Data transfer request processing method, apparatus, device, and storage medium

By acquiring the data transfer attribute characteristics, target behavior characteristics, and behavior timing characteristics of the terminal, a state category prediction model is constructed, which solves the problem of accuracy in judging the terminal loss state, and realizes the interception of illegal requests, thus protecting the economic interests of legitimate users and application developers.

CN113468142BActive Publication Date: 2026-06-26TENCENT TECHNOLOGY (SHENZHEN) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
TENCENT TECHNOLOGY (SHENZHEN) CO LTD
Filing Date
2021-07-05
Publication Date
2026-06-26

AI Technical Summary

Technical Problem

In existing technologies, the methods for determining whether a terminal is lost are limited and make it difficult to accurately determine whether a data transfer request is legitimate. This results in the inability to effectively intercept illegal requests, causing economic losses to legitimate users.

Method used

By acquiring the data transfer attribute characteristics, target behavior characteristics, and behavior timing characteristics of the terminal before abnormal behavior, a state category prediction model is constructed to determine the probability value of the terminal being in a lost state, and data transfer requests are processed based on the probability value.

Benefits of technology

Accurately determining whether a terminal is lost allows for the interception of illegal requests when the loss status is confirmed, preventing legitimate users from suffering economic losses and improving user experience and the scope of compensation for application providers.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN113468142B_ABST
    Figure CN113468142B_ABST
Patent Text Reader

Abstract

The application discloses a data transfer request processing method and device, equipment and a storage medium. The method comprises the following steps: receiving a data transfer request sent by a terminal; obtaining data transfer attribute characteristics, target behavior characteristics and behavior time sequence characteristics corresponding to the terminal; the data transfer attribute characteristics, the target behavior characteristics and the behavior time sequence characteristics are characteristics in a first preset time period before an abnormal behavior of the terminal, and the abnormal behavior is a behavior of the terminal in a second preset time period before the data transfer request; determining a probability value of the terminal being in a lost state according to the data transfer attribute characteristics, the target behavior characteristics and the behavior time sequence characteristics; and processing the data transfer request based on the probability value, wherein the probability value of the terminal being in the lost state can be determined by using an artificial intelligence technology. The application can accurately determine whether the terminal is in the lost state, so that an illegal data transfer request can be intercepted when it is determined that the terminal is in the lost state.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of Internet data processing technology, and in particular to a data transfer request processing method, apparatus, device and storage medium. Background Technology

[0002] When a user's mobile phone is lost, there is a risk that the password could be cracked and the user's account balance accessed, causing financial loss. Furthermore, some applications that store account balances are required to compensate users for these losses, resulting in financial losses for the application developers as well. To avoid this situation, related technologies typically rely on a few characteristics, such as the amount of data transferred, to determine whether the user making the data transfer request is legitimate. This approach is simplistic, unsystematic, and insufficient to accurately determine the legitimacy of the data transfer requester, thus failing to accurately determine whether the device is lost and to precisely intercept illegal data transfer requests.

[0003] Therefore, it is necessary to provide a data transfer request processing method, apparatus, device, and storage medium that can accurately determine whether a terminal is lost and process data transfer requests differently based on probability values; thereby, when it is determined that the terminal is lost, illegal data transfer requests can be intercepted to avoid economic losses to legitimate users of the terminal. Summary of the Invention

[0004] This application provides a data transfer request processing method, apparatus, device, and storage medium, which can accurately determine whether a terminal is lost and, when it is determined that the terminal is lost, intercept illegal data transfer requests, thereby avoiding economic losses to the legitimate users of the terminal.

[0005] On one hand, this application provides a data transfer request processing method, the method comprising:

[0006] Receive a data transfer request sent by the terminal;

[0007] The data transfer attribute features, target behavior features, and behavior timing features corresponding to the terminal are obtained; the data transfer attribute features, the target behavior features, and the behavior timing features are features within a first preset time period before the terminal exhibits abnormal behavior, and the abnormal behavior is the behavior of the terminal within a second preset time period before the data transfer request.

[0008] Based on the data transfer attribute characteristics, the target behavior characteristics, and the behavior timing characteristics, determine the probability value that the terminal is in a lost state;

[0009] The data transfer request is processed based on the probability value.

[0010] On the other hand, a data transfer request processing apparatus is provided, the apparatus comprising:

[0011] The data transfer request receiving module is used to receive data transfer requests sent by the terminal.

[0012] The feature acquisition module is used to acquire the data transfer attribute features, target behavior features, and behavior timing features corresponding to the terminal; the data transfer attribute features, the target behavior features, and the behavior timing features are features within a first preset time period before the terminal exhibits abnormal behavior, and the abnormal behavior is the behavior of the terminal within a second preset time period before the data transfer request.

[0013] The probability value determination module is used to determine the probability value that the terminal is in a lost state based on the data transfer attribute characteristics, the target behavior characteristics, and the behavior time sequence characteristics.

[0014] The request processing module is used to process the data transfer request based on the probability value.

[0015] On the other hand, a data transfer request processing device is provided, the device including a processor and a memory, the memory storing at least one instruction or at least one program, the at least one instruction or the at least one program being loaded and executed by the processor to implement the data transfer request processing method as described above.

[0016] On the other hand, a computer storage medium is provided that stores at least one instruction or at least one program, which is loaded and executed by a processor to implement the data transfer request processing method as described above.

[0017] On the other hand, a computer program product or computer program is provided, which includes computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium, executes the computer instructions, and causes the computer device to perform the data transfer request processing method as described above.

