实时的交易异常检测的系统架构;图3中的该实时的交易异常检测的系统架构为:将图1中系统架构的检测节点中的统计规则等相关程序,分离至统计节点集群305中;以降低检测节点集群302的处理压力。即,如图所示,分发服务器301在获取到交易信息后,根据交易信息的多个维度的交易特征值,针对任一维度,按照该维度的第一分发规则,将该交易信息发送至检测节点集群302中的对应检测节点,使得该检测节点将该交易信息通过消息中间件304将该交易信息发送至统计节点集群305中的对应统计节点中,并根据该维度的第二分发规则,确定该统计节点中处理该交易信息的统计单元。例如,该统计单元的该维度的统计规则为:根据该交易信息的交易特征值获取对应历史交易特征值的各历史交易信息,根据该交易信息和历史交易信息确定交易平均额。之后,将获取的统计结果交易平均额通过消息中间件304发送回检测节点集群302中的该检测节点。进一步,通过判定服务器303或任一个或多个检测节点根据各维度的检测结果确定该交易信息是否异常。这里,统计节点可以与检测节点一一对应,也可以为统计节点与检测节点非一一对应,各统计节点中可以包含相同的统计单元,该统计节点集群305中各统计节点的交易信息的统计任务平均分配。Based on the system architecture in FIG. 1, FIG. 3 is a system architecture of real-time transaction abnormality detection provided by an embodiment of the present invention; the system architecture of the real-time transaction abnormality detection in FIG. 3 is: Related programs such as statistical rules in the detection node are separated into the statistical node cluster 305 , so as to reduce the processing pressure of the detection node cluster 302 . That is, as shown in the figure, after acquiring the transaction information, the distribution server 301, according to the transaction feature values of multiple dimensions of the transaction information, for any dimension, according to the first distribution rule of the dimension, sends the transaction information to the detection The corresponding detection node in the node cluster 302, so that the detection node sends the transaction information to the corresponding statistical node in the statistical node cluster 305 through the message middleware 304, and determines according to the second distribution rule of the dimension. The statistical unit in the statistical node that processes the transaction information. For example, the statistical rule of the dimension of the statistical unit is: obtain each historical transaction information corresponding to the historical transaction characteristic value according to the transaction characteristic value of the transaction information, and determine the average transaction amount according to the transaction information and the historical transaction information. Afterwards, the obtained statistical result transaction average amount is sent back to the detection node in the detection node cluster 302 through the message middleware 304 . Further, whether the transaction information is abnormal is determined by the determination server 303 or any one or more detection nodes according to the detection results of each dimension. Here, the statistical nodes may be in one-to-one correspondence with the detection nodes, or the statistical nodes may not be in one-to-one correspondence with the detection nodes, and each statistical node may include the same statistical unit, and the statistics of the transaction information of each statistical node in the statistical node cluster 305 The tasks are evenly distributed.
本申请实施例提供了一种实时的交易异常检测方法,从各检测节点获取所述交易信息在各维度的检测结果之前,还包括:针对任一维度,按照所述维度的第二分发规则,确定统计节点中处理所述交易信息的统计单元;所述统计单元按照所述维度的统计规则,根据所述维度的交易特征值与历史交易特征值进行统计,将统计结果发送给处理所述交易信息的检测节点;所述统计节点中包括针对不同维度的统计单元,统计单元中包括针对不同统计对象 的统计规则。例如,针对商户维度,按照商户维度的第二分发规则,第二分发规则可以为根据商户编号1234的倒数第三位的余数,可以为3/10的余数为3,确定处理该交易信息的统计单元。该统计单元按照商户维度的统计规则,获取历史交易信息中商户编号为1234的历史交易信息,根据当前交易信息的交易额和各历史交易信息的交易额,确定统计结果-交易平均额。将交易平均额发送回处理该交易信息的检测节点。其中,统计对象可以是交易平均额、刷卡频率等。The embodiment of the present application provides a real-time transaction abnormality detection method. Before acquiring the detection results of the transaction information in each dimension from each detection node, the method further includes: for any dimension, according to the second distribution rule of the dimension, Determine the statistical unit that processes the transaction information in the statistical node; the statistical unit performs statistics according to the statistical rules of the dimension, according to the transaction characteristic value and historical transaction characteristic value of the dimension, and sends the statistical result to the processing of the transaction. Information detection node; the statistical node includes statistical units for different dimensions, and the statistical unit includes statistical rules for different statistical objects. For example, for the merchant dimension, according to the second distribution rule of the merchant dimension, the second distribution rule can be based on the remainder of the third last digit of the merchant number 1234, which can be 3/10. The remainder is 3, and the statistics for processing the transaction information are determined. unit. The statistical unit obtains the historical transaction information of the merchant number 1234 in the historical transaction information according to the statistical rules of the merchant dimension, and determines the statistical result - the average transaction amount according to the transaction amount of the current transaction information and the transaction amount of each historical transaction information. Send the transaction average back to the detection node that processes the transaction information. Among them, the statistical objects may be the average transaction amount, the frequency of swiping cards, and the like.
本申请实施例提供了一种实时的交易异常检测方法,所述多个维度设置有不同的维度优先级;按照所述维度的分发规则,确定处理所述交易信息的检测节点之前,还包括:所述维度的维度优先级为第一优先级;确定已获得第二优先级的各维度的检测结果,所述第二优先级高于所述第一优先级。此处,通过设置各维度的优先级可以使得各维度的检测串行执行。如此,当某一维度的检测结果需要依赖另一维度的检测结果时,可以通过该方法使得对应维度的检测串行执行,增加结果检测的准确性。The embodiment of the present application provides a real-time transaction abnormality detection method, wherein the multiple dimensions are set with different dimension priorities; before determining the detection node processing the transaction information according to the distribution rules of the dimensions, the method further includes: The dimension priority of the dimension is the first priority; the detection result of each dimension that has obtained the second priority is determined, and the second priority is higher than the first priority. Here, the detection of each dimension can be performed serially by setting the priority of each dimension. In this way, when the detection result of a certain dimension needs to depend on the detection result of another dimension, the detection of the corresponding dimension can be performed serially by this method, thereby increasing the accuracy of the result detection.
