Abnormal employee determination method, device, apparatus, and storage medium

By setting multiple abnormal query rules and risk scores for bank employees, and calculating employee risk scores based on the number of triggers, the problem of accuracy and efficiency in bank employees' unauthorized inquiries into customer information has been solved, and abnormal employees have been identified efficiently.

CN115982210BActive Publication Date: 2026-07-03CHINA CONSTR BANK CORP SICHUAN BRANCH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA CONSTR BANK CORP SICHUAN BRANCH
Filing Date
2022-11-29
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

In existing technologies, the accuracy of identifying bank employees illegally accessing customer information is low, and it is difficult to distinguish the degree of risk, resulting in a large amount of warning data, a large workload for verifying suspicious points, and low accuracy.

Method used

Multiple anomaly query rules are preset, and a rule risk score is set for each rule. The employee risk score is calculated based on the number of times the employee triggers the rule risk score, the list of suspected abnormal employees is determined, and the abnormal employees are finally identified.

Benefits of technology

It improves the accuracy of identifying abnormal employees, distinguishes the degree of rule-based risk, rationally allocates verification resources, reduces workload, and improves efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115982210B_ABST
    Figure CN115982210B_ABST
Patent Text Reader

Abstract

The present disclosure provides an abnormal employee determination method, device, equipment and storage medium. A plurality of abnormal query rules are preset, and a corresponding rule risk score is set for each abnormal query rule. Based on the number of triggers of each abnormal query rule by the employees and the rule risk score of each abnormal query rule, the employee risk score corresponding to each employee is determined. A first suspected abnormal employee list is determined based on the employee risk score of each employee. The abnormal employee is determined based on the first suspected abnormal employee list. The accuracy and efficiency of the method of the present disclosure are both high.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of computer technology, and in particular to a method, apparatus, device, and storage medium for identifying abnormal employees. Background Technology

[0002] Banks accumulate a wealth of customer information, such as credit information, by providing various financial services. To prevent bank employees from illegally accessing and selling this information, banks should implement measures to warn of or identify unusual inquiries about customer information or to identify employees who sell such information.

[0003] In related technologies, it is common to monitor employee query behavior based on business experience, using five rules: query volume fluctuation threshold, abnormal queries by dormant users, abnormal queries outside of working hours, unauthorized queries, and cross-regional queries, in order to identify abnormal query behavior. Alternatively, it can be based on data mining, predicting daily and monthly query volumes and setting abnormal thresholds to identify abnormal query behavior.

[0004] However, the following problems exist in the related technologies:

[0005] I. Single-rule alerts: an alert is issued as soon as a certain rule's alert threshold is triggered. However, due to the existence of some weak rules, this can lead to problems such as a large amount of alert data, a large workload for verifying suspicious points, and a low accuracy rate in identifying problems.

[0006] Second, relying solely on query records to identify abnormal query behavior makes it difficult to discern employee account misuse, motives for misconduct, and instances of buying and selling customer information, resulting in low accuracy.

[0007] Third, the lack of a comprehensive scoring model for the risk of employees illegally accessing credit information makes it difficult to distinguish the risk level of early warning rules, which is not conducive to concentrating limited verification resources on high-risk investigations. Summary of the Invention

[0008] This disclosure provides a method, apparatus, device, and storage medium for identifying abnormal employees, in order to solve the problem in the prior art where a large number of threads are created in a waiting state, causing tasks to run in vain.

[0009] Firstly, this disclosure provides a method for identifying abnormal employees, including:

[0010] Multiple anomaly query rules are preset, and corresponding rule risk scores are set for each of the multiple anomaly query rules;

[0011] Based on the number of times an employee triggers each abnormal query rule and the rule risk score of each abnormal query rule, the employee risk score corresponding to each employee is determined.

[0012] The first list of suspected abnormal employees was determined based on the employee risk scores of each employee.

[0013] The abnormal employees were identified based on the first list of suspected abnormal employees.

[0014] Secondly, this disclosure provides an apparatus for identifying abnormal employees, comprising:

[0015] The preset module is used to preset multiple anomaly query rules and set corresponding rule risk scores for each of the multiple anomaly query rules.

[0016] The first determination module is used to determine the employee risk score for each employee based on the number of times the employee triggers each abnormal query rule and the rule risk score of each abnormal query rule.

[0017] The second determination module is used to determine the first list of suspected abnormal employees based on the employee risk score of each employee.