[0018] The data transfer request processing method, apparatus, device, and storage medium provided in this application have the following technical advantages:

[0019] After receiving a data transfer request from a terminal, this application obtains data transfer attribute characteristics, target behavior characteristics, and behavior timing characteristics within a first preset time period prior to any abnormal behavior by the terminal. Abnormal behavior refers to the terminal's behavior within a second preset time period prior to the data transfer request. By using the data transfer attribute characteristics, target behavior characteristics, and behavior timing characteristics, the probability value of the terminal being in a lost state is determined. This allows for accurate judgment of whether the terminal is in a lost state, and different processing of the data transfer request is applied based on the probability value. Therefore, when it is determined that the terminal is in a lost state, illegal data transfer requests can be intercepted, preventing economic losses to legitimate users of the terminal. Attached Figure Description

[0020] To more clearly illustrate the technical solutions and advantages in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0021] Figure 1 This is a schematic diagram of a data transfer request processing system provided in an embodiment of this application;

[0022] Figure 2 This is a flowchart illustrating a data transfer request processing method provided in an embodiment of this application;

[0023] Figure 3 This is a flowchart illustrating a method for obtaining data transfer attribute features, target behavior features, and behavior timing features corresponding to a terminal, provided in an embodiment of this application.

[0024] Figure 4 This is a flowchart illustrating a method for determining the probability value of a terminal being lost, as provided in an embodiment of this application.

[0025] Figure 5 This is a flowchart illustrating a method for determining target features provided in an embodiment of this application;

[0026] Figure 6 This is a flowchart illustrating a method for processing the aforementioned data transfer request based on probability values, provided in an embodiment of this application.

[0027] Figure 7 This is a flowchart illustrating another method for processing the above-mentioned transaction request based on probability values, provided in an embodiment of this application.

[0028] Figure 8This is a flowchart illustrating a method for processing the aforementioned data transfer request based on the aforementioned risk score, provided in an embodiment of this application.

[0029] Figure 9 This is a schematic diagram of the structure of a blockchain system provided in an embodiment of this application;

[0030] Figure 10 This is a schematic diagram of the block structure provided in an embodiment of this application;

[0031] Figure 11 This is a flowchart illustrating the storage method for data transfer attribute features, target behavior features, and behavior temporal features provided in the embodiments of this application;

[0032] Figure 12 This is a schematic diagram of the structure of a data transfer request processing device provided in an embodiment of this application;

[0033] Figure 13 This is a schematic diagram of the structure of a server provided in an embodiment of this application. Detailed Implementation

[0034] Artificial Intelligence (AI) is the theory, methods, technology, and application systems that use digital computers or machines controlled by digital computers to simulate, extend, and expand human intelligence, perceive the environment, acquire knowledge, and use that knowledge to achieve optimal results. In other words, AI is a comprehensive technology within computer science that attempts to understand the essence of intelligence and produce a new kind of intelligent machine that can react in a way similar to human intelligence. AI studies the design principles and implementation methods of various intelligent machines, enabling them to have perception, reasoning, and decision-making capabilities. AI technology is a comprehensive discipline involving a wide range of fields, encompassing both hardware and software technologies. Fundamental AI technologies generally include sensors, dedicated AI chips, cloud computing, distributed storage, big data processing, operating / interactive systems, and mechatronics. AI software technologies mainly include computer vision, speech processing, natural language processing, as well as machine learning / deep learning, autonomous driving, and intelligent transportation.

[0035] Specifically, the solutions provided in this application relate to the field of machine learning in artificial intelligence. Machine learning (ML) is a multidisciplinary field involving probability theory, statistics, approximation theory, convex analysis, algorithm complexity theory, and many other disciplines. It specifically studies how computers can simulate or implement human learning behavior to acquire new knowledge or skills and reorganize existing knowledge structures to continuously improve their performance. Machine learning is the core of artificial intelligence and the fundamental way to endow computers with intelligence; its applications span all areas of artificial intelligence. This application can construct a state category prediction model through machine learning to predict the lost state of a terminal.

[0036] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of this application.

[0037] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or server that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or devices.

[0038] Please see Figure 1 , Figure 1 This is a schematic diagram of a data transfer request processing system provided in an embodiment of this application, such as... Figure 1 As shown, the data transfer request processing system may include at least server 01 and client 02.

[0039] Specifically, in the embodiments of this specification, server 01 may include a standalone server, a distributed server, or a server cluster composed of multiple servers. It may also be a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms. Server 01 may include a network communication unit, a processor, and a memory, etc. Specifically, server 01 can be used to process data transfer requests issued by client 02 based on the probability value that client 02 is in a lost state.

[0040] Specifically, in this embodiment of the specification, the client 02 may include physical devices such as smartphones, desktop computers, tablets, laptops, digital assistants, smart wearable devices, smart speakers, in-vehicle terminals, and smart TVs, but is not limited to these. It may also include software running on the physical device, such as web pages provided to users by some service providers, or applications provided to users by such service providers. Specifically, the client 02 can be used to send data transfer requests to the server 01.

[0041] The following describes a data transfer request processing method according to this application. Figure 2 This is a flowchart illustrating a data transfer request processing method provided in an embodiment of this application. This specification provides the operational steps of the method as described in the embodiments or flowcharts, but based on conventional or non-inventive methods, more or fewer operational steps may be included. The order of steps listed in the embodiments is merely one possible execution order among many and does not represent the only possible execution order. In actual system or server product execution, the method can be executed sequentially or in parallel (e.g., in a parallel processor or multi-threaded processing environment) as shown in the embodiments or accompanying drawings. Specifically, as... Figure 2 As shown, this method is applied in a server, and the method may include:

[0042] S201: Receive a data transfer request sent by the terminal.

[0043] In the embodiments described in this specification, a data transfer request may be a transfer request or a payment request; the data transfer request may be a request sent by a target application in the terminal, and the target application may be an application with transfer and / or payment functions.

[0044] S203: Obtain the data transfer attribute features, target behavior features, and behavior timing features corresponding to the aforementioned terminal; the aforementioned data transfer attribute features, target behavior features, and behavior timing features are features within a first preset time period before the aforementioned terminal exhibits abnormal behavior, and the aforementioned abnormal behavior is the behavior of the aforementioned terminal within a second preset time period before the aforementioned data transfer request.