本申请实施例提供了一种实时的交易异常检测方法,确定处理所述交易信息的检测节点之后,还包括:在所述检测节点中开启针对所述交易信息的同步锁;将统计结果发送给处理所述交易信息的检测节点之后,还包括:在所述检测节点中关闭针对所述交易信息的同步锁。例如,基于图3中的系统架构,当检测节点接收到该交易信息时,在该检测节点中开启针对该交易信息的同步锁;当统计节点将该交易信息的统计结果返回至该检测节点时,该检测节点关闭针对该交易信息的同步锁。也可以说为,在该检测节点的该交易信息对应的检测分组中开启针对该交易信息的同步锁,当统计节点将该交易信息的统计结果返回至该检测分组时,该检测分组关闭该同步锁。其中,在一种可能的设计中,该同步锁可以用于:当各维度的检测串行执行的流程时,在进行第二个维度的检测时,即,在第一个维度的检测结果获取后,该检测分组开启同步锁,等待获取第二个维度的统计结果后,关闭同步锁;如此,保证针对一笔交易信息的统计结果获取完整,以根据统计结果进行检测, 获取检测结果。如此,防止检测节点中针对该交易信息的检测维度未获取到该交易信息的统计结果,导致检测节点中的对应维度的交易信息的统计信息不完整,进而使得检测结果不准确。The embodiment of the present application provides a real-time transaction abnormality detection method. After determining the detection node that processes the transaction information, the method further includes: opening a synchronization lock for the transaction information in the detection node; sending the statistical result to After processing the detection node of the transaction information, the method further includes: closing the synchronization lock for the transaction information in the detection node. For example, based on the system architecture in FIG. 3, when the detection node receives the transaction information, a synchronization lock for the transaction information is opened in the detection node; when the statistical node returns the statistical result of the transaction information to the detection node , the detection node closes the synchronization lock for the transaction information. It can also be said that the synchronization lock for the transaction information is opened in the detection group corresponding to the transaction information of the detection node. When the statistical node returns the statistical result of the transaction information to the detection group, the detection group closes the synchronization. Lock. Among them, in a possible design, the synchronization lock can be used for: when the detection of each dimension is performed serially, when the detection of the second dimension is performed, that is, the detection result of the first dimension is obtained. Then, the detection group opens the synchronization lock, and closes the synchronization lock after waiting to obtain the statistical results of the second dimension; in this way, it is ensured that the statistical results of a transaction information are obtained completely, so as to perform detection according to the statistical results and obtain the detection results. In this way, it is prevented that the detection dimension of the transaction information in the detection node does not obtain the statistical result of the transaction information, resulting in incomplete statistical information of the transaction information of the corresponding dimension in the detection node, thereby making the detection result inaccurate.
本申请实施例提供了一种实时的交易异常检测方法,按照所述维度的第一分发规则,确定处理所述交易信息的检测节点,包括:按照所述维度的第一分发规则,通过所述维度的交易特征值确定处理所述交易信息的检测节点及确定所述检测节点中处理所述交易信息的检测分组;通过所述交易信息中的各交易项,从所述检测分组中确定检测规则组;所述检测规则组由所述检测分组中的至少一个检测规则组成。The embodiment of the present application provides a real-time transaction abnormality detection method. According to the first distribution rule of the dimension, determining a detection node that processes the transaction information includes: according to the first distribution rule of the dimension, through the The transaction characteristic value of the dimension determines the detection node that processes the transaction information and determines the detection group that processes the transaction information in the detection node; through each transaction item in the transaction information, the detection rule is determined from the detection group group; the detection rule group is composed of at least one detection rule in the detection group.
此处,检测节点中可以包含多个检测分组,多个检测分组可以检测逻辑相同。检测分组中可以包含多个检测规则,该多个检测规则中可以包含相同的检测规则。每个检测规则组中包括多个不同的检测规则,不同的检测规则组中可以包含相同的检测规则。例如,针对商户维度的交易特征值-商户编号1234的倒数第一位的余数确定检测节点;根据商户编号1234的倒数第二位的余数确定检测分组;根据交易信息中的各交易项,如,交易额、交易渠道等信息确定检测规则组;如,根据交易信息中的交易额确定针对交易平均额的检测规则、根据交易信息中的交易渠道确定针对交易渠道的检测规则等,由交易平均额的检测规则、交易渠道的检测规则等组成针对该交易信息的检测规则组。若当商户编号为2234的交易信息发送至该检测节点的该检测分组时,根据交易信息中的各交易项,如,交易额、交易时间等信息确定检测规则组,如,根据交易信息中的交易额确定针对交易平均额的检测规则、根据交易信息中的交易时间确定针对交易时间的检测规则等,由交易平均额的检测规则、交易时间的检测规则等组成针对该商户编号为2234的交易信息的检测规则组。如此,商户编号为1234和商户编号为2234的两笔交易信息的检测规则组中的检测规则可以包含相同的针对交易平均额的检测规则。这里需要说明的是,每个维度的检测规则组中包含多个的检测规则可以相同,也可以不同,可以根据需要设置,具体不做限定。Here, the detection node may include multiple detection groups, and the multiple detection groups may have the same detection logic. The detection group may contain multiple detection rules, and the multiple detection rules may contain the same detection rule. Each detection rule group includes multiple different detection rules, and different detection rule groups may contain the same detection rule. For example, for the transaction characteristic value of the merchant dimension - the remainder of the last digit of the merchant number 1234, the detection node is determined; the detection group is determined according to the remainder of the second last digit of the merchant number 1234; according to each transaction item in the transaction information, such as, The detection rule group is determined by the transaction amount, transaction channel and other information; for example, the detection rule for the average transaction amount is determined according to the transaction amount in the transaction information, and the detection rule for the transaction channel is determined according to the transaction channel in the transaction information. The detection rules of the transaction channel and the detection rules of the transaction channel constitute a detection rule group for the transaction information. If the transaction information with the merchant number 2234 is sent to the detection group of the detection node, the detection rule group is determined according to each transaction item in the transaction information, such as transaction amount, transaction time, etc., for example, according to the transaction information. The transaction amount determines the detection rules for the average transaction amount, determines the detection rules for the transaction time according to the transaction time in the transaction information, etc., which consists of the detection rules for the average transaction amount and the transaction time. A set of detection rules for information. In this way, the detection rules in the detection rule group of the two transaction information with the merchant number 1234 and the merchant number 2234 may include the same detection rule for the average transaction amount. It should be noted here that the detection rule group of each dimension contains multiple detection rules, which may be the same or different, and may be set as required, which is not specifically limited.
本申请实施例提供了一种实时的交易异常检测方法,同一检测规则组中的各检测规则串行执行;不同检测规则组中的各检测规则并行执行。在一种示例中,检测规则组包含多个不同的检测规则,针对交易信息的多个不同的检测结果,可以通过该检测节点中的该检测规则组中包含的多个不同的检测规则串行获取检测结果。The embodiment of the present application provides a real-time transaction abnormality detection method, in which each detection rule in the same detection rule group is executed serially; and each detection rule in different detection rule groups is executed in parallel. In an example, the detection rule group includes multiple different detection rules, and for multiple different detection results of transaction information, the multiple different detection rules included in the detection rule group in the detection node can be serialized Get test results.
