Target account abnormality judgment method and device, computer device, and storage medium
By inserting target accounts and entities as graph vertices into a graph database, and using the minimum number of connected edges and propagation weights to determine the anomalies of target accounts, the problem of mining hidden information in graph databases without added data is solved, enabling anomaly detection of target accounts and in-depth data relationship mining.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- ZHAOLIAN CONSUMER FINANCE CO LTD
- Filing Date
- 2022-12-28
- Publication Date
- 2026-07-14
AI Technical Summary
Existing graph databases struggle to uncover hidden information not added to the database, making it difficult to effectively identify anomalies in target accounts.
By inserting the target account and target entity as graph vertices into the graph database, and based on multiple graph nodes connected by edges, abnormal accounts that are directly or indirectly associated with the target account are identified. Anomaly judgment is made by using the minimum number of edges, and the propagation weight is calculated to determine whether the account is abnormal.
It enables anomaly detection of target accounts, delves deeper into data relationships, improves the ability to identify hidden attributes, simplifies the process of identifying abnormal accounts, and improves data processing efficiency.
Smart Images

Figure CN116167005B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of computer technology, and in particular to a method, apparatus, computer device, storage medium, and computer program product for judging the anomalies of a target account. Background Technology
[0002] With the development of computer technology, graph databases have been widely used. A graph database is a storage engine specifically designed for storing and retrieving vast information networks. Its implementation principle uses graphs to store data, efficiently storing data as graph nodes and edges, and allowing high-performance retrieval and querying of the node-edge structure. For the massive amounts of data generated by business systems, graph databases can be built to perform data retrieval and querying.
[0003] However, current graph databases can only retrieve and query existing data, making it difficult to uncover hidden information from data not added to the graph database. Summary of the Invention
[0004] Therefore, it is necessary to provide a method, apparatus, computer device, computer-readable storage medium, and computer program product for judging the anomalies of target accounts that can mine hidden information to judge the anomalies of target accounts.
[0005] Firstly, this application provides a method for determining the anomalies of a target account. The method includes:
[0006] Extract target accounts and target entities from target business data;
[0007] The target account and the target entity are inserted as graph vertices into the graph database. The graph database includes multiple graph nodes connected by edges. The graph nodes include known accounts and known entities. The known accounts include normal accounts and abnormal accounts.
[0008] Based on the target business data, determine the graph nodes to be connected that are directly associated with the graph vertices from each graph node, and establish the connection between the graph vertices and the graph nodes to be connected;
[0009] When there is an abnormal account that is directly or indirectly associated with the target account, and the minimum number of edges between the graph node where the abnormal account is located and the graph vertex where the target account is located is less than or equal to a preset threshold, the target account is judged to be abnormal based on the minimum number of edges, and the abnormal judgment result of the target account is obtained.
[0010] In some embodiments, the step of performing anomaly detection on the target account based on the minimum number of connected edges to obtain anomaly detection result for the target account includes:
[0011] Obtain the propagation weight data of graph nodes and the baseline weight of the associated abnormal accounts;
[0012] Based on the baseline weight, the graph node propagation weight data, and the minimum number of edges, the propagation weight of the target account is calculated;
[0013] When the propagation weight of the target account is greater than the preset weight data, the target account is determined to be an abnormal account.
[0014] In some embodiments, when there is an abnormal account directly or indirectly associated with the target account, and the minimum number of edges between the graph node containing the associated abnormal account and the graph vertex containing the target account is less than or equal to a preset threshold, the abnormality judgment of the target account is performed based on the minimum number of edges to obtain the abnormality judgment result of the target account, including:
[0015] Starting from the vertex of the graph where the target account is located, traverse the graph nodes whose number of edges connected to the graph vertex is less than or equal to a preset threshold.
[0016] When there is a target graph node representing an abnormal account among the traversed graph nodes, determine the minimum number of edges between the target graph node and the graph vertex where the target account is located;
[0017] Anomaly detection of the target account is performed based on the minimum number of connected edges, and anomaly detection result of the target account is obtained.