[0045] In the embodiments of this specification, abnormal behavior can be sensitive behavior, including repeatedly entering the wrong password, repeatedly binding a bank card, and repeatedly changing the password. When abnormal behavior occurs in the second preset time period before the data transfer request, it indicates that the operator of the terminal is likely not a legitimate user, that is, the terminal is likely in a lost state. At this time, the characteristics of the terminal in the first preset time period before the abnormal behavior are obtained to determine whether the terminal is in a lost state.

[0046] In the embodiments of this specification, data transfer attribute features may include features such as data transfer time, data transfer amount, and data transfer frequency; target behavior features may include actions such as clicking on the wallet, the nine-square grid, payment management, viewing bank cards, clicking on the back of the card (bank card logo), and adding a bank card within the payment page; behavior sequence features may include the sequence of the target behavior and related behaviors. For example, before clicking on the wallet or entering a password, an unauthorized user may query information such as payment password and bank card password in files such as the terminal's memo, thereby determining whether the terminal is lost based on the behavior sequence features. In this application, by combining the terminal's corresponding data transfer attribute features, target behavior features, and behavior sequence features, the terminal's status information can be accurately determined, that is, whether the operator corresponding to the terminal is an unauthorized user can be accurately determined.

[0047] Both the first and second preset time periods can be set according to actual conditions. For example, the first preset time period can be 20 minutes, 30 minutes, etc., and the second preset time period can be 5 minutes, 10 minutes, etc. The first and second preset time periods can be the same or different.

[0048] In the embodiments of this specification, data transfer attribute features, target behavior features, and behavior timing features can be features in the target application; the local server may include a near real-time risk control system, a cache database, and offline data tables; such as Figure 3 As shown, obtaining the data transfer attribute features, target behavior features, and behavior timing features corresponding to the aforementioned terminal may include:

[0049] S2031: The terminal sends multiple click behavior data to the risk control near real-time system (TSSD) through the target application;

[0050] In the embodiments of this specification, in order to ensure the accuracy and integrity of the data, the risk control near real-time system can compare the sampled click behavior with the actual click behavior. When the comparison is consistent, the risk control near real-time system saves the received click behavior data.

[0051] In the embodiments of this specification, for the target application, the amount of click data is extremely large, reaching up to 2 billion times per day. In order to reduce the frequency of interface interaction, a preset number of click behavior data corresponding to each click behavior can be sent to the risk control near real-time system each time. This ensures that the TSSD interface can handle the load and avoids interface failure due to excessive data volume. The preset number can be set according to the actual situation. For example, it can be set to transmit data via UDP protocol once for every 10 click behaviors.

[0052] S2033: The risk control near real-time system statistically analyzes the multiple click behavior data, calculates the number of clicks for each click behavior within a preset time period, and thus determines the data transfer attribute characteristics, target behavior characteristics, and behavior time sequence characteristics;

[0053] In the embodiments of this specification, the preset time period can be 24 hours, 12 hours, 6 hours, 1 hour, etc. Click behavior data refers to the data corresponding to the user's click behavior in the target application; the target application can be one or more, and the click behavior can include a first click behavior for determining the data transfer value, a second click behavior for determining the recipient's account, a third click behavior for entering a password, a fourth click behavior for viewing a memo and / or retrieving a password from an email, etc.; during the user's data transfer process, the number of times each click behavior is performed is calculated in real time.

[0054] In the embodiments of this specification, data transfer attribute features may include features such as the data transfer value determined based on the click behavior and the recipient account; target behavior features may include features such as the first click behavior, the second click behavior, the third click behavior, the fourth click behavior, and the number of times each click behavior occurs; behavior timing features may be the click time features corresponding to the third click behavior and the fourth click behavior. For example, when the clicking user is an illegal user, the recipient account they input may be multiple, and the data transfer value may be large; the corresponding number of third click behaviors may be multiple, and multiple fourth click behaviors may occur when the third click behavior occurs.

[0055] S2035: The near real-time risk control system writes back data transfer attribute characteristics, target behavior characteristics, and behavior time series characteristics to the cache database (ckv);

[0056] In the embodiments described in this specification, there will be a delay in writing back from TSSD to CKV. The delay time can be shortened to the maximum extent, for example, by 15 seconds.

[0057] S2037: Taking data transfer orders as the dimension, the cache database sends the data transfer attribute characteristics, target behavior characteristics, and behavior time sequence characteristics in the cache database to the offline data table (twd);

[0058] In the embodiments of this specification, since the storage space of the cache database is limited and new data will continuously overwrite old data, it is necessary to send the data in the cache database to an offline data table for long-term storage.

[0059] In a specific embodiment, the storage method for data transfer attribute features, target behavior features, and behavior temporal features is as follows: Figure 9 As shown, the WeChat application transmits the corresponding click behavior data to the near real-time system. If the data access is slow, other data transfer dimensions and features can be selected for data transmission. The data is then written back to the cache database through the near real-time system. In practical applications, the write-back can be triggered by sensitive behaviors. Finally, the data is stored in the offline data table (twd).

[0060] In the embodiments of this specification, before obtaining the data transfer attribute features, target behavior features, and behavior timing features corresponding to the aforementioned terminal, the method further includes:

[0061] Determine whether the terminal exhibited any abnormal behavior during a second preset time period prior to the aforementioned data transfer request;

[0062] In some embodiments, if no abnormal behavior is observed, the above method further includes:

[0063] The above data transfer request will be responded to and processed.

[0064] In the embodiments of this specification, obtaining the data transfer attribute characteristics, target behavior characteristics, and behavior timing characteristics corresponding to the terminal includes:

[0065] If abnormal behavior is found, the data transfer attribute characteristics, target behavior characteristics, and behavior timing characteristics of the aforementioned terminal during the first preset time period prior to the abnormal behavior are obtained.