本申请实施例提供了一种实时的交易异常检测方法,按照所述维度的第一分发规则,确定处理所述交易信息的检测节点之前,还包括:确定所述维度为异常检测中设置的维度。也就是说,在对交易信息进行检测前,可以先确定该交易信息的那些维度需要进行检测,那些维度无需进行检测;或者,那些交易信息用检测,那些交易信息不用检测;将无需进行该维度检测的交易信息删除或将无需检测的交易信息删除。如此,通过检测过滤,实现对交易信息有针对性的检测,即可以降低检测和/或统计的工作量,又可以提高检测结果的精确度。The embodiment of the present application provides a real-time transaction abnormality detection method. Before determining the detection node processing the transaction information according to the first distribution rule of the dimension, the method further includes: determining that the dimension is the dimension set in the abnormality detection. . That is to say, before detecting transaction information, it can be determined which dimensions of the transaction information need to be detected, and those dimensions do not need to be detected; or, those transaction information are detected, and those transaction information do not need to be detected; this dimension will not need to be detected. The detected transaction information is deleted or the transaction information that does not need to be detected is deleted. In this way, through detection and filtering, targeted detection of transaction information can be realized, which not only reduces the workload of detection and/or statistics, but also improves the accuracy of detection results.
本申请实施例提供了一种实时的交易异常检测方法,两个检测节点为一个探测组,所述探测组内的所述两个检测节点互相探测检测结果的更新时间,还包括:在所述探测组内的一个检测节点确定所述探测组内的另一个检测节点的所述更新时间高于设定时间阈值,则调整所述第一分发规则,使得所述探测组内的一个检测节点接收所述探测组内的另一个检测节点的待检测的交易信息,所述两个检测节点中的所述检测规则相同。也就是说,检测节点集群中的两两节点可以以一定的频率互相探测,若发现对方检测节点中的检测结果在设定时间阈值内未更新,则该对方检测节点出现故障,通过调整第一分发规则(可以根据需要对应调整第二分发规则),使得接管该对方检测节点中的检测任务。这里探测组中的检测节点可以为两个以上的检测节点互相探测,具体不做限定。The embodiment of the present application provides a real-time transaction abnormality detection method, two detection nodes are a detection group, and the two detection nodes in the detection group detect the update time of detection results from each other, and further includes: in the detection One detection node in the detection group determines that the update time of another detection node in the detection group is higher than the set time threshold, then adjusts the first distribution rule so that one detection node in the detection group receives The transaction information to be detected of another detection node in the detection group, and the detection rules in the two detection nodes are the same. That is to say, two or two nodes in the detection node cluster can detect each other at a certain frequency. If it is found that the detection result in the detection node of the other party has not been updated within the set time threshold, the detection node of the other party is faulty, and by adjusting the first detection node The distribution rule (the second distribution rule can be correspondingly adjusted as needed), so that the detection task in the detection node of the opposite party is taken over. Here, the detection nodes in the detection group may be two or more detection nodes to detect each other, which is not specifically limited.
基于上述方法流程,本申请实施例提供了一种交易信息维度串行的实时的交易异常检测方法的流程,如图4所示,包括:Based on the above method flow, an embodiment of the present application provides a flow of a real-time transaction abnormality detection method with transaction information dimension serialization, as shown in FIG. 4 , including:
步骤401、获取交易信息,该交易信息中包含多个维度的交易特征值。这 里的多个交易特征值可以是银行卡卡号、商户编号、IP地址等。Step 401: Obtain transaction information, where the transaction information includes transaction feature values of multiple dimensions. The multiple transaction characteristic values here can be bank card numbers, merchant numbers, IP addresses, and the like.
步骤402、根据第一分发规则确定为第二优先级的维度。该第二优先级的维度为优先进行检测的维度。在一种示例中,该第二优先级进行检测的维度为银行卡维度。Step 402: Determine the dimension of the second priority according to the first distribution rule. The dimension of the second priority is the dimension in which detection is performed first. In an example, the dimension in which the second priority is detected is the bank card dimension.
步骤403、根据第一分发规则确定该交易信息中该维度的交易特征值。如,交易特征值为银行卡卡号。Step 403: Determine the transaction feature value of the dimension in the transaction information according to the first distribution rule. For example, the transaction characteristic value is the bank card number.
步骤404、根据第一分发规则确定该交易特征值对应的检测节点。在上一示例中,根据银行卡卡号的倒数第一位的余数确定该交易信息对应检测节点1。Step 404: Determine the detection node corresponding to the transaction characteristic value according to the first distribution rule. In the previous example, it is determined that the transaction information corresponds to detection node 1 according to the remainder of the last digit of the bank card number.
步骤405、将该交易信息发送至该对应的检测节点。在上一示例中,该对应的检测节点为检测节点1。Step 405: Send the transaction information to the corresponding detection node. In the previous example, the corresponding detection node is detection node 1 .
步骤406、根据第一分发规则确定该交易特征值对应的检测分组。在上一示例中,根据银行卡卡号的倒数第二位的余数确定该交易信息对应检测节点1中的检测分组1。Step 406: Determine the detection group corresponding to the transaction feature value according to the first distribution rule. In the previous example, it is determined that the transaction information corresponds to detection group 1 in detection node 1 according to the remainder of the penultimate digit of the bank card number.
步骤407、根据该交易信息的交易项确定处理该交易信息的检测规则组。在上一示例中,根据交易信息中的交易额、交易渠道、交易时间等信息确定对应的检测规则,根据该对应的检测规则组成检测规则组。Step 407: Determine a detection rule group for processing the transaction information according to the transaction item of the transaction information. In the previous example, a corresponding detection rule is determined according to the transaction amount, transaction channel, transaction time and other information in the transaction information, and a detection rule group is formed according to the corresponding detection rule.
步骤408、检测节点针对该交易信息设置同步锁。这里需要说明的是,若本方案最先执行的是银行卡维度的检测,由于针对一个银行卡的历史交易信息、检测结果以及统计结果都存储在本地,可以无需设置同步锁。Step 408: The detection node sets a synchronization lock for the transaction information. It should be noted here that, if the first implementation of this solution is the detection of the bank card dimension, since the historical transaction information, detection results and statistical results of a bank card are stored locally, there is no need to set a synchronization lock.
步骤409、将该交易信息发送至对应统计节点的统计单元中,通过统计单元中针对该维度的交易信息的不同的统计对象的统计规则分别进行统计,获取统计结果。在上一示例中,通过统计对象-交易平均额的统计规则(如,获取与该交易信息的银行卡卡号相同的最近的9笔历史交易的历史交易信息,根据该交易信息和该9笔历史交易信息确定平均交易额)确定统计结果-平均交易额为1000元。Step 409 : Send the transaction information to the statistics unit of the corresponding statistics node, and perform statistics respectively according to the statistics rules of different statistics objects of the transaction information of the dimension in the statistics unit to obtain the statistics results. In the previous example, the historical transaction information of the last 9 historical transactions with the same bank card number as the transaction information is obtained through the statistical rules of the statistical object-transaction average amount, according to the transaction information and the nine historical transactions The transaction information determines the average transaction amount) to determine the statistical result - the average transaction amount is 1,000 yuan.