[0018] In some embodiments, when there is a target graph node representing an abnormal account among the traversed graph nodes, determining the minimum number of edges between the target graph node and the graph vertex where the target account is located includes:
[0019] When there is a target graph node representing an abnormal account among the traversed graph nodes, the graph node link between the target graph node and the graph vertex where the target account is located is determined;
[0020] The minimum number of edges between the target graph node and the vertex of the graph containing the fewest graph nodes is taken as the minimum number of edges between the target graph node and the vertex of the graph containing the target account.
[0021] In some embodiments, the abnormal accounts in the graph nodes carry abnormal account markers; the method for determining the abnormality of the target account further includes:
[0022] When the anomaly assessment result of the target account is that the account is abnormal, the graph vertex where the target account is located in the graph database is marked as an abnormal account.
[0023] In some embodiments, the anomaly detection method for the target account further includes:
[0024] Obtain offline business data containing account and entity information;
[0025] Based on the known accounts represented by the account information and the known entities represented by the entity information, and using the offline business data, determine the direct association between each known account and each known entity;
[0026] A graph database is constructed using the known accounts and known entities as graph nodes and the relationships as edges connecting the graph nodes.
[0027] Secondly, this application also provides an anomaly detection device for a target account. The device includes:
[0028] The information extraction module is used to extract target accounts and target entities from target business data;
[0029] The graph vertex insertion module is used to insert the target account and the target entity as graph vertices into the graph database. The graph database includes multiple graph nodes connected by edges. The graph nodes include known accounts and known entities. The known accounts include normal accounts and abnormal accounts.
[0030] The edge establishment module is used to determine, based on the target business data, the graph nodes to be connected that are directly associated with the graph vertices from each graph node, and to establish the edges between the graph vertices and the graph nodes to be connected.
[0031] The anomaly detection module is used to detect anomalies in the target account based on the minimum number of edges when there is an abnormal account that is directly or indirectly associated with the target account, and the minimum number of edges between the graph node where the abnormal account is located and the graph vertex where the target account is located is less than or equal to a preset threshold, thereby obtaining the anomaly detection result of the target account.
[0032] Thirdly, this application also provides a computer device. The computer device includes a memory and a processor, the memory storing a computer program, and the processor executing the computer program to perform the following steps:
[0033] Extract target accounts and target entities from target business data;
[0034] The target account and the target entity are inserted as graph vertices into the graph database. The graph database includes multiple graph nodes connected by edges. The graph nodes include known accounts and known entities. The known accounts include normal accounts and abnormal accounts.
[0035] Based on the target business data, determine the graph nodes to be connected that are directly associated with the graph vertices from each graph node, and establish the connection between the graph vertices and the graph nodes to be connected;
[0036] When there is an abnormal account that is directly or indirectly associated with the target account, and the minimum number of edges between the graph node where the abnormal account is located and the graph vertex where the target account is located is less than or equal to a preset threshold, the target account is judged to be abnormal based on the minimum number of edges, and the abnormal judgment result of the target account is obtained.
[0037] Fourthly, this application also provides a computer-readable storage medium. The computer-readable storage medium stores a computer program thereon, which, when executed by a processor, performs the following steps:
[0038] Extract target accounts and target entities from target business data;
[0039] The target account and the target entity are inserted as graph vertices into the graph database. The graph database includes multiple graph nodes connected by edges. The graph nodes include known accounts and known entities. The known accounts include normal accounts and abnormal accounts.
[0040] Based on the target business data, determine the graph nodes to be connected that are directly associated with the graph vertices from each graph node, and establish the connection between the graph vertices and the graph nodes to be connected;
[0041] When there is an abnormal account that is directly or indirectly associated with the target account, and the minimum number of edges between the graph node where the abnormal account is located and the graph vertex where the target account is located is less than or equal to a preset threshold, the target account is judged to be abnormal based on the minimum number of edges, and the abnormal judgment result of the target account is obtained.