[0018] The third determination module is used to determine abnormal employees based on the first list of suspected abnormal employees.

[0019] In summary, the abnormal employee identification method, apparatus, device, and storage medium provided in this disclosure pre-set multiple abnormal query rules and set corresponding rule risk scores for each of the multiple abnormal query rules; then, based on the number of times an employee triggers each abnormal query rule and the rule risk scores of each abnormal query rule, an employee risk score corresponding to each employee is determined; and based on the employee risk scores of each employee, a first list of suspected abnormal employees is determined; and further, abnormal employees are identified based on the first list of suspected abnormal employees.

[0020] Therefore, it can be seen that when identifying abnormal employees, this disclosure does not only rely on the number of abnormal queries for employees, but also sets corresponding rule risk scores for each abnormal query rule, and combines the rule risk score with the number of abnormal queries to identify abnormal employees, thus achieving a higher accuracy rate.

[0021] Furthermore, this disclosure introduces the concept of rule risk scoring for each anomaly query rule, which can distinguish the risk level of each rule. This allows limited resources to be concentrated on investigating high-risk anomaly query rules, thereby reducing workload and ensuring both accuracy and high efficiency and flexibility. Attached Figure Description

[0022] The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure.

[0023] Figure 1aA flowchart of the method for determining abnormal employees provided in this embodiment of the disclosure;

[0024] Figure 1b A statistical chart showing the historical trigger frequency of the anomaly query rules provided in this embodiment of the disclosure;

[0025] Figure 1c A schematic diagram of the structure of a risk matrix provided in an embodiment of this disclosure;

[0026] Figure 1d This is a schematic diagram of employee risk scoring statistics provided in an embodiment of the present disclosure;

[0027] Figure 2 A schematic diagram of the structure of the abnormal employee determination device provided in the embodiments of this disclosure;

[0028] Figure 3 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this disclosure.

[0029] The accompanying drawings have illustrated specific embodiments of this disclosure, which will be described in more detail below. These drawings and descriptions are not intended to limit the scope of the concept in any way, but rather to illustrate the concepts of this disclosure to those skilled in the art through reference to particular embodiments. Detailed Implementation

[0030] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numerals in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this disclosure. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this disclosure as detailed in the appended claims.

[0031] The technical solutions of this disclosure and how they solve the aforementioned technical problems will be described in detail below with specific embodiments. These specific embodiments can be combined with each other, and the same or similar concepts or processes may not be repeated in some embodiments. The embodiments of this disclosure will now be described with reference to the accompanying drawings.

[0032] Figure 1a A flowchart illustrating a method for determining abnormal employees provided in an embodiment of this disclosure. Figure 1a As shown, the method for identifying abnormal employees includes:

[0033] Step 101: Preset multiple anomaly query rules and set corresponding risk scores for each of these multiple anomaly query rules.

[0034] In one embodiment of this disclosure, the abnormal query rule can be used to reflect the situation when an employee abnormally queries customer information (such as customer credit information). Tables 1 and 2 are illustrative tables of the abnormal query rules provided in this embodiment of the disclosure.

[0035] Table 1

[0036]

[0037]

[0038]

[0039] Table 2

[0040]

[0041]

[0042] As shown in Tables 1 and 2, these multiple exception query rules can include RULE1 to RULE19. For example, RULE1 could be: An employee creates a query user account for a non-regular employee. RULE8 could be: An employee's query behavior does not match the business situation.

[0043] It should be noted that the model mentioned in RULE19 of Table 2 above can be a query volume prediction model. This model predicts employee credit inquiry volume based on a multiple linear regression model. The dependent variable is the monthly query volume of each employee. Nineteen explanatory variables are set based on scenarios where credit inquiries might occur, including "historical credit inquiry behavior, historical credit inquiry frequency, number of inquiring employees, credit business volume, and customer authorization." Furthermore, this model can be used to provide early warnings about whether an employee's monthly credit inquiry volume exceeds the model's predicted upper limit.

[0044] Furthermore, in one embodiment of this disclosure, the step of setting corresponding rule risk scores for each of the multiple abnormal query rules may include:

[0045] Step a: Determine the grade score corresponding to each anomaly query rule based on the historical trigger frequency of each anomaly query rule.

[0046] Specifically, you can first count the historical trigger frequency of each anomaly query rule for at least one month, and calculate the average historical trigger frequency of each anomaly query rule for at least one month. Then, based on the correspondence between the average value and the rating score, determine the rating score corresponding to each anomaly query rule.