步骤410、将该统计结果返回至该对应的检测节点。在上述示例中,将该统计结果返回至检测节点1。Step 410: Return the statistical result to the corresponding detection node. In the above example, the statistical result is returned to detection node 1 .
步骤411、该检测节点获取该统计结果后,关闭针对该交易信息的同步锁。这里需要说明的是,在一种实施例中银行卡维度的检测若没有设置同步锁,则无需执行本步骤。Step 411: After acquiring the statistical result, the detection node closes the synchronization lock for the transaction information. It should be noted here that, in an embodiment, if the synchronization lock is not set in the detection of the bank card dimension, this step does not need to be performed.
步骤412、该检测节点根据该维度交易信息的检测规则组和该统计结果确定检测结果。在上述示例中,平均交易额为1000元大于预设平均交易额100元,该维度的交易信息的检测结果为异常。这里在一种可能的流程中,将该交易信息和该检测结果保存,并将该交易信息和该检测结果发送至消息中间件。 Step 412, the detection node determines the detection result according to the detection rule group of the dimension transaction information and the statistical result. In the above example, the average transaction amount is 1,000 yuan greater than the preset average transaction amount of 100 yuan, and the detection result of the transaction information in this dimension is abnormal. Here, in a possible process, the transaction information and the detection result are saved, and the transaction information and the detection result are sent to the message middleware.
步骤413、确定该交易信息为第二优先级(该第二优先级高于第一优先级,也就是说,在剩余的未检测的维度中,确定最高优先级的维度)的维度。在一种示例中,若上述银行卡维度为第二优先级维度,则商户维度为第一优先级维度。银行卡维度检测完成后,再次确定该交易信息的第二优先级的维度后(可以是商户维度),在步骤412中所述的可能的流程中,也可以是该维度的交易特征值对应的检测节点从消息中间件中获取该交易信息,并进行步骤406至步骤413的流程。Step 413: Determine that the transaction information is a dimension with a second priority (the second priority is higher than the first priority, that is, among the remaining undetected dimensions, determine the dimension with the highest priority). In one example, if the aforementioned bank card dimension is the second priority dimension, the merchant dimension is the first priority dimension. After the bank card dimension detection is completed, after the second priority dimension of the transaction information is determined again (it may be the merchant dimension), in the possible process described in step 412, it may also be the transaction feature value corresponding to the dimension. The detection node obtains the transaction information from the message middleware, and performs the flow from step 406 to step 413 .
循环执行步骤403至步骤413:Execute step 403 to step 413 cyclically:
步骤403、根据第一分发规则确定该交易信息中该维度的交易特征值。如,交易特征值为商户编号。Step 403: Determine the transaction feature value of the dimension in the transaction information according to the first distribution rule. For example, the transaction characteristic value is the merchant number.
步骤404、根据第一分发规则确定该交易特征值对应的检测节点。在上一示例中,根据商户编号的倒数第一位的余数确定该交易信息对应检测节点2,这里也可以是上一维度该交易信息对应的检测节点1,这里对同一交易信息的不同维度的检测处理的检测节点具体不做限定。Step 404: Determine the detection node corresponding to the transaction characteristic value according to the first distribution rule. In the previous example, it is determined that the transaction information corresponds to detection node 2 according to the remainder of the last digit of the merchant number. Here, it can also be the detection node 1 corresponding to the transaction information in the previous dimension. Here, for the same transaction information of different dimensions The detection node of the detection processing is not specifically limited.
步骤405、将该交易信息发送至该对应的检测节点。在上一示例中,该对应的检测节点为检测节点2。Step 405: Send the transaction information to the corresponding detection node. In the previous example, the corresponding detection node is detection node 2 .
步骤406、根据第一分发规则确定该交易特征值对应的检测分组。在上一示例中,根据商户编号的倒数第二位的余数确定该交易信息对应检测节点2中的检测分组2。Step 406: Determine the detection group corresponding to the transaction feature value according to the first distribution rule. In the previous example, it is determined that the transaction information corresponds to detection group 2 in detection node 2 according to the remainder of the penultimate digit of the merchant number.
步骤407、根据该交易信息的交易项确定处理该交易信息的检测规则组。在上一示例中,根据交易信息中的交易额、交易渠道、交易时间、交易地点等信息确定对应的检测规则,根据该对应的检测规则组成检测规则组。Step 407: Determine a detection rule group for processing the transaction information according to the transaction item of the transaction information. In the previous example, a corresponding detection rule is determined according to the transaction amount, transaction channel, transaction time, transaction location and other information in the transaction information, and a detection rule group is formed according to the corresponding detection rule.
步骤408、检测节点针对该交易信息设置同步锁。Step 408: The detection node sets a synchronization lock for the transaction information.
步骤409、将该交易信息发送至对应统计节点的统计单元中,通过统计单元中针对该维度的交易信息的不同的统计对象的统计规则分别进行统计,获取统计结果。在上一示例中,通过统计对象-交易总额的统计规则(如,获取与该交易信息的商户编号相同的历史交易的历史交易信息,根据该交易信息和该历史交易信息确定交易总额)确定统计结果-交易总额为100万元。Step 409 : Send the transaction information to the statistics unit of the corresponding statistics node, and perform statistics respectively according to the statistics rules of different statistics objects of the transaction information of the dimension in the statistics unit to obtain the statistics results. In the previous example, statistics are determined by the statistical rules of the statistical object-total transaction amount (eg, obtaining historical transaction information of the historical transaction with the same merchant number as the transaction information, and determining the total transaction amount according to the transaction information and the historical transaction information) Result - The total transaction amount is 1 million yuan.
步骤410、将该统计结果返回至该对应的检测节点,在上述示例中,将该统计结果返回至检测节点2。Step 410 : Return the statistical result to the corresponding detection node. In the above example, return the statistical result to the detection node 2 .
步骤411、该检测节点获取该统计结果后,关闭针对该交易信息的同步锁。Step 411: After acquiring the statistical result, the detection node closes the synchronization lock for the transaction information.
步骤412、该检测节点根据该维度的检测规则组和该统计结果确定检测结果。在上述示例中,交易总额为100万元大于预设交易总额90万元,该维度的交易信息的检测结果为异常。Step 412: The detection node determines the detection result according to the detection rule group of the dimension and the statistical result. In the above example, if the total transaction amount is 1 million yuan greater than the preset transaction amount of 900,000 yuan, the detection result of the transaction information in this dimension is abnormal.