[0042] Fifthly, this application also provides a computer program product. The computer program product includes a computer program that, when executed by a processor, performs the following steps:
[0043] Extract target accounts and target entities from target business data;
[0044] The target account and the target entity are inserted as graph vertices into the graph database. The graph database includes multiple graph nodes connected by edges. The graph nodes include known accounts and known entities. The known accounts include normal accounts and abnormal accounts.
[0045] Based on the target business data, determine the graph nodes to be connected that are directly associated with the graph vertices from each graph node, and establish the connection between the graph vertices and the graph nodes to be connected;
[0046] When there is an abnormal account that is directly or indirectly associated with the target account, and the minimum number of edges between the graph node where the abnormal account is located and the graph vertex where the target account is located is less than or equal to a preset threshold, the target account is judged to be abnormal based on the minimum number of edges, and the abnormal judgment result of the target account is obtained.
[0047] The aforementioned method, apparatus, computer equipment, storage medium, and computer program product for anomaly judgment of target accounts extract target accounts and target entities from target business data, insert the target accounts and target entities as incremental graph vertices into a graph database, determine the graph nodes to be connected that are directly related to the graph vertices from each graph node based on the target business data, and establish the connections between the graph vertices and the graph nodes to be connected. Since the graph nodes include normal accounts, abnormal accounts, and known entities, in-depth data relationship mining can be achieved. When there are abnormal accounts in the graph database that are directly or indirectly related to the target account, and the minimum number of connections between the graph node containing the abnormal account and the graph vertex containing the target account is less than or equal to a preset threshold, the degree of association between the abnormal account and the target account, represented by the minimum number of connections, is used to predict and judge whether the target account may be an abnormal account, and obtain the anomaly judgment result of the target account, thereby achieving in-depth mining of the hidden attribute of whether the target account is abnormal in the target business data. Attached Figure Description
[0048] Figure 1 This is an application environment diagram of an anomaly detection method for a target account in one embodiment;
[0049] Figure 2 This is a flowchart illustrating an anomaly detection method for a target account in one embodiment;
[0050] Figure 3 This is a flowchart illustrating the anomaly detection method for a target account in another embodiment;
[0051] Figure 4 This is a flowchart illustrating an anomaly detection method for a target account in one embodiment;
[0052] Figure 5 This is a structural block diagram of an anomaly detection device for a target account in one embodiment;
[0053] Figure 6 This is an internal structural diagram of a computer device in one embodiment. Detailed Implementation
[0054] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.
[0055] The anomaly detection method for target accounts provided in this application embodiment can be applied to, for example... Figure 1 In the application environment shown, terminal 102 communicates with server 104 via a network. A data storage system can store the data that server 104 needs to process. The data storage system can be integrated onto server 104 or placed on a cloud or other network server. Server 104 extracts target accounts and target entities from the target business data provided by terminal 102, inserts the target accounts and target entities as graph vertices into a graph database. The graph database includes multiple graph nodes connected by edges. Graph nodes include known accounts and known entities; known accounts include normal accounts and abnormal accounts. Based on the target business data, server 104 determines the graph nodes directly associated with the graph vertices from each graph node to establish edges between the graph vertices and the graph nodes to be connected. When there are abnormal accounts directly or indirectly associated with the target account, and the minimum number of edges between the graph node containing the associated abnormal account and the graph vertex containing the target account is less than or equal to a preset threshold, the target account is judged as abnormal based on the minimum number of edges, and the abnormal judgment result of the target account is obtained. In some embodiments, server 104 may also feed back the anomaly judgment result of the target account to terminal 102, or perform a business processing flow corresponding to the anomaly judgment result for the target business data based on the anomaly judgment result of the target account. For example, in a risk control business scenario, when the anomaly judgment result of the target account is that the account is abnormal, the target business data or a portion of the data in the target business data is refused to be processed. When the anomaly judgment result of the target account is that the account is not abnormal, the target business data is processed normally.