[0066] In the embodiments of this specification, when the terminal exhibits abnormal behavior, it is possible to quickly and accurately determine whether the terminal is in a lost state based on the data transfer attribute characteristics, target behavior characteristics, and behavior timing characteristics corresponding to the terminal.

[0067] S205: Based on the above data transfer attribute characteristics, the above target behavior characteristics, and the above behavior timing characteristics, determine the probability value that the above terminal is in a lost state.

[0068] In the embodiments of this specification, a terminal being in a lost state means that the current operator corresponding to the terminal is an unauthorized user. Based on the probability value of the terminal being in a lost state, it can be determined whether an unauthorized user is operating the terminal, thereby facilitating the subsequent interception of unauthorized data transfer requests.

[0069] In some embodiments, such as Figure 4 As shown, the aforementioned data transfer attribute features, target behavior features, and behavior timing features are all multiple. The determination of the probability value that the terminal is in a lost state based on the aforementioned data transfer attribute features, target behavior features, and behavior timing features includes:

[0070] S2051: Determine the target features based on multiple data transfer attribute features, multiple target behavior features, and multiple behavior time sequence features;

[0071] In some embodiments, such as Figure 5 As shown, the target features are determined based on multiple data transfer attribute features, multiple target behavior features, and multiple behavior time series features, including:

[0072] S20511: Calculate the information value of each data transfer attribute feature, each target behavior feature, and each behavior temporal feature. The above information value represents the predictive ability of the feature to predict the state category of the above terminal.

[0073] S20513: Based on the above information values, determine the above target features.

[0074] In the embodiments described in this specification, the information value primarily measures the correlation between a binary target variable and a categorical variable, serving as an indicator of the variable's predictive ability in model development. A feature with a larger information value has stronger predictive power.

[0075] Specifically, in the embodiments of this specification, determining the target feature based on the aforementioned information values ​​includes:

[0076] Among multiple data transfer attribute features, multiple target behavior features, and multiple behavior time series features, the feature whose information value is greater than a preset information threshold is identified as the target feature.

[0077] In the embodiments of this specification, features with strong predictive ability can be identified as target features by setting a preset information threshold.

[0078] Specifically, in the embodiments of this specification, determining the target feature based on the aforementioned information values ​​includes:

[0079] Based on the information values ​​of each data transfer attribute feature, each target behavior feature, and each behavior time sequence feature, the priority of each data transfer attribute feature, each target behavior feature, and each behavior time sequence feature is determined.

[0080] Among multiple data transfer attribute features, multiple target behavior features, and multiple behavior time series features, the feature with a priority greater than the preset level is determined as the target feature.

[0081] In the embodiments of this specification, priorities can be set from high to low based on the information value corresponding to each feature, thereby determining the target feature based on the feature priority; features with information values ​​within a preset range can be set to the same priority. For example, based on the required number of target features, one or more features with higher priority levels can be determined as target features.

[0082] In the embodiments of this specification, the specific calculation method for the information value is as follows:

[0083] As shown in Table 1 below, assume there is a categorical or binned independent variable x with three categories A, B, and C, and a binary dependent variable y of 0 and 1. The frequency distributions are as follows: the first column is the value of x, the second and third columns are the number of rows for each value of x when y is 0 or 1, P_0 is the proportion of y = 0 for a certain value of x, for example, when x = A, P_0 = 100 / 600, P_1 is the proportion of y = 1 for a certain value of x, and the last column is the logarithm of P_0 divided by P_1.

[0084] Table 1 Frequency Distribution Table

[0085]

[0086]

[0087] The formula for calculating the information value obtained from the frequency distribution table above is as follows:

[0088]

[0089] Where IV is the information value, P0i is P_0 in the i-th row of the table, and the information value is actually the weighted sum of the logarithms of the proportions of terminals in the safe state and the lost state corresponding to each x. In this example, the information value is 0.5348.

[0090] In this embodiment, the correspondence between information values ​​and predictive capabilities is shown in Table 2 below:

[0091] Table 2: Information Value Range & Variable Predictive Power

[0092] Information value range Predictability <-0.02 Unpredictable 0.02-0.10 weak 0.10-0.30 medium >0.30 powerful

[0093] S2053: Based on the above target characteristics, determine the probability value that the above terminal is in a lost state.

[0094] In some embodiments, determining the probability value that the terminal is in a lost state based on the target characteristics includes:

[0095] The aforementioned target features are input into the state category prediction model to obtain the probability value of the terminal being in a lost state; the aforementioned probability value represents the state category of the terminal, and the aforementioned state category prediction model is constructed based on the sample target features of sample terminals labeled with state category labels.

[0096] In some embodiments, the training method for the above-described state category prediction model includes:

[0097] Obtain the target features of sample terminals labeled with state category tags, including positive sample terminals and negative sample terminals;

[0098] Based on the above target features of the samples, a preset machine learning model is used to train the state category recognition of the above sample terminals.

[0099] In the state category recognition training, the model parameters of the above-mentioned preset machine learning model are adjusted until the state category label output by the above-mentioned preset machine learning model matches the target features of the input sample.

[0100] The machine learning model corresponding to the current model parameters is determined to be the state category prediction model mentioned above; the current model parameters are the model parameters when the output state category label matches the input sample target features.

[0101] In the embodiments of this specification, the preset machine learning model can be a logistic regression model. Logistic regression is a generalized linear regression analysis model and one of the discrete choice models. It is commonly used in data mining, credit prediction, and other fields. Compared with other models, it involves fewer features, has simpler algorithm logic, and shorter judgment time, which meets the requirement of quickly judging the risk of each data transfer in the case of massive data transfers in WeChat Pay. Alternatively, models such as Gradient Boosting Machine (gbm), eXtreme Gradient Boosting (xgboost), and Light Gradient Boosting Machine (lightgbm) can be used to replace the logistic regression model.

