Business risk assessment method and device, and risk control system

A risk assessment technology based on a risk assessment model, applied to business risk assessment methods, devices, and risk control systems. It addresses problems such as the difficulty of judging multiple rules simultaneously and the time-consuming, labor-intensive reliance on manual experience, with the effect of improving generalization ability and processing efficiency.

Inactive Publication Date: 2017-08-18
BEIJING QIYI CENTURY SCI & TECH CO LTD
8 Cites 67 Cited by

AI-Extracted Technical Summary

Problems solved by technology

Therefore, for a malicious access, only a single rule that it hits can be obtained, but in fact a malicious access will hit multiple rules at the same time, which makes it difficult to combine multiple rules for simultaneous judgment
[0006] (2) Low efficiency
[0007] Time-consuming and labor-intensive due to the need to manually set the priority of each ru...

Abstract

The invention provides a business risk assessment method and device, and a risk control system. The method comprises steps that to-be-assessed business data is received, and a risk behavior rule set matched with the business data is identified according to a preset risk rule engine; for multiple rules of the rule set, a risk value of each corresponding rule is assessed according to a pre-established risk assessment model; the risk values of the corresponding rules are accumulated, the accumulated risk value sum is compared with a total risk score threshold of each preset risk grade, and a risk grade of the business data is determined. The method is advantaged in that generalization capability and processing efficiency of a risk system can be improved.

Example Embodiment

[0028] In order to make the above objectives, features and advantages of the present invention more obvious and understandable, the present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments.
[0029] The embodiment of the present invention proposes a business risk assessment method based on weight accumulation, in view of the fact that it is difficult for the existing risk control system to make full use of all triggered rule information and that manually setting rule priorities is time-consuming and labor-intensive. For example, this method first trains on the data obtained from the existing risk control system using the logistic regression algorithm to obtain the model weights, and then converts the model weights into sub-rule scores in the form of weight accumulation according to the risk level of each sub-rule. Within the same type of rule, the low-level scores are accumulated into the high-level scores to ensure that the high-level scores are greater than the low-level scores, so as to achieve the purpose of automatically setting the rule scores.
[0030] Referring to Figure 2, which is a flowchart of a business risk assessment method provided by an embodiment of the present invention, the method includes:
[0031] S201: Receive business data to be evaluated, and identify a set of risk behavior rules matching the business data according to a preset risk rule engine.
[0032] The service data includes but is not limited to registration service data, login service data, authentication service data, and/or activity anti-brush service data, etc.
[0033] As mentioned above, the risk system generally includes a risk rule engine. In this step, the risk rule engine can be used to match each risk behavior rule corresponding to the business data to form a rule set based on malicious user information in the secure data warehouse. Among them, account information includes but is not limited to mobile phone number, IP, user name; operation behavior information includes but not limited to frequent logins, for example, frequent logins/accesses using the same IP address, multiple logins/accesses with incorrect passwords, etc.
[0034] It can be seen that risk behavior rules refer to rules generated based on malicious user account information or operational behavior information. For example, risk behavior rules include but are not limited to: malicious user login/access, frequent login/access to the same address, frequent login/access with incorrect passwords, and so on.
[0035] S202: For multiple rules in the rule set, evaluate the risk score corresponding to each rule according to a pre-established risk assessment model.
[0036] Preferably, the above method further includes the step of establishing the risk assessment model. Specifically, the process of establishing the risk assessment model includes: obtaining sample data; training on the obtained sample data to obtain the model weight of each rule; transforming the model weight of each rule into a score through linear mapping; according to the risk of the trigger frequency of each sub-rule of a rule, sequentially accumulating the scores of the sub-rules to obtain the score of the rule; and setting the total risk score thresholds corresponding to different risk levels.
[0037] Preferably, a logistic regression algorithm is used to train on the sample data. Logistic regression is essentially a classification algorithm that uses a sigmoid function to map the linear weighted result of the features to a value between 0 and 1, which can be regarded as the probability that the data sample point belongs to a certain class. The closer the result is to 0 or 1, the more reliable the classification result is.
[0038] S203: Accumulate the risk scores corresponding to multiple rules, and compare the sum of the accumulated risk scores with preset risk total score thresholds of each risk level to determine the risk level of the business data.
[0039] For the convenience of understanding, a simple example of the above scheme is as follows. First, the business data to be evaluated matches 3 rules: rule1, rule2, rule3 (S201). Then, the risk scores corresponding to the rules are score1, score2, and score3 (S202). Finally, the risk scores corresponding to the three rules are added to obtain sum_score (sum_score=score1+score2+score3), and sum_score is compared with the preset total risk score thresholds of the risk levels (S203). For example, assuming that there are three risk levels, level1, level2, and level3, and that these three risk levels correspond to different total risk score thresholds (generally, the higher the risk level, the higher the total score threshold), comparing sum_score with the total score threshold of each level determines which level the business data belongs to.
[0040] The following describes the embodiment of the present invention with a practical example.
[0041] This example can be applied to services such as registration, login, authentication, and activity anti-brushing on video websites. Take the login service: a malicious user may use user names and passwords leaked on the Internet to attempt brute-force logins. The IP, User_agent, device_id, access frequency, and number of user names and passwords tried are determined, all the rules triggered by them are identified, and the risk level of the malicious user's access is then determined by the method of the embodiment of the present invention so that it can be intercepted.
[0042] Referring to Figure 3, which is a schematic diagram of the principle of an example of a business risk assessment method provided by an embodiment of the present invention.
[0043] First, the modules involved in Figure 3 are introduced as follows.
[0044] Labeling data set: The sample data provided by the existing risk control system can be used. The sample data is mainly the user behavior data of each business, the set of all rules that the existing risk control system hits on that user behavior, and a label indicating whether there is risk. For example, for user login data, if it hits the rule set with IP high-frequency access and an IP password error rate higher than the threshold, it is marked as "risky";
[0045] Regression training module: It is mainly used to train on the labeled data set of the existing risk control system to obtain the model weight of each rule under the risky label and the risk-free label, for example: "IP high-frequency access rule, risky, weight 2.112345", which means that the rule has a higher weight under the risky label, indicating that the risk level of this rule is higher;
[0046] Model weight conversion score module: Because the model weights are all decimals, such as 0.01234, which is not conducive to human judgment, they are converted into scores through linear mapping, such as 0 to 100 points;
[0047] Same-type rule weight accumulation module: In the existing risk control system, a given rule may correspond to different risk levels depending on its trigger frequency. For example, the IP access rule may correspond to a high risk level or a low risk level according to its frequency, and this is regarded as two sub-rules of the same type in the existing risk control system: the IP high-frequency access rule and the IP low-frequency access rule. Therefore, in order to ensure that the risk level of same-type sub-rules increases with their numerical range, the score weights are accumulated: for example, the IP intermediate-frequency rule score accumulates the IP low-frequency rule score, and the IP high-frequency rule score accumulates the IP intermediate-frequency rule score;
[0048] Risk control scoring module: For a given piece of user behavior data in the business data to be evaluated, all the rules triggered by it are identified and the scores of these rules are accumulated; the total score is then compared with the preset thresholds to output the risk level.
[0049] Below, the specific steps of this example will be illustrated as follows.
[0050] S1: Use the existing risk control system to mark data set D as risky and non-risk, and at the same time mark the sub-rules triggered by each piece of data in a binary manner;
[0051] S2: Use the logistic regression algorithm to train D with L2 regularization to obtain the model weight β. In the following formula, y represents whether there is risk, and x represents the triggered rule;
[0052]
[0053]
[0054]
[0055] S3: Map β to the score s of each sub-rule through linear mapping, and at the same time correct the weight with a lower weight according to the default level of each rule;
[0056] $s = A\beta$
[0057] S4: Accumulate the low-level points of the same type of rules to the high level in order to ensure that the high-level points of the same type of rules are greater than the low levels. For example, there are three levels 1, 2, and 3 for the same type of rules, and the scores are as follows:
[0058] $s_1 = A\beta_1$
[0059] $s_2 = s_1 + A\beta_2$
[0060] $s_3 = s_2 + A\beta_3$
[0061] S5: Set the ratio of different levels of data a priori to obtain the boundary value S of the total score of different levels;
[0062] $S = s_1 x_1 + s_2 x_2 + \dots + s_n x_n$
[0063] S6: Accumulate the scores of the rules triggered by the abnormal behavior data to determine the risk level.
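Steps S1 to S6, which also realise the S201 to S203 flow, as an added Python example that is not code from the patent. The rule names, the sample counts, the choice A = 100/max(β), the one-point minimum step standing in for the unspecified low-weight correction, the 60/25/15 level shares, and the reading of S5 as quantiles of the training totals are all assumptions.

```python
import math

# Constructed labelled data (S1): (sub-rules hit, risky count, safe count).
SAMPLES = [
    ((), 0, 6), (("ip_low",), 1, 4),
    (("ip_mid",), 2, 2), (("ip_high",), 3, 1),
    (("pwd_err",), 2, 2), (("ip_low", "pwd_err"), 1, 1),
    (("ip_mid", "pwd_err"), 3, 0), (("ip_high", "pwd_err"), 3, 0),
]
# Hypothetical rule types; sub-rules ordered from lowest to highest level.
FAMILIES = {"ip_freq": ["ip_low", "ip_mid", "ip_high"], "pwd_err": ["pwd_err"]}
RULES = [r for fam in FAMILIES.values() for r in fam]

def expand(samples):
    """Turn the compact table into binary feature rows X and labels y."""
    X, y = [], []
    for hit, risky, safe in samples:
        row = [1.0 if r in hit else 0.0 for r in RULES]
        X += [row] * (risky + safe)
        y += [1] * risky + [0] * safe
    return X, y

def train_logreg(X, y, l2=0.01, lr=0.5, epochs=3000):
    """S2: L2-regularised logistic regression by batch gradient descent."""
    n, d = len(X), len(X[0])
    bias, beta = 0.0, [0.0] * d
    for _ in range(epochs):
        g_bias, g_beta = 0.0, [0.0] * d
        for row, label in zip(X, y):
            z = bias + sum(b * x for b, x in zip(beta, row))
            err = 1.0 / (1.0 + math.exp(-z)) - label  # sigmoid(z) - y
            g_bias += err
            g_beta = [g + err * x for g, x in zip(g_beta, row)]
        bias -= lr * g_bias / n  # the intercept is not regularised
        beta = [b - lr * (g / n + l2 * b) for b, g in zip(beta, g_beta)]
    return bias, dict(zip(RULES, beta))

def rule_scores(beta, families, top=100.0, min_step=1.0):
    """S3 + S4: s = A*beta, then accumulate low levels into high levels."""
    biggest = max(beta.values())
    A = top / biggest if biggest > 0 else 0.0
    scores = {}
    for levels in families.values():
        running = 0.0
        for name in levels:
            # Assumed low-weight correction: each level adds at least min_step,
            # so a higher level always scores above the level below it.
            running += max(A * beta[name], min_step)
            scores[name] = running
    return scores

def total_score(hit, scores):
    """S6: sum the scores of every triggered sub-rule."""
    return sum(scores[r] for r in hit)

def level_thresholds(totals, shares_pct):
    """S5: boundaries from a-priori shares of data per level (low to high)."""
    ordered, n, cum, bounds = sorted(totals), len(totals), 0, []
    for pct in shares_pct[:-1]:
        cum += pct
        bounds.append(ordered[min(cum * n // 100, n - 1)])
    return bounds

def risk_level(total, bounds):
    """Level 1 is the lowest; each boundary reached raises the level by one."""
    return 1 + sum(total >= b for b in bounds)

def build_model(samples=SAMPLES, shares_pct=(60, 25, 15)):
    X, y = expand(samples)
    _, beta = train_logreg(X, y)
    scores = rule_scores(beta, FAMILIES)
    totals = [total_score(h, scores) for h, r, s in samples for _ in range(r + s)]
    return beta, scores, level_thresholds(totals, shares_pct)

if __name__ == "__main__":
    beta, scores, bounds = build_model()
    for hit in [(), ("ip_low",), ("ip_high", "pwd_err")]:
        total = total_score(hit, scores)
        print(hit, round(total, 1), "level", risk_level(total, bounds))
```

Because every triggered sub-rule contributes to the total, a request that hits both a high-frequency IP rule and the password-error rule lands in a higher level than either rule alone would place it, which is the behaviour a single-rule priority scheme cannot express.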
[0064] It can be seen that the business risk control method based on weight accumulation provided by the embodiment of the present invention no longer relies only on a single rule triggered by an abnormal behavior, but makes the risk judgment by accumulating the scores of all the rules triggered by the abnormal behavior across multiple dimensions. Moreover, there is no need to manually set the priority of each rule. Instead, the model is obtained by training on the data of the existing risk control system, and then, according to the risk level of each sub-rule, the model weights are converted into rule scores in the form of weight accumulation, thereby automatically setting the rule scores and outputting the risk level. Compared with the prior-art risk control method that relies only on a single rule, the present invention improves the generalization ability of the risk control system; compared with manually setting the priority of rules in the prior art, the present invention improves the processing efficiency.
[0065] It should be noted that, for the sake of simple description, the method embodiments are all expressed as a series of action combinations, but those skilled in the art should know that the embodiments of the present invention are not limited by the described sequence of actions, because according to the embodiments of the present invention, certain steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
[0066] Referring to Figure 4, which is a schematic structural diagram of a business risk assessment device provided by an embodiment of the present invention, the device includes: a business data processing unit 401, a risk score evaluation unit 402, and a risk level determination unit 403.
[0067] The business data processing unit 401 is configured to receive business data to be evaluated, and identify a set of rules matching the business data according to a preset risk rule engine.
[0068] The service data includes but is not limited to registration service data, login service data, authentication service data, and/or activity anti-brush service data, etc. Risk behavior rules refer to risk behavior rules generated based on malicious user account information or operational behavior information. For example, risk behavior rules include but are not limited to: malicious user login/access, frequent login/access to the same address, frequent login/access with incorrect passwords, and many more.
[0069] The risk score evaluation unit 402 is configured to evaluate the risk score corresponding to each rule according to a pre-established risk evaluation model for multiple rules in the rule set;
[0070] The risk level determining unit 403 is configured to accumulate the risk scores corresponding to multiple rules, and compare the accumulated total risk score with the preset total risk score thresholds for each risk level to determine the risk level of the business data.
[0071] Preferably, the device further includes: a risk assessment model establishment unit 404, configured to establish the risk assessment model. The risk assessment model establishment unit 404 is specifically configured to: obtain sample data; train on the obtained sample data to obtain the model weight of each rule; convert the model weight of each rule into a score through linear mapping; accumulate the scores of the same type of rules according to the risk of the trigger frequency of the same-type sub-rules; and set the total risk score thresholds corresponding to different risk levels.
[0072] Preferably, the risk assessment model establishment unit 404 is specifically configured to perform logistic regression training on the acquired sample data to obtain the model weight of each rule. Logistic regression is essentially a classification algorithm that uses a sigmoid function to map the linear weighted result of the features to a value between 0 and 1, which can be regarded as the probability that the data sample point belongs to a certain class. The closer the result is to 0 or 1, the more reliable the classification result is.
[0073] Preferably, the business data processing unit 401 is specifically configured to: use the risk rule engine to match each risk behavior rule corresponding to the business data, based on malicious user account information or operation behavior information in the secure data warehouse, to form the rule set.
[0074] As mentioned above, the risk system generally includes a risk rule engine. In this step, the risk rule engine can be used to match each risk behavior rule corresponding to the business data to form a rule set based on malicious user information in the secure data warehouse. Among them, account information includes but is not limited to mobile phone number, IP, user name; operation behavior information includes but not limited to frequent logins, for example, frequent logins/accesses using the same IP address, multiple logins/accesses with incorrect passwords, etc.
[0075] Referring to Figure 5, which is a schematic structural diagram of a risk control system provided by an embodiment of the present invention, the system includes: a business processing device 501, a service access device 502, a risk rule engine 503, a secure data warehouse 504, and an interception processing device 505. In particular, the system also includes a risk assessment device 506, wherein:
[0076] The service processing device 501 connects service data to the risk rule engine 503 through the service access model 502;
[0077] The risk rule engine 503 matches various risk behavior rules corresponding to the business data to form a risk rule set according to malicious user account information or operation behavior information in the secure data warehouse 504;
[0078] The risk assessment device 506 is used to evaluate, for multiple rules in the rule set, the risk score corresponding to each rule according to a pre-established risk assessment model, to accumulate the risk scores corresponding to the multiple rules, and to compare the accumulated total risk score with the preset total risk score threshold of each risk level to determine the risk level of the business data;
[0079] The interception processing device 505 is used to intercept the business data based on the preset interception strategy according to the risk level of the business data.
[0080] Preferably, the risk assessment device 506 is also used for establishing a risk assessment model, specifically: obtaining sample data; training on the obtained sample data to obtain the model weight of each rule; converting the model weight of each rule into a score; according to the risk of the trigger frequency of each sub-rule of the rule, sequentially accumulating the scores of the sub-rules to obtain the score of the rule; and setting the total risk score thresholds corresponding to different risk levels.
[0081] Preferably, the service data includes: registration service data, login service data, authentication service data, and/or activity anti-brushing service data; the risk behavior rule refers to a risk behavior rule generated based on malicious user account information or operational behavior information.
[0082] As for the device embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant part can refer to the part of the description of the method embodiment.
[0083] The various embodiments in this specification are described in a progressive manner. Each embodiment focuses on the differences from other embodiments, and the same or similar parts between the various embodiments can be referred to each other.
[0084] Those skilled in the art should understand that the embodiments of the embodiments of the present invention may be provided as methods, devices, or computer program products. Therefore, the embodiments of the present invention may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the embodiments of the present invention may take the form of computer program products implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes.
[0085] The embodiments of the present invention are described with reference to the flowcharts and/or block diagrams of the methods, terminal devices (systems), and computer program products according to the embodiments of the present invention. It should be understood that each process and/or block in the flowchart and/or block diagram, and combinations of processes and/or blocks in the flowchart and/or block diagram, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing terminal equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal equipment produce a device for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
[0086] These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device. The instruction device implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
[0087] These computer program instructions can also be loaded onto a computer or other programmable data processing terminal equipment, so that a series of operation steps are executed on the computer or other programmable terminal equipment to produce computer-implemented processing, so that the instructions executed on the computer or other programmable terminal equipment provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
[0088] Although the preferred embodiments of the embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn the basic creative concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications falling within the scope of the embodiments of the present invention.
[0089] Finally, it should be noted that in this article, relational terms such as first and second are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply that there is any such actual relationship or sequence between these entities or operations. Moreover, the terms "include", "comprise" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or terminal device including a series of elements not only includes those elements, but also includes other elements that are not explicitly listed, or also includes elements inherent to this process, method, article or terminal device. If there are no more restrictions, the element defined by the sentence "including a..." does not exclude the existence of other same elements in the process, method, article or terminal device that includes the element.
[0090] The above provides a detailed introduction to the scheduling method and system of a relational database provided by the present invention. Specific examples are used in this article to explain the principles and implementation of the present invention. The description of the above embodiments is only used to help understand the method of the present invention and its core idea; at the same time, for those skilled in the art, according to the idea of the present invention, there will be changes in the specific implementation and the scope of application. In summary, the content of this specification should not be understood as a limitation of the present invention.