[0056] The terminal 102 can be, but is not limited to, various personal computers, laptops, smartphones, tablets, IoT devices, and portable wearable devices. IoT devices can include smart speakers, smart TVs, smart air conditioners, and smart in-vehicle systems. Portable wearable devices can include smartwatches, smart bracelets, and head-mounted devices. The server 104 can be implemented using a standalone server or a server cluster consisting of multiple servers.
[0057] In one embodiment, such as Figure 2 As shown, a method for anomaly detection of a target account is provided, which is then applied to... Figure 1 Taking the server in the example, the following steps are included:
[0058] Step 202: Extract the target account and target entity from the target business data.
[0059] Specifically, target business data refers to business data that requires risk assessment. This data can be business data that the target object has authorized access to, including account information of the target object and entity information related to it. The target object involved in the business data is the one responsible for the data, i.e., the primary object of risk assessment. A target account refers to the account represented by the target object's account information. A target account belongs to only one object, but one object can have multiple different accounts.
[0060] The target account can be an account registered on a specific platform and bound to the target's identity, such as the target's email address, phone number, or social media account. The target entity can be a uniquely identified entity used by the target object and recorded in the business data; for example, a target entity can include a terminal device with a device ID or a Wi-Fi MAC address. The number of target entities can be one or multiple, determined based on data processing needs. For example, specific categories of entities can be extracted from the business data, or all entities recorded in the business data can be extracted.
[0061] Step 204: Insert the target account and target entity as graph vertices into the graph database. The graph database includes multiple graph nodes connected by edges. The graph nodes include known accounts and known entities. The known accounts include normal accounts and abnormal accounts.
[0062] The graph database is used to record multiple graph nodes and the edges between them. Graph nodes in the graph database include known accounts and known entities. Known accounts and entities can be extracted from offline business data. Known accounts include normal accounts and abnormal accounts. In specific applications, at least one of the abnormal or normal accounts can be specially marked using account tagging to distinguish them. For example, only abnormal accounts can be marked, while normal accounts remain unmarked. In subsequent processing, graph nodes carrying the abnormal mark are considered abnormal accounts. When the graph nodes corresponding to known entities and known accounts use different representations, normal accounts can also be marked, while abnormal accounts remain unmarked. In subsequent processing, accounts without the mark are considered abnormal accounts. Alternatively, normal and abnormal accounts can be marked separately by category.
[0063] Step 206: Based on the target business data, determine the graph nodes to be connected that are directly associated with the graph vertices from each graph node, and establish the connection between the graph vertices and the graph nodes to be connected.
[0064] In this context, graph nodes, as existing nodes in the graph database, are connected to other nodes in the graph database based on edges. Graph vertices, as newly added nodes in the graph database, are not yet connected to other nodes in the graph database. Therefore, based on the target business data, it is necessary to determine the graph nodes that are directly associated with graph vertices in each graph node and establish the edges between graph vertices and graph nodes to be connected.
[0065] For example, graph vertices include the target object's mobile phone number, Wi-Fi MAC address, mobile device identifier, etc., while graph nodes in the graph database include other entity information such as various accounts and addresses of other objects. From the target business data authorized by the target object, data such as the target object's social relationships and recent transaction records can be obtained. Based on the target object's social relationships and recent transaction records, the direct association between the target object's mobile phone number, Wi-Fi MAC address, mobile device identifier, and other accounts or other entities can be obtained. Thus, using this direct association as a bridge, the connection between the graph vertices and graph nodes with direct association is established, and the graph vertices are integrated into the graph database as graph nodes.
[0066] Step 208: When there is an abnormal account that is directly or indirectly associated with the target account, and the minimum number of edges between the graph node where the associated abnormal account is located and the graph vertex where the target account is located is less than or equal to a preset threshold, the target account is judged as abnormal based on the minimum number of edges, and the abnormal judgment result of the target account is obtained.