[0102] In the modeling samples, the labeled data comes from historical user complaints about lost mobile phones. After manual screening to eliminate moral hazard, these cases were deemed valid, and the data transfer slips from these cases were used as negative samples for model training, with a label value of 0. Normal data transfer slips from normal users (users who did not complain about lost phones) were used as positive samples for model training, with a label value of 1. In the labeled samples, the ratio of positive to negative samples used for model training is approximately 10:1, and the binary classification mode of the logistic regression model is used during training. Both positive and negative sample data can be obtained through an offline data table (twd).

[0103] In the embodiments described in this specification, during model training, the probability value can be calculated based on the target features using the following formula:

[0104]

[0105] Where x1 and x2 are target features, β1 and β2 are the coefficients corresponding to features x1 and x2 respectively, b and β0 are constants, b is a preset constant, p is the probability value, and l is the logistic regression index. During model training, the coefficients corresponding to the features and β0 are continuously adjusted to make l reach the target index, and the parameters corresponding to the target index are determined as model parameters.

[0106] In the embodiments of this specification, the characteristic coefficients β0, β1, and β2 can be determined using the maximum likelihood estimation algorithm. The principle of the maximum likelihood estimation algorithm is as follows:

[0107] Using known sample results, we can infer the parameters most likely to lead to such an outcome. When the model is defined but the parameters are unknown, we need to conduct several experiments, observe the results, and use the experimental results to determine a parameter value that maximizes the probability of the sample occurring. This is called "maximum likelihood estimation."

[0108] S207: Based on the above probability values, process the above data transfer request.

[0109] In some embodiments, the probability value can be any value between 0 and 1.

[0110] In some embodiments, such as Figure 6 As shown, the above-mentioned data transfer request is processed based on the above-mentioned probability value, including:

[0111] S2071: When the above probability value is greater than or equal to the preset probability threshold, the above data transfer request shall be intercepted.

[0112] In the embodiments of this specification, the preset probability threshold can be a critical value of the terminal state category, which can be set according to the actual situation.

[0113] In the embodiments described in this specification, such as Figure 6 As shown, the above-mentioned data transfer request is processed based on the above-mentioned probability value, including:

[0114] S2073: When the above probability value is less than the above preset probability threshold, the above data transfer request shall be responded to.

[0115] In the embodiments of this specification, the aforementioned data transfer attribute features, target behavior features, and behavior timing features can quickly and accurately determine whether the terminal is in a lost state, and can return whether to intercept within 20 milliseconds; and when it is determined that the terminal is in a lost state, the data transfer request is quickly intercepted, thereby effectively reducing the losses of legitimate terminal users and target application providers, allowing target application providers to increase the scope of compensation and improve user experience.

[0116] In the embodiments described in this specification, such as Figure 7 As shown, before processing the data transfer request based on the aforementioned probability value, the method further includes:

[0117] S206: Obtain the password acquisition method corresponding to the above data transfer request;

[0118] Accordingly, based on the aforementioned probability values, the aforementioned data transfer request is processed, including:

[0119] S20701: Based on the above password acquisition method, convert the above probability value into a risk score;

[0120] In the embodiments of this specification, the predictive capabilities of different features vary depending on the application scenario. Different application scenarios can be distinguished based on the password acquisition method, such as multiple password attempts or changing passwords after linking a bank card, and the probability value can be converted into a risk score. Abnormal password acquisition behavior (such as multiple password attempts or changing passwords after linking a bank card) serves as a condition to trigger the interception strategy. If the triggering condition is not met, the strategy does not make a judgment, avoiding unnecessary strategy judgment time during data transfer and reducing latency.

[0121] In the embodiments of this specification, the method for converting probability values ​​into risk scores includes:

[0122] 1) Convert by directly multiplying by 100 / 1000, etc.

[0123] 2) Traditional risk model scoring conversion methods in the credit industry:

[0124] This involves three parameters:

[0125] 1. Baseline Odds: These are the odds of default, corresponding one-to-one with the actual default probability. The default probability can be calculated from them. For example, if bad is 2 and good is 1, then Odds = bad / good = 2, and the default probability = bad / (bad + good) = 2 / (2 + 1) = 67%. Here, bad refers to illegal users, and good refers to legitimate users.

[0126] 2. Baseline score: The score corresponding to the baseline Odds.

[0127] 3. PDO: (Points to Double the Odds): The number of points that are reduced when the Odds are doubled.

[0128] Next, we can derive the formulas for calculating probability and fractions, as follows:

[0129]

[0130] To illustrate with specific figures, suppose the expected base score is 600, corresponding to an odds ratio (good to bad ratio) of 1:50. When the odds ratio doubles to 2:50, the credit score decreases by 20 points to 580 (PDO = 20). Therefore:

[0131]

[0132] Where A and B are constants.

[0133] S20703: Based on the above risk score, process the above data transfer request.

[0134] In some embodiments, the data transfer request is processed based on the aforementioned risk score, including:

[0135] Based on the aforementioned risk score and the attribute information corresponding to the data transfer request, the aforementioned data transfer request is processed.

[0136] In the embodiments of this specification, the attribute information corresponding to the data transfer request may include information such as the data transfer counterparty, time, and amount. For example, the score can be combined with the time to determine the prediction result. When the risk score is higher than a preset score threshold and the data transfer time is in the early morning, it can be determined that the terminal is in a lost state. The preset score threshold can be set according to the actual situation. This application can formulate strategies by combining the score with abnormal dimensions such as the data transfer recipient's account, time, amount, and frequency, and integrate the strategies under each sub-scenario into a unified strategy system for identifying that the terminal is in a lost state, thereby further improving the accuracy of identifying terminal status information.