[0047] The historical trigger frequency mentioned above can be calculated as: number of employees triggered by the abnormal query rule ÷ total number of employees who have had query records in the current month.

[0048] Furthermore, Table 3 is a table showing the correspondence between average values ​​and grade scores provided in an embodiment of this disclosure.

[0049] Table 3

[0050]

[0051] As shown in Table 3, when the average historical trigger frequency of the abnormal query rule is between [40% and 100%], the rating of the abnormal query rule is 1; when the average historical trigger frequency of the abnormal query rule is between [30% and 40%], the rating of the abnormal query rule is 2.

[0052] Based on this, in the example, Figure 1b A statistical chart showing the historical trigger frequency of the anomaly query rules provided in this embodiment of the disclosure, such as... Figure 1b As shown, the historical trigger frequencies of RULE17 in January, February, and March 2021 were 88.808%, 83.582%, and 90.821%, respectively. Therefore, the average historical trigger frequency of RULE17 in January, February, and March was 87.737%. Referring to Table 3, when the average historical trigger frequency of RULE17 is 87.737%, which falls between 40% and 100%, the rating for RULE17 is 1.

[0053] Step b: Set the risk severity value for each anomaly query rule.

[0054] In this way, the severity of risk corresponding to each abnormal query rule can be determined based on the rule content of each abnormal query rule, and then a specific risk severity value can be set for it.

[0055] Table 4 is an example table of risk severity value settings provided in the embodiments of this disclosure.

[0056] Table 4

[0057]

[0058] Referring to Table 4 above, when the abnormal query rule corresponds to untrustworthy behavior, such as when the rule content includes risks such as untrustworthy query objects or query volume exceeding the model prediction limit, the severity of the abnormal query rule is low, and the corresponding risk severity value can be set to 1. When the abnormal query rule corresponds to irregular use, such as when the content of the abnormal query rule includes risks such as sharing / borrowing / stealing accounts (i.e., renting / lending query accounts), the severity of the abnormal query rule is high, and the corresponding risk severity value can be set to 4.

[0059] It should be noted that Table 4 above is only an example of how to set the risk severity value using some abnormal query rules as examples. The method for setting the risk severity value of abnormal query rules not shown in Table 4 should be similar in principle to the method in Table 4. That is, both are based on the specific rule content of the abnormal query rule to determine the risk severity corresponding to the abnormal query rule, and then set a specific risk severity value for it based on the risk severity.

[0060] Step c: Using a preset risk matrix, determine the rule risk score corresponding to each anomaly query rule based on the level score and risk severity value of each anomaly query rule.

[0061] In this embodiment of the disclosure, a risk matrix can be pre-set, where the horizontal axis represents the risk severity value and the vertical axis represents the level score. Then, the rule risk score corresponding to each abnormal query rule can be determined in the risk matrix based on the level score and risk severity value of each abnormal query rule.

[0062] Figure 1c This is a schematic diagram of the structure of a risk matrix provided in an embodiment of this disclosure. Table 5 is a schematic table illustrating the determination of rule-based risk scores based on the risk matrix provided in an embodiment of this disclosure.

[0063] Table 5

[0064]

[0065] Combination Figure 1c As shown in Table 5, when the RULE1 rating is 2 and the risk severity value is 5, then based on... Figure 1c The risk matrix shown has a horizontal axis of 5 and a vertical axis of 2, corresponding to a rule risk score of 4. Therefore, the rule risk score for RULE1 is 4. Similarly, when RULE2 has a rating of 1 and a risk severity value of 3, then based on... Figure 1c The risk matrix shown determines that the rule risk score corresponding to RULE2 is 2.

[0066] By executing the above steps ac, you can set corresponding rule risk scores for each of the multiple abnormal query rules.

[0067] Step 102: Based on the number of times an employee triggers each abnormal query rule and the rule risk score of each abnormal query rule, determine the employee risk score corresponding to each employee.

[0068] Specifically, in one embodiment of this disclosure, step 202 may include the following steps:

[0069] Step 1: For each exception query rule, sort the number of times each employee triggers that exception query rule.

[0070] The trigger count can be the number of times an employee triggers the exception query rule this month at the current moment.

[0071] Furthermore, the above sorting can be from high to low, or from low to high.