[0067] In this context, a direct association between the target account and other accounts refers to a graph vertex containing the target account being connected to a graph node containing another account through a single edge. An indirect association between the target account and other accounts refers to a graph vertex containing the target account being connected to a graph node containing another account through at least two edges. When there is only one connection between a graph node containing an abnormal account and a graph vertex containing the target account, the minimum number of edges is the number of edges contained in that connection. When there are two or more connection links between a graph node containing an abnormal account and a graph vertex containing the target account, the minimum number of edges is the number of edges contained in the connection link that contains the fewest graph nodes.
[0068] Furthermore, when the server determines that there is an abnormal account in the graph database that is directly or indirectly associated with the target account, and the minimum number of edges between the graph nodes of the associated abnormal account and the graph vertices of the target account is less than or equal to a preset threshold, the server performs anomaly judgment on the target account based on the minimum number of edges, and obtains the anomaly judgment result for the target account. The smaller the minimum number of edges, the higher the probability of the target account being abnormal; the larger the minimum number of edges, the lower the probability of the target account being abnormal. For example, the server calculates the anomaly probability of the target account based on the minimum number of edges. When the anomaly probability of the target account is greater than or equal to the set threshold, the target account is determined to be abnormal; when the anomaly probability of the target account is less than the set threshold, the target account is determined not to be abnormal.
[0069] The aforementioned method for anomaly detection of target accounts extracts target accounts and target entities from target business data, inserts them as incremental graph vertices into the graph database, and, based on the target business data, identifies graph nodes directly associated with the graph vertices to be connected from each graph node. It then establishes edges between the graph vertices and the nodes to be connected. Since graph nodes include normal accounts, abnormal accounts, and known entities, it enables in-depth data relationship mining. When there are abnormal accounts in the graph database that are directly or indirectly associated with the target account, and the minimum number of edges between the graph node containing the associated abnormal account and the graph vertex containing the target account is less than or equal to a preset threshold, it predicts whether the target account might be an abnormal account based on the degree of association between the abnormal account and the target account represented by the minimum number of edges. This yields the anomaly detection result for the target account, enabling in-depth mining of the hidden attribute of whether the target account is abnormal in the target business data.
[0070] In some embodiments, anomaly detection of the target account is performed based on the minimum number of connected edges to obtain the anomaly detection result of the target account, including:
[0071] Obtain the propagation weight data of graph nodes and the baseline weight of associated abnormal accounts; calculate the propagation weight of the target account based on the baseline weight, the propagation weight data of graph nodes and the minimum number of connected edges; when the propagation weight of the target account is greater than the preset weight data, the target account is determined to be an abnormal account.
[0072] The baseline weight of the associated abnormal accounts can be pre-set data. Different abnormal accounts can have the same or different baseline weights. For example, the baseline weight of all abnormal accounts can be set to 1. Alternatively, the baseline weight of the abnormal accounts can be determined based on the level of abnormality. For example, an account with severe abnormality can have a baseline weight of 1.5, an account with moderate abnormality can have a baseline weight of 1.2, and an account with minor abnormality can have a baseline weight of 1, and so on.
[0073] Graph node propagation weights can be pre-defined; the weights can be the same or different across different graph nodes. For example, all graph node propagation weights can be set to 0.9. Alternatively, the propagation weights can be determined by the strength of the association between each graph node and the node containing the abnormal account, forming a graph node link with the vertex containing the target account as endpoints. A stronger association between a graph node and the node containing the abnormal account results in a higher propagation weight. The strength of the association between a graph node and the abnormal account can be determined by the minimum number of edges between them; a fewer minimum number of edges indicates a stronger association. For example, the graph node link formed by the graph node where the abnormal account is located and the graph vertex where the target account is located as the endpoint includes graph node 1 where the abnormal account is located, intermediate graph node 2, intermediate graph node 3, and graph vertex 4 where the target account is located. The graph node propagation weight data between graph node 1 and intermediate graph node 2 is 0.9, the graph node propagation weight data between intermediate graph node 2 and intermediate graph node 3 is 0.8, and the graph node propagation weight data between intermediate graph node 3 and graph vertex 4 is 0.7.