步骤413、若该检测节点确定该交易信息还需要进行下一优先级(剩余维度中的第二优先级)的维度的检测,则继续循环执行步骤403至步骤412,获取该维度的统计结果。Step 413: If the detection node determines that the transaction information needs to be detected for the dimension of the next priority (the second priority in the remaining dimensions), then continue to perform steps 403 to 412 in a loop to obtain the statistical results of the dimension.
步骤414、获取该交易信息的各维度的检测结果,根据该交易信息的各维度的检测结果确定该交易信息是否异常。在上述示例中,该交易信息中的银行卡维度的检测结果为交易异常以及该交易信息中的商户维度的检测结果为交易异常,该交易信息异常,如,该交易很可能为该银行卡用户和该商户进行合作非法套现。Step 414: Acquire detection results of each dimension of the transaction information, and determine whether the transaction information is abnormal according to the detection results of each dimension of the transaction information. In the above example, the detection result of the bank card dimension in the transaction information is transaction abnormality and the detection result of the merchant dimension in the transaction information is transaction abnormality, the transaction information is abnormal, for example, the transaction is likely to be the bank card user Cooperate with the merchant to illegally cash out.
这里需要说明的是,上述流程步骤并不唯一,例如,步骤408可以在步骤406-407的任意步骤前后执行。步骤406和步骤407可以在步骤405前执行。It should be noted here that the above process steps are not unique, for example, step 408 may be executed before and after any of steps 406-407. Steps 406 and 407 may be performed before step 405 .
基于上述方法流程,本申请实施例提供了一种交易信息维度并行的实时的交易异常检测方法的流程,如图5所示,包括:Based on the above method flow, an embodiment of the present application provides a flow of a real-time transaction abnormality detection method with parallel transaction information dimensions, as shown in FIG. 5 , including:
步骤501、获取交易信息,该交易信息中包含多个维度的交易特征值。这里的多个交易特征值可以是银行卡卡号、商户编号、IP地址等。Step 501: Obtain transaction information, where the transaction information includes transaction feature values of multiple dimensions. The multiple transaction characteristic values here may be a bank card number, a merchant number, an IP address, and the like.
步骤502、根据第一分发规则确定该交易信息各维度的交易特征值。在一种示例中,各维度的交易特征值包括:银行卡维度和商户维度。Step 502: Determine transaction characteristic values of each dimension of the transaction information according to the first distribution rule. In an example, the transaction feature values of each dimension include: a bank card dimension and a merchant dimension.
步骤503、根据第一分发规则分别确定该交易信息中各维度的交易特征值对应的检测节点。在上一示例中,根据银行卡卡号的倒数第一位的余数确定该交易信息对应检测节点1,根据商户编号的倒数第一位的余数确定该交易信息对应检测节点2,这里该交易信息的多个维度对应的检测节点也可以为不同的检测节点。Step 503: Determine the detection nodes corresponding to the transaction feature values of each dimension in the transaction information according to the first distribution rule. In the previous example, the transaction information is determined to correspond to detection node 1 according to the remainder of the last one of the bank card number, and the detection node 2 is determined to be corresponding to the transaction information according to the remainder of the last one of the merchant number. Detection nodes corresponding to multiple dimensions may also be different detection nodes.
步骤504、将该交易信息发送至该对应的检测节点。在上一示例中,将该交易信息分别发送至检测节点1和检测节点2。Step 504: Send the transaction information to the corresponding detection node. In the previous example, the transaction information is sent to detection node 1 and detection node 2, respectively.
步骤505、根据第一分发规则确定各维度的交易特征值对应的检测分组。在上一示例中,根据银行卡卡号的倒数第二位的余数确定该交易信息对应检测节点1中的检测分组1,根据商户编号的倒数第二位的余数确定该交易信息对应检测节点2中的检测分组2。Step 505: Determine the detection group corresponding to the transaction feature value of each dimension according to the first distribution rule. In the previous example, the transaction information is determined to correspond to detection group 1 in detection node 1 according to the remainder of the penultimate digit of the bank card number, and the transaction information is determined to correspond to detection group 1 in detection node 2 according to the remainder of the penultimate digit of the merchant number. The detection packet 2.
步骤506、根据该交易信息的各交易项确定处理该交易信息的检测规则组。Step 506: Determine a detection rule group for processing the transaction information according to each transaction item of the transaction information.
步骤507、检测节点针对该交易信息设置同步锁。Step 507: The detection node sets a synchronization lock for the transaction information.
步骤508、将该交易信息发送至对应统计节点的统计单元中,通过统计单元中针对该维度的交易信息的不同的统计对象的统计规则分别进行统计,获取统计结果。在上述示例中,分别获取银行卡维度和商户维度的该交易信息的统计结果。Step 508 : Send the transaction information to the statistics unit of the corresponding statistics node, and perform statistics respectively according to the statistics rules of different statistics objects of the transaction information of the dimension in the statistics unit to obtain the statistics results. In the above example, the statistical results of the transaction information in the bank card dimension and the merchant dimension are obtained respectively.
步骤509、将该统计结果返回至该对应的检测节点。在上述示例中,将银行卡维度的统计结果返回至检测节点1,商户维度的统计结果返回至检测节点2。Step 509: Return the statistical result to the corresponding detection node. In the above example, the statistical result of the bank card dimension is returned to the detection node 1, and the statistical result of the merchant dimension is returned to the detection node 2.
步骤510、检测节点获取该统计结果后,关闭针对该交易信息的同步锁。Step 510: After acquiring the statistical result, the detection node closes the synchronization lock for the transaction information.
步骤511、检测节点根据该维度交易信息的检测规则组和该统计结果确定检测结果。Step 511: The detection node determines the detection result according to the detection rule group of the dimension transaction information and the statistical result.
步骤512、获取该交易信息的各维度的检测结果,根据该交易信息的各维度的检测结果确定该交易信息是否异常。Step 512: Acquire detection results of each dimension of the transaction information, and determine whether the transaction information is abnormal according to the detection results of each dimension of the transaction information.
这里需要说明的是,上述流程中各维度的检测可以是并发进行的,不同维度的检测流程中的相同阶段的检测步骤,并不一定同时进行,例如,银行卡维度的统计结果返回速度可以比商户维度的统计结果的返回速度快。且上述流程步骤并不唯一,例如,步骤507可以在步骤505、步骤506中任一步骤前或任一步骤后执行。It should be noted here that the detection of each dimension in the above process can be performed concurrently, and the detection steps of the same stage in the detection process of different dimensions are not necessarily performed at the same time. For example, the return speed of the statistical results of the bank card dimension can be faster than The return speed of the statistics results of the merchant dimension is fast. And the above process steps are not unique, for example, step 507 can be executed before any step of step 505 and step 506 or after any step.
基于同样的构思,本发明实施例提供一种实时的交易异常检测装置,图6为本申请实施例提供的一种实时的交易异常检测装置示意图,如图6示,包括:Based on the same concept, an embodiment of the present invention provides a real-time transaction abnormality detection device. FIG. 6 is a schematic diagram of a real-time transaction abnormality detection device provided by an embodiment of the application, as shown in FIG. 6 , including:
获取模块601,用于获取交易信息,所述交易信息中包含多个维度的交易特征值;an acquisition module 601, configured to acquire transaction information, where the transaction information includes transaction feature values of multiple dimensions;
分发模块602,用于针对任一维度,按照所述维度的第一分发规则,确定处理所述交易信息的检测节点;所述检测节点中包含针对所述维度的检测规则;The distribution module 602 is configured to, for any dimension, determine a detection node for processing the transaction information according to the first distribution rule of the dimension; the detection node includes a detection rule for the dimension;
所述获取模块601还用于,从各检测节点获取所述交易信息在各维度的检测结果;其中,任一维度的检测结果是检测节点基于所述维度的交易特征值的统计结果,按照所述维度的检测规则确定所述交易信息在所述维度是否异常;The acquisition module 601 is further configured to acquire the detection results of the transaction information in each dimension from each detection node; wherein, the detection result of any dimension is the statistical result of the transaction feature value of the detection node based on the dimension, according to the The detection rule of the dimension determines whether the transaction information is abnormal in the dimension;
处理模块603,用于根据所述各维度的检测结果确定所述交易信息是否异常。The processing module 603 is configured to determine whether the transaction information is abnormal according to the detection results of the various dimensions.
可选的,所述分发模块602还用于,针对任一维度,按照所述维度的第二分发规则,确定统计节点中处理所述交易信息的统计单元;所述统计单元按照所述维度的统计规则,根据所述维度的交易特征值与历史交易特征值进行统计,将统计结果发送给处理所述交易信息的检测节点;所述统计节点中包括针对不同维度的统计单元,统计单元中包括针对不同统计对象的统计规则。Optionally, the distribution module 602 is further configured to, for any dimension, determine the statistical unit that processes the transaction information in the statistical node according to the second distribution rule of the dimension; Statistical rules, perform statistics according to the transaction characteristic values and historical transaction characteristic values of the dimension, and send the statistical results to the detection node that processes the transaction information; the statistical node includes statistical units for different dimensions, and the statistical units include Statistical rules for different statistical objects.
可选的,所述分发模块602还用于,所述多个维度设置有不同的维度优先级;按照所述维度的分发规则,确定处理所述交易信息的检测节点之前,还包括:所述维度的维度优先级为第一优先级;确定已获得第二优先级的各维度的检测结果,所述第二优先级高于所述第一优先级。Optionally, the distribution module 602 is further configured to set different dimension priorities for the multiple dimensions; before determining the detection node that processes the transaction information according to the distribution rules of the dimensions, the method further includes: the The dimension priority of the dimension is the first priority; the detection result of each dimension that has obtained the second priority is determined, and the second priority is higher than the first priority.
可选的,所述处理模块603还用于,在所述检测节点中开启针对所述交易信息的同步锁;所述处理模块603还用于,在所述检测节点中关闭针对所述交易信息的同步锁。Optionally, the processing module 603 is further configured to open a synchronization lock for the transaction information in the detection node; the processing module 603 is further configured to disable the synchronization lock for the transaction information in the detection node synchronization lock.
可选的,所述分发模块602具体用于,按照所述维度的第一分发规则,通过所述维度的交易特征值确定处理所述交易信息的检测节点及确定所述检测节点中处理所述交易信息的检测分组;通过所述交易信息中的各交易项,从所述检测分组中确定检测规则组;所述检测规则组由所述检测分组中的至少一个检测规则组成。Optionally, the distribution module 602 is specifically configured to, according to the first distribution rule of the dimension, determine the detection node that processes the transaction information by the transaction characteristic value of the dimension and determine the detection node to process the transaction information. A detection grouping of transaction information; a detection rule group is determined from the detection group by each transaction item in the transaction information; the detection rule group is composed of at least one detection rule in the detection group.
可选的,同一检测规则组中的各检测规则串行执行;不同检测规则组中的各检测规则并行执行。Optionally, each detection rule in the same detection rule group is executed serially; each detection rule in different detection rule groups is executed in parallel.
可选的,所述分发模块602还用于,通过所述检测节点将所述交易信息发送至消息中间件;通过所述消息中间件将所述交易信息发送至所述统计节点。Optionally, the distribution module 602 is further configured to send the transaction information to the message middleware through the detection node; and send the transaction information to the statistics node through the message middleware.
可选的,所述处理模块603还用于,确定所述维度为异常检测中设置的维度。Optionally, the processing module 603 is further configured to determine that the dimension is the dimension set in the abnormality detection.
可选的,所述处理模块603还用于,在所述探测组内的一个检测节点确定所述探测组内的另一个检测节点的所述更新时间高于设定时间阈值,则调整所述第一分发规则,使得所述探测组内的一个检测节点接收所述探测组内的另一个检测节点的待检测的交易信息,所述两个检测节点中的所述检测规则相同。Optionally, the processing module 603 is further configured to, when a detection node in the detection group determines that the update time of another detection node in the detection group is higher than a set time threshold, adjust the The first distribution rule enables one detection node in the detection group to receive transaction information to be detected of another detection node in the detection group, and the detection rules in the two detection nodes are the same.
本领域内的技术人员应明白,本申请的实施例可提供为方法、系统、或计算机程序产品。因此,本申请可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请可采用在一个或多个 其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。As will be appreciated by those skilled in the art, the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
本申请是参照根据本申请的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the present application. It will be understood that each flow and/or block in the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing device to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing device produce Means for implementing the functions specified in a flow or flow of a flowchart and/or a block or blocks of a block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory result in an article of manufacture comprising instruction means, the instructions The apparatus implements the functions specified in the flow or flow of the flowcharts and/or the block or blocks of the block diagrams.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded on a computer or other programmable data processing device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process such that The instructions provide steps for implementing the functions specified in the flow or blocks of the flowcharts and/or the block or blocks of the block diagrams.
显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的精神和范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present application without departing from the spirit and scope of the present application. Thus, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to include these modifications and variations.