[0072] For example, regarding exception query rule #10, the number of times each employee triggers exception query rule #10, in descending order, can be sorted. For instance, if employee one triggers exception query rule #10 0 times, employee two triggers it 5 times, and employee three triggers it 3 times, then the trigger counts sorted from highest to lowest would be: 5, 3, 0.

[0073] Step 2: Determine the risk adjustment coefficient for each employee under each anomaly query rule based on the number of triggers after sorting; where the risk adjustment coefficient is positively correlated with the number of triggers.

[0074] Specifically, in one embodiment of this disclosure, for a certain anomaly query rule, the risk adjustment coefficient corresponding to the trigger counts in the first interval among all sorted trigger counts can be set as a first value, the risk adjustment coefficient corresponding to the trigger counts in the second interval can be set as a second value, and the risk adjustment coefficient corresponding to the trigger counts in the third interval can be set as a third value. The first interval precedes the second interval, and the second interval precedes the third interval.

[0075] Furthermore, the aforementioned "positive correlation between the risk adjustment coefficient and the number of triggers" is specifically reflected in the following ways:

[0076] When the trigger counts of each exception query rule are sorted from highest to lowest, the trigger counts in the first interval are ranked higher, which are considered high-frequency trigger counts. The trigger counts in the second interval are ranked in the middle, which are considered medium-frequency trigger counts. The trigger counts in the third interval are ranked lower, which are considered low-frequency trigger counts. In this case, the first value should be greater than the second value, which should be greater than the third value.

[0077] Furthermore, when the trigger counts of each exception query rule are sorted in ascending order, the trigger counts in the first interval are ranked higher, which are low-frequency trigger counts; the trigger counts in the second interval are ranked in the middle, which are medium-frequency trigger counts; and the trigger counts in the third interval are ranked lower, which are high-frequency trigger counts. In this case, the first value should be less than the second value, which is less than the third value.

[0078] For example, in one embodiment of this disclosure, the first interval can be [0, 1 / 4), the second interval can be [1 / 4, 3 / 4), and the third interval can be [3 / 4, 1]. That is, the number of triggers in the first interval is the first 25% of the triggers, the number of triggers in the second interval is from 25% to 75% of the triggers, and the number of triggers in the third interval is the last 25% of the triggers.

[0079] Based on this, Table 6 is an example of a risk adjustment coefficient setting table provided by an embodiment of this disclosure.

[0080] Table 6

[0081]

[0082] As shown in Table 6, for example, suppose that the exception query rule #10 is triggered by three employees. Employee 1 triggers the exception query rule #10 X times, employee 2 triggers it Y times, and employee 3 triggers it Z times. The trigger counts for all employees corresponding to the exception query rule are sorted from highest to lowest as Z, Y, X. Z is in the first position, that is, in the first 25% of the sorted data. Y is in the second position, that is, between the 25% and 75% of the sorted data. X is in the third position, that is, after the 75% of the sorted data (i.e., in the last 25%). Therefore, if employee 1 triggers the anomaly query rule #10 in a low frequency, the risk adjustment coefficient corresponding to the anomaly query rule #10 triggered by employee 1 can be set to a relatively small value, such as 1; if employee 2 triggers the anomaly query rule #10 in a medium frequency, the risk adjustment coefficient corresponding to the anomaly query rule #10 triggered by employee 2 can be set to a moderate value, such as 1.1; and if employee 3 triggers the anomaly query rule #10 in a high frequency, the risk adjustment coefficient corresponding to the anomaly query rule #10 triggered by employee 3 can be set to a relatively high value, such as 1.2.

[0083] Therefore, as can be seen from the above, in this disclosure, the higher the number of triggers, the larger the corresponding risk adjustment coefficient should be. The following provides a detailed explanation of why "the higher the number of triggers, the larger the corresponding risk adjustment coefficient should be":

[0084] Specifically, in this embodiment, the risk adjustment coefficient is subsequently used to adjust the employee's risk score based on the number of times the employee triggers the abnormal query rule. Therefore, the value of the risk adjustment coefficient affects the calculation of the employee's risk score. Based on this, a higher trigger frequency indicates that the employee has frequently triggered the abnormal query rule, making the employee more suspicious. In this case, by setting a larger risk adjustment coefficient, the calculated employee risk score can reflect the suspiciousness of the employee's frequent triggering of the abnormal query rule, thereby ensuring that the first list of suspicious employees can be accurately determined based on the employee risk score, thus guaranteeing the accuracy of the identification of suspicious employees.