[0074] Furthermore, the server calculates the propagation weight of the target account based on the baseline weight, graph node propagation weight data, and minimum number of edges. When the propagation weight of the target account is greater than the preset weight data, the target account is determined to be an abnormal account. When the propagation weight of the target account is less than or equal to the preset weight data, the target account is determined to be a normal account.
[0075] In one embodiment, the graph node starting with the abnormal account has a base weight of 1 (r = 1), and the weight is multiplied by 0.9 every 5 nodes connected by an edge, resulting in a propagation weight x = r * 0.9. n , where n is a positive integer representing the minimum number of connected edges. A threshold m = 0.7 is set; if the propagation weight x exceeds this threshold, the account can be identified as abnormal.
[0076] In this embodiment, propagation weights are calculated by setting a baseline weight, graph node propagation weight data, and minimum number of connected edges to determine whether an account is abnormal. This simplifies the process of identifying abnormal accounts and improves the data processing efficiency of abnormal account identification.
[0077] 0 In some embodiments, such as Figure 3 As shown, when there are abnormal accounts directly or indirectly associated with the target account, and the minimum number of edges between the graph nodes of the associated abnormal accounts and the graph vertices of the target account is less than or equal to a preset threshold, the target account is judged as abnormal based on the minimum number of edges, and the abnormal judgment result of the target account is obtained, including:
[0078] Step 302: Starting from the vertex of the graph where the target account is located, traverse the graph nodes whose number of edges connected to the graph vertex is less than or equal to a preset threshold.
[0079] Step 304: When there is a target graph node representing an abnormal account among the traversed graph nodes, determine the minimum number of edges between the target graph node and the graph vertex where the target account is located.
[0080] Step 306: Based on the minimum number of connected edges, perform anomaly detection on the target account and obtain the anomaly detection result of the target account.
[0081] Specifically, the preset threshold can be set based on the actual application scenario. When the criteria for judging abnormal accounts need to be configured more strictly, the preset threshold can be set to a smaller value, in which case the number of accounts judged as abnormal accounts will be relatively large. When the criteria for judging abnormal accounts need to be configured more leniently, the preset threshold can be set to a larger value, in which case the number of accounts judged as abnormal accounts will be relatively small.
[0082] 5. Taking a preset threshold of N (N is a positive integer) as an example, the server uses the vertex of the graph where the target account is located as the starting point.
[0083] For each node, the process iterates through graph nodes whose number of edges connected to graph vertices is ≤ N. The traversal result can be one of three cases: no target graph node representing an abnormal account, one target graph node representing an abnormal account, or multiple target graph nodes representing abnormal accounts. If no target graph node represents an abnormal account, the target account is determined as a normal node. If one target graph node represents an abnormal account, the minimum number of edges between the target graph node and the vertex containing the target account is determined. Based on this minimum number of edges, the target account is judged as abnormal, and the abnormal judgment result is obtained. The abnormal judgment method is the same as in the above embodiment and will not be repeated.
[0084] For scenarios with multiple target graph nodes representing abnormal accounts, the minimum number of edges between each target graph node and the vertex containing the target account can be determined. The minimum of these minimum edge counts is then used to determine the anomaly of the target account. Alternatively, for each target graph node, the minimum number of edges between it and the vertex containing the target account can be determined. Based on each minimum edge count, the anomaly probability of the target account relative to each target graph node can be determined. Finally, based on these multiple anomaly probabilities, the anomaly status of the target account can be determined.
[0085] In this embodiment, the server, based on a preset threshold, takes the vertex of the graph where the target account is located as the starting point and traverses the graph nodes whose number of edges connected to the graph vertices is less than or equal to the preset threshold. When there is a target graph node representing an abnormal account among the traversed graph nodes, the minimum number of edges between the target graph node and the vertex of the graph where the target account is located is determined. This avoids traversing all graph nodes, reduces the range of graph nodes traversed, effectively improves data processing efficiency, and reduces the occupation of data processing resources.