Claims (12)

  1. 一种实时的交易异常检测方法,其特征在于,所述方法包括:A real-time transaction abnormality detection method, characterized in that the method comprises:
    获取交易信息,所述交易信息中包含多个维度的交易特征值;Obtain transaction information, where the transaction information includes transaction feature values of multiple dimensions;
    针对任一维度,按照所述维度的第一分发规则,确定处理所述交易信息的检测节点;所述检测节点中包含针对所述维度的检测规则;For any dimension, according to the first distribution rule of the dimension, determine a detection node for processing the transaction information; the detection node includes a detection rule for the dimension;
    从各检测节点获取所述交易信息在各维度的检测结果;其中,任一维度的检测结果是检测节点基于所述维度的交易特征值的统计结果,按照所述维度的检测规则确定所述交易信息在所述维度是否异常;Obtain the detection results of the transaction information in each dimension from each detection node; wherein, the detection result of any dimension is the statistical result of the transaction feature value of the detection node based on the dimension, and the transaction is determined according to the detection rules of the dimension. Whether the information is abnormal in the dimension;
    根据所述各维度的检测结果确定所述交易信息是否异常。Whether the transaction information is abnormal is determined according to the detection results of the dimensions.
  2. 如权利要求1中所述的方法,其特征在于,从各检测节点获取所述交易信息在各维度的检测结果之前,还包括:The method according to claim 1, wherein before acquiring the detection results of the transaction information in each dimension from each detection node, the method further comprises:
    针对任一维度,按照所述维度的第二分发规则,确定统计节点中处理所述交易信息的统计单元;所述统计单元按照所述维度的统计规则,根据所述维度的交易特征值与历史交易特征值进行统计,将统计结果发送给处理所述交易信息的检测节点;所述统计节点中包括针对不同维度的统计单元,统计单元中包括针对不同统计对象的统计规则。For any dimension, according to the second distribution rule of the dimension, determine the statistical unit processing the transaction information in the statistical node; the statistical unit according to the statistical rule of the dimension, according to the transaction feature value and history of the dimension The transaction characteristic value is counted, and the statistical result is sent to the detection node that processes the transaction information; the statistical node includes statistical units for different dimensions, and the statistical unit includes statistical rules for different statistical objects.
  3. 如权利要求1或2中所述的方法,其特征在于,所述多个维度设置有不同的维度优先级;The method according to claim 1 or 2, wherein the multiple dimensions are set with different dimension priorities;
    按照所述维度的分发规则,确定处理所述交易信息的检测节点之前,还包括:According to the distribution rule of the dimension, before determining the detection node that processes the transaction information, the method further includes:
    所述维度的维度优先级为第一优先级;The dimension priority of the dimension is the first priority;
    确定已获得第二优先级的各维度的检测结果,所述第二优先级高于所述第一优先级。A detection result of each dimension for which a second priority has been obtained, the second priority being higher than the first priority, is determined.
  4. 如权利要求1中所述的方法,其特征在于,确定处理所述交易信息的检测节点之后,还包括:The method according to claim 1, wherein after determining the detection node that processes the transaction information, the method further comprises:
    在所述检测节点中开启针对所述交易信息的同步锁;opening a synchronization lock for the transaction information in the detection node;
    将统计结果发送给处理所述交易信息的检测节点之后,还包括:After sending the statistical results to the detection node that processes the transaction information, the method further includes:
    在所述检测节点中关闭针对所述交易信息的同步锁。The synchronization lock for the transaction information is closed in the detection node.
  5. 如权利要求1中所述的方法,其特征在于,按照所述维度的第一分发规则,确定处理所述交易信息的检测节点,包括:The method according to claim 1, wherein determining the detection node processing the transaction information according to the first distribution rule of the dimension, comprising:
    按照所述维度的第一分发规则,通过所述维度的交易特征值确定处理所述交易信息的检测节点及确定所述检测节点中处理所述交易信息的检测分组;According to the first distribution rule of the dimension, the detection node for processing the transaction information and the detection group for processing the transaction information in the detection node are determined by the transaction feature value of the dimension;
    通过所述交易信息中的各交易项,从所述检测分组中确定检测规则组;所述检测规则组由所述检测分组中的至少一个检测规则组成。Through each transaction item in the transaction information, a detection rule group is determined from the detection group; the detection rule group is composed of at least one detection rule in the detection group.
  6. 如权利要求5中所述的方法,其特征在于,同一检测规则组中的各检测规则串行执行;不同检测规则组中的各检测规则并行执行。The method of claim 5, wherein each detection rule in the same detection rule group is executed serially; each detection rule in different detection rule groups is executed in parallel.
  7. 如权利要求2中所述的方法,其特征在于,确定统计节点中处理所述交易信息的统计单元之前,还包括:The method according to claim 2, wherein before determining the statistical unit in the statistical node that processes the transaction information, the method further comprises:
    通过所述检测节点将所述交易信息发送至消息中间件;Send the transaction information to the message middleware through the detection node;
    通过所述消息中间件将所述交易信息发送至所述统计节点。The transaction information is sent to the statistics node through the message middleware.
  8. 如权利要求5至7任一项中所述的方法,其特征在于,按照所述维度的第一分发规则,确定处理所述交易信息的检测节点之前,还包括:The method according to any one of claims 5 to 7, wherein, before determining the detection node processing the transaction information according to the first distribution rule of the dimension, the method further comprises:
    确定所述维度为异常检测中设置的维度。It is determined that the dimension is the dimension set in the anomaly detection.
  9. 如权利要求1中所述的方法,其特征在于,两个检测节点为一个探测组,所述探测组内的所述两个检测节点互相探测检测结果的更新时间,还包括:The method according to claim 1, wherein two detection nodes are a detection group, and the two detection nodes in the detection group detect the update time of detection results from each other, further comprising:
    在所述探测组内的一个检测节点确定所述探测组内的另一个检测节点的所述更新时间高于设定时间阈值,则调整所述第一分发规则,使得所述探测组内的一个检测节点接收所述探测组内的另一个检测节点的待检测的交易信息,所述两个检测节点中的所述检测规则相同。One detection node in the detection group determines that the update time of another detection node in the detection group is higher than the set time threshold, and adjusts the first distribution rule so that one detection node in the detection group The detection node receives transaction information to be detected of another detection node in the detection group, and the detection rules in the two detection nodes are the same.
  10. 一种实时的交易异常检测装置,其特征在于,所述装置包括:A real-time transaction abnormality detection device, characterized in that the device comprises:
    获取模块,用于获取交易信息,所述交易信息中包含多个维度的交易特征值;an acquisition module for acquiring transaction information, where the transaction information includes transaction feature values of multiple dimensions;
    分发模块,用于针对任一维度,按照所述维度的第一分发规则,确定处理所述交易信息的检测节点;所述检测节点中包含针对所述维度的检测规则;a distribution module, configured to determine a detection node for processing the transaction information according to the first distribution rule of the dimension for any dimension; the detection node includes a detection rule for the dimension;
    所述获取模块还用于,从各检测节点获取所述交易信息在各维度的检测结果;其中,任一维度的检测结果是检测节点基于所述维度的交易特征值的统计结果,按照所述维度的检测规则确定所述交易信息在所述维度是否异常;The acquiring module is further configured to acquire, from each detection node, the detection result of the transaction information in each dimension; wherein, the detection result of any dimension is the statistical result of the transaction characteristic value of the detection node based on the dimension, according to the The detection rule of the dimension determines whether the transaction information is abnormal in the dimension;
    处理模块,用于根据所述各维度的检测结果确定所述交易信息是否异常。A processing module, configured to determine whether the transaction information is abnormal according to the detection results of the various dimensions.
  11. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质存储有程序,当所述程序在计算机上运行时,使得计算机实现执行权利要求1至9中任一项所述的方法。A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program that, when the program runs on a computer, enables the computer to implement the method according to any one of claims 1 to 9 .
  12. 一种计算机设备,其特征在于,包括:A computer device, comprising:
    存储器,用于存储计算机程序;memory for storing computer programs;
    处理器,用于调用所述存储器中存储的计算机程序,按照获得的程序执行如权利要求1至9任一权利要求所述的方法。The processor is configured to call the computer program stored in the memory, and execute the method according to any one of claims 1 to 9 according to the obtained program.
PCT/CN2021/134953 2021-01-21 2021-12-02 Real-time transaction anomaly detection method and device WO2022156380A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110080166.9 2021-01-21
CN202110080166.9A CN112801667A (en) 2021-01-21 2021-01-21 Real-time transaction abnormity detection method and device