[0085] Step 3: The sum of the products of the risk adjustment coefficient corresponding to each employee under each anomaly query rule and the rule risk score of each anomaly query rule is determined as the employee risk score.

[0086] Specifically, the risk adjustment coefficient corresponding to each abnormal query rule for an employee can be multiplied by the rule risk score of each abnormal query rule to obtain the employee risk sub-score. Then, the employee risk sub-scores corresponding to the employee under all abnormal query rules are added together to obtain the employee risk score.

[0087] For example, Table 7 is a schematic table illustrating an embodiment of this disclosure for calculating the risk adjustment coefficient of Rule 1 and the employee risk sub-score of the rule risk score for each anomaly query rule.

[0088]

[0089] As shown in Table 7, the rule risk score for Rule 1 is 4. The risk adjustment coefficient for employee A under Rule 1 is 1, so the employee risk sub-score for employee A under Rule 1 is 4 × 1 = 4. Similarly, the risk adjustment coefficient for employee B under Rule 1 is 1.2, so the employee risk sub-score for employee A under Rule 1 is 4 × 1.2 = 4.8.

[0090] As a further example, Figure 1d This is a schematic diagram illustrating employee risk scoring statistics as provided in an embodiment of this disclosure. (Reference) Figure 1d As shown, the portion enclosed in the dashed box represents the employee risk sub-score, which is the risk adjustment coefficient and rule risk score for each employee under each anomaly query rule. The employee risk score is obtained by summing the employee risk sub-scores for each employee under all anomaly query rules. Figure 1d The "risk score" mentioned is the same as the "employee risk score" disclosed herein. And, Figure 1d The warning rules can be those included in Table 1 above. Figure 1d The untrusted rules can be those included in Table 2 above.

[0091] Step 103: Determine the first list of suspected abnormal employees based on the employee risk score of each employee.

[0092] Specifically, employees whose risk scores exceed a first preset value can be added to the first list of suspected abnormal employees. And / or

[0093] Employees whose risk scores are sorted from highest to lowest and who are in the top 25% can be added to the first list of suspected abnormal employees.

[0094] Therefore, the first list of suspected abnormal employees in this embodiment includes employees with high risk scores. As mentioned above, the employee risk score is determined based on the number of times an employee triggers abnormal query rules and the rule risk score of each abnormal query rule. Therefore, when an employee has a high risk score, it means that the employee has frequently queried customer information, or that the employee has triggered high-risk rules, which means that the employee may subsequently engage in selling customer information. Therefore, it is necessary to add this employee to the first list of suspected abnormal employees so that subsequent investigations can be conducted based on this list to identify and warn of employees selling customer information.

[0095] Step 104: Identify abnormal employees based on the first list of suspected abnormal employees.

[0096] In one embodiment of this disclosure, the above-mentioned "determining abnormal employees based on the first list of suspected abnormal employees" may include: directly determining the employees in the first list of suspected abnormal employees as abnormal employees.

[0097] Alternatively, in another embodiment of this disclosure, the above-mentioned "determining abnormal employees based on the first list of suspected abnormal employees" may include: filtering employees in the first list of suspected abnormal employees based on preset rules to obtain a second list of suspected abnormal employees, and determining employees in the second list of suspected abnormal employees as abnormal employees.

[0098] Specifically, the preset rule can be used to screen employees suspected of selling customer information. Specifically, the preset rule can be: selecting employees from the first list of suspected abnormal employees whose account and / or related account transaction characteristics match specific transaction characteristics of selling customer information (such as the transaction characteristics corresponding to "selling customer information all at once after accumulating a certain number of queries," or the transaction characteristics corresponding to "querying and selling customer information monthly") to form a second list of suspected abnormal employees.

[0099] Furthermore, once the above methods are used to identify abnormal employees, the identified abnormal employees can be subject to further investigation to confirm whether they will sell customer information.

[0100] In summary, the abnormal employee identification method provided in this disclosure pre-sets multiple abnormal query rules and sets corresponding rule risk scores for each of the multiple abnormal query rules; then, based on the number of times an employee triggers each abnormal query rule and the rule risk scores of each abnormal query rule, it determines the employee risk score corresponding to each employee; and based on the employee risk scores of each employee, it determines the first list of suspected abnormal employees; and it also determines abnormal employees based on the first list of suspected abnormal employees.