[0086] In some embodiments, when there is a target graph node representing an abnormal account among the traversed graph nodes, determining the minimum number of edges between the target graph node and the graph vertex where the target account is located includes:
[0087] When there is a target graph node representing an abnormal account among the traversed graph nodes, determine the graph node link between the target graph node and the graph vertex where the target account is located; take the number of edges of the graph node link with the fewest graph nodes as the minimum number of edges between the target graph node and the graph vertex where the target account is located.
[0088] Determining the graph node link between the target graph node and the vertex where the target account is located refers to the link formed by the intermediate graph nodes traversed from the target graph node to the vertex where the target account is located, based on the edges. A graph node link must include at least the target graph node, the vertex where the target account is located, and at least one edge. By determining the graph node link between the target graph node and the vertex where the target account is located, the number of graph nodes contained in the graph node link can be determined. The graph node link with the fewest graph nodes is the shortest link connecting the target graph node and the vertex where the target account is located, and the corresponding number of edges is the minimum number of edges.
[0089] In this embodiment, the server determines the graph node links between the target graph node and the graph vertex where the target account is located, and filters out the graph node links with the fewest graph nodes, thereby quickly determining the minimum number of edges between the target graph node and the graph vertex where the target account is located.
[0090] In some embodiments, abnormal accounts in graph nodes carry abnormal account tags; the abnormal judgment method for target accounts further includes: when the abnormal judgment result of the target account is that the account is abnormal, marking the graph vertex where the target account is located in the graph database as an abnormal account.
[0091] Among them, the abnormal account identifier is the identification information used to distinguish between normal accounts and abnormal accounts. The abnormal account identifier can be identified by specific characters so that the server can quickly identify whether a graph node is an abnormal account when traversing graph nodes, thereby improving processing efficiency.
[0092] Furthermore, for target accounts whose anomaly assessment results indicate account anomalies, the graph vertices containing the target account can be marked as anomalies in the graph database. This expands the data in the graph database, providing a basis for anomaly assessment of more incremental accounts and improving the accuracy of account anomaly assessment results.
[0093] In some embodiments, the method for determining the anomaly of a target account further includes:
[0094] Obtain offline business data containing account information and entity information; based on the offline business data, determine the direct association between each known account and each known entity according to the known accounts represented by the account information and the known entities represented by the entity information; construct a graph database with each known account and each known entity as graph nodes and the association as the edges between graph nodes.
[0095] Offline business data refers to historical business data that can be acquired or processed offline. Based on offline business data, account information and entity information can be extracted. Account information represents known accounts, and entity information represents known entities. The server can determine the direct relationships between each known account and each known entity based on offline business data. The server can construct a graph database using each known account and each known entity as graph nodes and the relationships as edges between graph nodes.
[0096] In this embodiment, the server extracts known accounts and entities from offline business data, determines the direct relationships between them, and can quickly and easily construct a graph database. This allows the server to use known information from known nodes to predict hidden information from unknown nodes.
[0097] In a specific application, a method for anomaly detection of target accounts is provided. Taking the account tagging of risky users in the risk control field as an example, this method can be implemented through graph databases and business systems. Business systems generate massive amounts of data every moment, using this data to establish relationship graphs between customers, devices, addresses, etc. The method in this application establishes the relationships between entities through a graph database, and then uses graph mining algorithms to find hidden information between entities, applying it to actual risk control operations.
[0098] Specifically, taking the graph computing platform as an example, which executes the anomaly judgment method for the target account, after receiving offline business risk control data, the graph computing platform establishes the association relationship between user accounts (such as mobile phone numbers, email addresses, etc.) and entities such as device numbers and Wi-Fi MAC addresses. Among them, device numbers and Wi-Fi MAC addresses can be associated with multiple user accounts. If the associated user accounts have been tagged, such as "fake", then for newly received user accounts, according to a certain algorithm, the probability that the user to which the new user account belongs is a "fake" customer is determined.