[0137] In some embodiments, such as Figure 8As shown, the above-mentioned data transfer request is processed based on the aforementioned risk score, including:

[0138] S207031: Based on the above risk score, determine the status category of the above terminal, which includes lost status and non-lost status;

[0139] S207033: Process the data transfer request according to the status category of the terminal.

[0140] In the embodiments described in this specification, processing the data transfer request according to the state category of the terminal includes:

[0141] When the aforementioned terminal is lost, the aforementioned data transfer request will be intercepted.

[0142] When the aforementioned terminal is in a non-lost state, the aforementioned data transfer request is processed.

[0143] In the embodiments described in this specification, the method may further include:

[0144] The blockchain system stores the data transfer attribute characteristics, target behavior characteristics, and behavior time sequence characteristics corresponding to the terminal. The blockchain system includes multiple nodes, and the multiple nodes form a peer-to-peer network.

[0145] In some embodiments, the blockchain system can be Figure 9 The structure shown depicts a peer-to-peer (P2P) network formed by multiple nodes. The P2P protocol is an application layer protocol that runs on top of the Transmission Control Protocol (TCP). In a blockchain system, any machine, such as a server or terminal, can join and become a node. A node comprises a hardware layer, a middleware layer, an operating system layer, and an application layer.

[0146] Figure 9 The functions of each node in the blockchain system shown include:

[0147] 1) Routing: A basic function of nodes used to support communication between nodes.

[0148] In addition to routing capabilities, nodes can also have the following functions:

[0149] 2) Applications are deployed in the blockchain to implement specific business needs. They record data related to the implementation of functions to form record data, carry digital signatures in the record data to indicate the source of the task data, and send the record data to other nodes in the blockchain system. When other nodes successfully verify the source and integrity of the record data, they add the record data to a temporary block.

[0150] 3) A blockchain consists of a series of blocks that are sequentially generated. Once a new block is added to the blockchain, it will not be removed. The blocks contain the data submitted by the nodes in the blockchain system.

[0151] In some embodiments, the block structure can be Figure 10 The structure shown includes a hash value for each block containing the data transfer records stored in that block (the hash value of this block) and the hash value of the previous block. These blocks are linked together to form the blockchain. Additionally, blocks may include information such as a timestamp when they were generated. Essentially, a blockchain is a decentralized database, a chain of data blocks linked together using cryptographic methods. Each data block contains relevant information used to verify the validity of the information (anti-counterfeiting) and to generate the next block.

[0152] As can be seen from the technical solutions provided in the embodiments of this specification above, after receiving a data transfer request sent by a terminal, the embodiments of this specification obtain data transfer attribute characteristics, target behavior characteristics, and behavior timing characteristics within a first preset time period before the terminal exhibits abnormal behavior. Abnormal behavior refers to the terminal's behavior within a second preset time period before the data transfer request. By using the data transfer attribute characteristics, target behavior characteristics, and behavior timing characteristics, the probability value of the terminal being in a lost state is determined. This allows for accurate judgment of whether the terminal is in a lost state, and different processing of the data transfer request is applied based on the probability value. Therefore, when it is determined that the terminal is in a lost state, illegal data transfer requests can be intercepted, preventing economic losses to legitimate users of the terminal.

[0153] This application also provides a data transfer request processing apparatus, such as... Figure 12 As shown, the device includes:

[0154] The data transfer request receiving module 1210 is used to receive data transfer requests sent by the terminal.

[0155] The feature acquisition module 1220 is used to acquire the data transfer attribute features, target behavior features and behavior timing features corresponding to the terminal; the data transfer attribute features, target behavior features and behavior timing features are features within a first preset time period before the terminal exhibits abnormal behavior, and the abnormal behavior is the behavior of the terminal within a second preset time period before the data transfer request.

[0156] The probability value determination module 1230 is used to determine the probability value of the terminal being in a lost state based on the above-mentioned data transfer attribute characteristics, the above-mentioned target behavior characteristics and the above-mentioned behavior timing characteristics.

[0157] The request processing module 1240 is used to process the data transfer request based on the above probability value.

[0158] In some embodiments, the request processing module may include:

[0159] The interception processing unit is used to intercept the data transfer request when the probability value is greater than or equal to a preset probability threshold.

[0160] In some embodiments, the apparatus may further include:

[0161] The password retrieval method retrieval module is used to retrieve the password retrieval method corresponding to the above data transfer request;

[0162] The above request processing module may include:

[0163] The conversion unit is used to convert the above probability value into a risk score based on the above password acquisition method.

[0164] The data transfer request processing unit is used to process the data transfer request based on the aforementioned risk score.

[0165] In some embodiments, the data transfer request processing unit may include:

[0166] The status category determination subunit is used to determine the status category of the terminal based on the risk score mentioned above. The status category includes lost status and non-lost status.

[0167] The data transfer request processing subunit is used to process the data transfer request according to the status category of the terminal.

[0168] In some embodiments, the data transfer attribute features, the target behavior features, and the behavior time series features are all multiple, and the probability value determination module may include:

[0169] The target feature determination unit is used to determine target features based on multiple data transfer attribute features, multiple target behavior features, and multiple behavior time series features;

[0170] The first probability value determination unit is used to determine the probability value that the terminal is in a lost state based on the above target characteristics.

[0171] In some embodiments, the target feature determination unit may include:

[0172] The information value calculation subunit is used to calculate the information value of each data transfer attribute feature, each target behavior feature, and each behavior temporal feature. The information value represents the predictive ability of the feature to predict the state category of the terminal.

[0173] The target feature determination subunit is used to determine the target features based on the above information values.

[0174] In some embodiments, the probability value determination module described above may include:

[0175] The second probability value determination unit is used to input the above target features into the state category prediction model to obtain the probability value of the above terminal being in a lost state; the above probability value represents the state category of the above terminal, and the above state category prediction model is constructed based on the sample target features of sample terminals labeled with state category labels.