[0101] Therefore, it can be seen that when identifying abnormal employees, this disclosure does not only rely on the number of abnormal queries for employees, but also sets corresponding rule risk scores for each abnormal query rule, and combines the rule risk score with the number of abnormal queries to identify abnormal employees, thus achieving a higher accuracy rate.

[0102] Furthermore, this disclosure introduces the concept of rule risk scoring for each anomaly query rule, which can distinguish the risk level of each rule. This allows limited resources to be concentrated on investigating high-risk anomaly query rules, thereby reducing workload and ensuring both accuracy and high efficiency and flexibility.

[0103] Figure 2 This is a schematic diagram of the abnormal employee identification device provided in an embodiment of this disclosure. Figure 2 As shown, the abnormal employee identification device includes:

[0104] The preset module 201 is used to preset multiple anomaly query rules and set corresponding rule risk scores for each of the multiple anomaly query rules.

[0105] The first determining module 202 is used to determine the employee risk score for each employee based on the number of times the employee triggers each abnormal query rule and the rule risk score of each abnormal query rule.

[0106] The second determination module 203 is used to determine the first list of suspected abnormal employees based on the employee risk score of each employee.

[0107] The third determination module 204 is used to determine abnormal employees based on the first list of suspected abnormal employees.

[0108] The abnormal employee identification device provided in this embodiment can be used to execute the technical solution of the abnormal employee identification method in the above embodiment. Its implementation principle and technical effect are similar, and will not be described again here.

[0109] It should be noted that the division of the various modules in the above device is merely a logical functional division. In actual implementation, they can be fully or partially integrated into a single physical entity, or they can be physically separated. Furthermore, these modules can be implemented entirely in software via processing element calls; they can be fully implemented in hardware; or some modules can be implemented by processing element calls to software, while others are implemented in hardware. For example, the preset module 201 can be a separately established processing element, or it can be integrated into a chip in the above device. Alternatively, it can be stored as program code in the memory of the above device, and its function can be called and executed by a processing element of the above device. The implementation of other modules is similar. Moreover, these modules can be fully or partially integrated together, or they can be implemented independently. The processing element here can be an integrated circuit with signal processing capabilities. In the implementation process, each step of the above method or each of the above modules can be completed through the integrated logic circuits in the hardware of the processor element or through software instructions.

[0110] Optionally, the preset module is further configured to:

[0111] The rating of each anomaly query rule is determined based on its historical trigger frequency.

[0112] Set a risk severity value for each anomaly query rule;

[0113] The rule risk score for each anomaly query rule is determined based on its level rating and risk severity value.

[0114] Optionally, the first determining module is further configured to:

[0115] For each exception query rule, the number of times each employee triggers the exception query rule is sorted.

[0116] The risk adjustment coefficient for each employee under each anomaly query rule is determined based on the number of triggers after sorting; the risk adjustment coefficient is positively correlated with the number of triggers.

[0117] The employee risk score is determined by multiplying the risk adjustment coefficient corresponding to each employee under each anomaly query rule by the rule risk score of each anomaly query rule.

[0118] Optionally, the second determining module is further configured to:

[0119] Employees whose risk scores are higher than the first preset value are added to the first list of suspected abnormal employees; and / or

[0120] Employees whose risk scores are sorted from highest to lowest, representing the first preset percentage, are added to the first list of suspected abnormal employees.

[0121] Optionally, the third determining module 204 is further configured to:

[0122] The employees in the first list of suspected abnormal employees are identified as abnormal employees.

[0123] Optionally, the third determining module 204 is further configured to:

[0124] The employees in the first list of suspected abnormal employees are filtered based on preset rules to obtain the second list of suspected abnormal employees.

[0125] The employees in the second list of suspected abnormal employees are identified as abnormal employees.

[0126] Figure 3 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this disclosure. Figure 3 As shown, the electronic device may include: transceiver 121, processor 122, and memory 123.

[0127] Processor 122 executes computer execution instructions stored in memory, causing processor 122 to perform the scheme in the above embodiments. Processor 122 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components.

[0128] The memory 123 is connected to the processor 122 via the system bus and completes communication between them. The memory 123 is used to store computer program instructions.

[0129] Transceiver 121 can be used to obtain the task to be run and its configuration information.

[0130] The system bus can be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The system bus can be divided into address bus, data bus, control bus, etc. For ease of representation, only one thick line is used in the diagram, but this does not indicate that there is only one bus or one type of bus. Transceivers are used to enable communication between database access devices and other computers (e.g., clients, read-write libraries, and read-only libraries). Memory may include random access memory (RAM) and may also include non-volatile memory.