Publications (1)

Publication Number Publication Date
WO2022156380A1 true WO2022156380A1 (en) 2022-07-28

Family

ID=75810968

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/134953 WO2022156380A1 (en) 2021-01-21 2021-12-02 Real-time transaction anomaly detection method and device

Country Status (2)

Country Link
CN (1) CN112801667A (en)
WO (1) WO2022156380A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112801667A (en) * 2021-01-21 2021-05-14 中国银联股份有限公司 Real-time transaction abnormity detection method and device
CN114338102B (en) * 2021-12-14 2024-03-19 北京安天网络安全技术有限公司 Security detection method, security detection device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120166327A1 (en) * 2010-12-22 2012-06-28 HyannisPort Research Data capture and real time risk controls for electronic markets
CN105590216A (en) * 2015-11-18 2016-05-18 中国银联股份有限公司 Method and system of real-time monitoring of transaction risk
CN106484791A (en) * 2016-09-21 2017-03-08 中国银联股份有限公司 A kind of data statistical approach and device
CN107886431A (en) * 2017-10-18 2018-04-06 上海瀚银信息技术有限公司 Financial air control system based on big data and artificial intelligence
CN108920686A (en) * 2018-07-12 2018-11-30 李俊山 A kind of distributed transaction institute real-time monitoring and management system
CN112801667A (en) * 2021-01-21 2021-05-14 中国银联股份有限公司 Real-time transaction abnormity detection method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SG11201908270QA (en) * 2017-03-08 2019-10-30 Jewel Paymentech Pte Ltd Apparatus and method for real-time detection of fraudulent digital transactions
CN110648214B (en) * 2018-06-27 2022-06-24 银联数据服务有限公司 Method and device for determining abnormal account

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120166327A1 (en) * 2010-12-22 2012-06-28 HyannisPort Research Data capture and real time risk controls for electronic markets
CN105590216A (en) * 2015-11-18 2016-05-18 中国银联股份有限公司 Method and system of real-time monitoring of transaction risk
CN106484791A (en) * 2016-09-21 2017-03-08 中国银联股份有限公司 A kind of data statistical approach and device
CN107886431A (en) * 2017-10-18 2018-04-06 上海瀚银信息技术有限公司 Financial air control system based on big data and artificial intelligence
CN108920686A (en) * 2018-07-12 2018-11-30 李俊山 A kind of distributed transaction institute real-time monitoring and management system
CN112801667A (en) * 2021-01-21 2021-05-14 中国银联股份有限公司 Real-time transaction abnormity detection method and device

Also Published As

Publication number Publication date
CN112801667A (en) 2021-05-14

Similar Documents

Publication Publication Date Title
RU2746568C1 (en) Method and device for determining the legality of transaction based on blockchain
WO2022156380A1 (en) Real-time transaction anomaly detection method and device
WO2017076176A1 (en) Service processing method and apparatus
US8458090B1 (en) Detecting fraudulent mobile money transactions
CN106952158A (en) Solve the problems, such as the bookkeeping methods and equipment of focus account
US20140012724A1 (en) Automated fraud detection method and system
CA2439435A1 (en) System and method for depicting on-line transactions
US20130185191A1 (en) Systems and method for correlating transaction events
WO2019014821A1 (en) Fault early warning method for financial terminal, terminal device and storage medium
CN111179066B (en) Batch processing method and device for business data, server and storage medium
CN107330776A (en) One kind book keeping operation and the detailed detection method and device of abnormal book keeping operation
WO2015101166A1 (en) Method for detecting false card risk and transaction processing system for implementing same
WO2020064463A1 (en) An apparatus, computer program and method
AU2018220785B8 (en) An apparatus, computer program and method
CN110458688A (en) A kind of method for processing business, device and equipment
US20050027667A1 (en) Method and system for determining whether a situation meets predetermined criteria upon occurrence of an event
WO2020064462A1 (en) An apparatus, computer program and method
CN108133540B (en) Detection method and detection device for abnormal number of paper money in paper money box and electronic equipment
US7991663B1 (en) System for volume and stress testing bank debit card processing systems
CN110322346A (en) A kind of condition that supporting uxto model can set method of payment and system
US11429725B1 (en) Automated security risk assessment systems and methods
CN108648330B (en) Deposit and withdrawal management method, deposit and withdrawal management device and self-service terminal
TWI680438B (en) Method of monitoring atm and atm using the same
KR20140118233A (en) Fraud detection method and apparatus for card payment
Kang Fraud Detection in Mobile Money Transactions Using Machine Learning

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21920755

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21920755

Country of ref document: EP

Kind code of ref document: A1