[0176] The apparatus and method embodiments described herein are based on the same inventive concept.

[0177] This application provides a data transfer request processing device, which includes a processor and a memory. The memory stores at least one instruction or at least one program, which is loaded and executed by the processor to implement the data transfer request processing method provided in the above method embodiments.

[0178] Embodiments of this application also provide a computer storage medium, which can be disposed in a terminal to store at least one instruction or at least one program related to implementing a data transfer request processing method in the method embodiment. The at least one instruction or at least one program is loaded and executed by the processor to implement the data transfer request processing method provided in the above method embodiment.

[0179] Embodiments of this application also provide a computer program product or computer program that includes computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes the computer instructions, causing the computer device to perform the data transfer request processing method as described above.

[0180] Optionally, in the embodiments of this specification, the storage medium may be located at at least one of the multiple network servers in a computer network. Optionally, in this embodiment, the storage medium may include, but is not limited to, various media capable of storing program code, such as USB flash drives, read-only memory (ROM), random access memory (RAM), portable hard drives, magnetic disks, or optical disks.

[0181] The memory described in the embodiments of this specification can be used to store software programs and modules. The processor executes various functional applications and data processing by running the software programs and modules stored in the memory. The memory may mainly include a program storage area and a data storage area. The program storage area may store the operating system, application programs required for the functions, etc.; the data storage area may store data created according to the use of the device, etc. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as at least one disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the memory may also include a memory controller to provide the processor with access to the memory.

[0182] The data transfer request processing method embodiments provided in this application can be executed on a mobile terminal, computer terminal, server, or similar computing device. Taking running on a server as an example, Figure 13 This is a hardware structure block diagram of a server for a data transfer request processing method provided in an embodiment of this application. For example... Figure 13As shown, the server 1300 can vary significantly due to different configurations or performance. It may include one or more central processing units (CPUs) 1310 (CPUs 1310 may include, but are not limited to, microprocessors (MCUs) or programmable logic devices (FPGAs), a memory 1330 for storing data, and one or more storage media 1320 (e.g., one or more mass storage devices) for storing application programs 1323 or data 1322. The memory 1330 and storage media 1320 may be temporary or persistent storage. The program stored in the storage media 1320 may include one or more modules, each module may include a series of instruction operations on the server. Furthermore, the CPU 1310 may be configured to communicate with the storage media 1320 and execute the series of instruction operations stored in the storage media 1320 on the server 1300. Server 1300 may also include one or more power supplies 1360, one or more wired or wireless network interfaces 1350, one or more input / output interfaces 1340, and / or one or more operating systems 1321, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.

[0183] The input / output interface 1340 can be used to receive or send data via a network. Specific examples of the network described above may include a wireless network provided by the communication provider of server 1300. In one example, the input / output interface 1340 includes a network interface controller (NIC), which can connect to other network devices via a base station to communicate with the Internet. In another example, the input / output interface 1340 may be a radio frequency (RF) module for wireless communication with the Internet.

[0184] Those skilled in the art will understand that Figure 13 The structure shown is for illustrative purposes only and does not limit the structure of the aforementioned electronic device. For example, server 1300 may also include... Figure 13 The more or fewer components shown, or having the same Figure 13 The different configurations shown.

[0185] As can be seen from the embodiments of the data transfer request processing method, apparatus, server, or storage medium provided in this application, after receiving a data transfer request sent by a terminal, this application obtains the data transfer attribute characteristics, target behavior characteristics, and behavior timing characteristics within a first preset time period before the terminal exhibits abnormal behavior. The abnormal behavior refers to the terminal's behavior within a second preset time period before the data transfer request. By using the data transfer attribute characteristics, target behavior characteristics, and behavior timing characteristics, the probability value of the terminal being in a lost state is determined. This allows for accurate judgment of whether the terminal is in a lost state, and different processing of the data transfer request is applied based on the probability value. Therefore, when it is determined that the terminal is in a lost state, illegal data transfer requests can be intercepted, preventing economic losses to legitimate users of the terminal.

[0186] It should be noted that the order of the embodiments described above is merely for descriptive purposes and does not represent the superiority or inferiority of the embodiments. Furthermore, specific embodiments have been described above. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps described in the claims can be performed in a different order than that shown in the embodiments and still achieve the desired result. Additionally, the processes depicted in the drawings do not necessarily require a specific or sequential order to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.

[0187] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to mutually. Each embodiment focuses on describing the differences from other embodiments. In particular, the embodiments of apparatus, devices, and storage media are basically similar to the method embodiments, so the descriptions are relatively simple; relevant parts can be referred to the descriptions of the method embodiments.

[0188] Those skilled in the art will understand that all or part of the steps of the above embodiments can be implemented by hardware or by a program instructing related hardware. The program can be stored in a computer storage medium, such as a read-only memory, a disk, or an optical disk.

[0189] The above description is only a preferred embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.

Claims

1. A data transfer request processing method, characterized in that, The method includes: Receive a data transfer request sent by the terminal; If the terminal performs at least one of the following operations during the second preset time period prior to the data transfer request: multiple incorrect password entries, multiple bank card bindings, or multiple password changes, it is determined that there is abnormal behavior. Multiple click behavior data are sent to the risk control near real-time system through the target application; the risk control near real-time system then performs statistics on the multiple click behavior data, calculates the number of clicks for each click behavior within a preset time period, and determines the data transfer attribute characteristics, target behavior characteristics, and behavior time sequence characteristics of the terminal within a first preset time period before the abnormal behavior; the data transfer attribute characteristics, target behavior characteristics, and behavior time sequence characteristics are features in the target application; the behavior time sequence characteristics include the time sequence of the target behavior and the related behaviors of the target behavior, and the terminal is determined to be in a lost state based on the behavior time sequence characteristics; the data transfer attribute characteristics, target behavior characteristics, and behavior time sequence characteristics are written back to the cache database; and the data transfer attribute characteristics, target behavior characteristics, and behavior time sequence characteristics in the cache database are sent to the offline data table, using the data transfer order as the dimension; Based on the data transfer attribute characteristics, target behavior characteristics, and behavior time sequence characteristics in the offline data table, determine the probability value that the terminal is in a lost state; When the probability value is greater than or equal to a preset probability threshold, the data transfer request is intercepted.