[0131] The electronic device provided in this embodiment can be a terminal device that executes the above-described method for determining abnormal employees.

[0132] This disclosure also provides a chip for executing instructions, which is used to execute the technical solution of the abnormal employee determination method in the above embodiments.

[0133] This disclosure also provides a computer-readable storage medium storing computer instructions that, when executed on a computer, cause the computer to perform the technical solution of the abnormal employee determination method described above.

[0134] This disclosure also provides a computer program product, which includes a computer program stored in a computer-readable storage medium. At least one processor can read the computer program from the computer-readable storage medium, and when the at least one processor executes the computer program, it can implement the technical solution of the abnormal employee determination method in the above embodiments.

[0135] Other embodiments of this disclosure will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of this disclosure that follow the general principles of this disclosure and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of this disclosure are indicated by the following claims.

[0136] It should be understood that this disclosure is not limited to the precise structures described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope. The scope of this disclosure is limited only by the appended claims.

Claims

1. A method for identifying abnormal employees, characterized in that, include: Multiple anomaly query rules are preset, and the level score corresponding to each anomaly query rule is determined based on the historical trigger frequency of each anomaly query rule; the historical trigger frequency is obtained based on the number of times the anomaly query rule is triggered within a preset time period. Set a risk severity value for each anomaly query rule; Using a pre-defined risk matrix, the rule risk score corresponding to each anomaly query rule is determined based on the level score and risk severity value of each anomaly query rule; Based on the number of times an employee triggers each abnormal query rule and the rule risk score of each abnormal query rule, the employee risk score corresponding to each employee is determined. The first list of suspected abnormal employees was determined based on the employee risk scores of each employee. The abnormal employees were identified based on the first list of suspected abnormal employees.

2. The method according to claim 1, characterized in that, The employee risk score is determined based on the number of times an employee triggers each abnormal query rule and the rule risk score of each abnormal query rule, including: For each exception query rule, the number of times each employee triggers the exception query rule is sorted. The risk adjustment coefficient for each employee under each anomaly query rule is determined based on the number of triggers after sorting; the risk adjustment coefficient is positively correlated with the number of triggers. The employee risk score is determined by multiplying the risk adjustment coefficient corresponding to each employee under each anomaly query rule by the rule risk score of each anomaly query rule.

3. The method according to claim 1, characterized in that, The process of determining the first list of suspected abnormal employees based on each employee's employee risk score includes: Employees whose risk scores are higher than the first preset value are added to the first list of suspected abnormal employees; and / or Employees whose risk scores are sorted from highest to lowest, representing the first preset percentage, are added to the first list of suspected abnormal employees.

4. The method according to claim 1, characterized in that, The step of determining abnormal employees based on the first list of suspected abnormal employees includes: The employees in the first list of suspected abnormal employees are identified as abnormal employees.

5. The method according to claim 1, characterized in that, The step of determining abnormal employees based on the first list of suspected abnormal employees includes: The employees in the first list of suspected abnormal employees are filtered based on preset rules to obtain the second list of suspected abnormal employees. The employees in the second list of suspected abnormal employees are identified as abnormal employees.

6. An abnormal employee identification device, characterized in that, include: The preset module is used to preset multiple anomaly query rules and determine the level score corresponding to each anomaly query rule based on the historical trigger frequency of each anomaly query rule; the historical trigger frequency is obtained based on the number of times the anomaly query rule is triggered within a preset time period; a risk severity value is set for each anomaly query rule; and a rule risk score corresponding to each anomaly query rule is determined based on the level score and risk severity value of each anomaly query rule using a preset risk matrix. The first determination module is used to determine the employee risk score for each employee based on the number of times the employee triggers each abnormal query rule and the rule risk score of each abnormal query rule. The second determination module is used to determine the first list of suspected abnormal employees based on the employee risk score of each employee. The third determination module determines abnormal employees based on the first list of suspected abnormal employees.

7. An electronic device, characterized in that, include: A processor, and a memory communicatively connected to the processor; The memory stores computer-executed instructions; The processor executes computer execution instructions stored in the memory to implement the method as described in any one of claims 1-5.

8. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer-executable instructions, which, when executed by a processor, are used to implement the method as described in any one of claims 1-5.

9. A computer program product, characterized in that, Includes a computer program that, when executed by a processor, implements the method of any one of claims 1-5.