2. The method according to claim 1, characterized in that, The method further includes: Obtain the password retrieval method corresponding to the data transfer request; Based on the password acquisition method, the probability value is converted into a risk score; The data transfer request is processed based on the risk score.

3. The method according to claim 2, characterized in that, The process of processing the data transfer request based on the risk score includes: Based on the risk score, the status category of the terminal is determined, including lost status and non-lost status; The data transfer request is processed according to the status category of the terminal.

4. The method according to any one of claims 1-3, characterized in that, The data transfer attribute features, the target behavior features, and the behavior time sequence features are all multiple. Determining the probability value that the terminal is in a lost state based on the data transfer attribute features, target behavior features, and behavior time sequence features in the offline data table includes: The target features are determined based on multiple data transfer attribute features, multiple target behavior features, and multiple behavior time series features; Based on the target characteristics, determine the probability value that the terminal is in a lost state.

5. The method according to claim 4, characterized in that, The determination of target features based on multiple data transfer attribute features, multiple target behavior features, and multiple behavior time sequence features includes: Calculate the information value of each data transfer attribute feature, each target behavior feature, and each behavior temporal feature, wherein the information value represents the predictive ability of the feature to predict the state category of the terminal; The target feature is determined based on the information value.

6. The method according to claim 4, characterized in that, Determining the probability value that the terminal is in a lost state based on the target characteristics includes: The target features are input into the state category prediction model to obtain the probability value that the terminal is in a lost state; the probability value represents the state category of the terminal, and the state category prediction model is constructed based on the sample target features of sample terminals labeled with state category labels.

7. A data transfer request processing apparatus, characterized in that, The device includes: The data transfer request receiving module is used to receive data transfer requests sent by the terminal. The feature acquisition module is used to determine abnormal behavior if the terminal performs at least one of the following operations within a second preset time period before the data transfer request: multiple incorrect password inputs, multiple bank card bindings, and multiple password changes. The module then sends multiple click behavior data to the risk control near-real-time system via the target application. The risk control near-real-time system then statistically analyzes the multiple click behavior data, calculates the number of clicks for each click behavior within the preset time period, and determines the data transfer attribute features, target behavior features, and behavior sequence features of the terminal within a first preset time period before the abnormal behavior. The data transfer attribute features, target behavior features, and behavior sequence features are features within the target application. The behavior sequence features include the time sequence of the target behavior and its associated behaviors. Based on the behavior sequence features, the module determines whether the terminal is in a lost state. The module writes the data transfer attribute features, target behavior features, and behavior sequence features back to the cache database. Using a data transfer order as a dimension, the module sends the data transfer attribute features, target behavior features, and behavior sequence features from the cache database to an offline data table. The probability value determination module is used to determine the probability value that the terminal is in a lost state based on the data transfer attribute characteristics, the target behavior characteristics, and the behavior time sequence characteristics in the offline data table. The request processing module is used to process the data transfer request based on the probability value; the request processing module includes: an interception processing unit, used to intercept the data transfer request when the probability value is greater than or equal to a preset probability threshold.

8. The apparatus according to claim 7, characterized in that, The device further includes: The password acquisition method acquisition module is used to acquire the password acquisition method corresponding to the data transfer request; The request processing module includes: A conversion unit is used to convert the probability value into a risk score based on the password acquisition method. A data transfer request processing unit is used to process the data transfer request based on the risk score.

9. The apparatus according to claim 8, characterized in that, The data transfer request processing unit includes: The status category determination subunit is used to determine the status category of the terminal based on the risk score, wherein the status category includes a lost state and a non-lost state; The data transfer request processing subunit is used to process the data transfer request according to the status category of the terminal.

10. The apparatus according to any one of claims 7-9, characterized in that, The data transfer attribute features, the target behavior features, and the behavior time-series features are all multiple, and the probability value determination module includes: The target feature determination unit is used to determine target features based on multiple data transfer attribute features, multiple target behavior features, and multiple behavior time series features; The first probability value determination unit is used to determine the probability value that the terminal is in a lost state based on the target characteristics.

11. The apparatus according to claim 10, characterized in that, The target feature determination unit includes: The information value calculation subunit is used to calculate the information value of each data transfer attribute feature, each target behavior feature, and each behavior temporal feature. The information value represents the predictive ability of the feature to predict the state category of the terminal. The target feature determination subunit is used to determine the target feature based on the information value.

12. The apparatus according to claim 11, characterized in that, The probability value determination module includes: The second probability value determination unit is used to input the target features into the state category prediction model to obtain the probability value that the terminal is in a lost state; the probability value represents the state category of the terminal, and the state category prediction model is constructed based on the sample target features of sample terminals labeled with state category labels.

13. A data transfer request processing device, characterized in that, The device includes a processor and a memory, the memory storing at least one instruction or at least one program, the at least one instruction or the at least one program being loaded and executed by the processor to implement the data transfer request processing method as described in any one of claims 1-6.

14. A computer storage medium, characterized in that, The computer storage medium stores at least one instruction or at least one program, which is loaded and executed by a processor to implement the data transfer request processing method as described in any one of claims 1-6.

15. A computer program product, characterized in that, The computer program product includes computer instructions that are executed by a processor to implement the data transfer request processing method as described in any one of claims 1-6.