[0099] For example, such as Figure 4 As shown, the graph computing platform uses offline data to initialize and establish associations between entities such as phone numbers, device numbers, and Wi-Fi MAC addresses. "Fake" customers are labeled as such. The platform obtains risk control events in real-time through Kafka, parses these events to retrieve new entity information such as phone numbers, device numbers, Wi-Fi MAC addresses, and IMEIs, inserting them as vertices in the graph database. Simultaneously, it establishes edge associations between entities. Then, starting with the new phone number, it checks if any related entities within three hops contain "fake" customers. If so, it uses these "fake" customers as the starting point, setting their value to 1 (r = 1). For each hop, the value is multiplied by 0.9. If multiple paths relate to the phone number, the maximum value (max(r * 0.9)) is taken. n This represents the probability that the user corresponding to this mobile number is a "fake" customer. The business system sets a threshold; if the probability exceeds the threshold, the user can be identified as a "fake" customer.
[0100] It should be understood that although the steps in the flowcharts of the above embodiments are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the above embodiments may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages of other steps.
[0101] Based on the same inventive concept, this application also provides an anomaly detection device for target accounts used to implement the above-described anomaly detection method for target accounts. The solution provided by this device is similar to the implementation described in the above-described method. Therefore, the specific limitations in one or more anomaly detection device embodiments for target accounts provided below can be found in the limitations of the anomaly detection method for target accounts described above, and will not be repeated here.
[0102] In one embodiment, such as Figure 5 As shown, an anomaly detection device for a target account is provided, comprising: an information extraction module 502, a graph vertex insertion module 504, an edge establishment module 506, and an anomaly detection module 508, wherein:
[0103] Information extraction module 502 is used to extract target accounts and target entities from target business data;
[0104] The graph vertex insertion module 504 is used to insert the target account and the target entity as graph vertices into the graph database. The graph database includes multiple graph nodes connected by edges. The graph nodes include known accounts and known entities. The known accounts include normal accounts and abnormal accounts.
[0105] The edge establishment module 506 is used to determine, based on the target business data, the graph nodes to be connected that are directly associated with the graph vertices from each graph node, and to establish the edges between the graph vertices and the graph nodes to be connected.
[0106] The anomaly detection module 508 is used to detect anomalies in the target account based on the minimum number of edges when there is an abnormal account that is directly or indirectly associated with the target account, and the minimum number of edges between the graph node where the abnormal account is located and the graph vertex where the target account is located is less than or equal to a preset threshold, thereby obtaining the anomaly detection result of the target account.
[0107] In some embodiments, the anomaly detection module is further configured to obtain graph node propagation weight data and the baseline weight of the associated abnormal account; calculate the propagation weight of the target account based on the baseline weight, the graph node propagation weight data and the minimum number of edges; and determine the target account as an abnormal account when the propagation weight of the target account is greater than the preset weight data.
[0108] In some embodiments, the anomaly judgment module is further configured to: take the vertex of the graph where the target account is located as the starting point, traverse the graph nodes whose number of edges connected to the graph vertex is less than or equal to a preset threshold; when there is a target graph node representing an abnormal account among the traversed graph nodes, determine the minimum number of edges between the target graph node and the vertex of the graph where the target account is located; and perform anomaly judgment on the target account based on the minimum number of edges to obtain the anomaly judgment result of the target account.
[0109] In some embodiments, the anomaly detection module is further configured to determine the graph node link between the target graph node and the graph vertex where the target account is located when there is a target graph node representing an abnormal account among the traversed graph nodes; and to take the number of edges of the graph node link with the fewest number of graph nodes as the minimum number of edges between the target graph node and the graph vertex where the target account is located.
[0110] In some embodiments, abnormal accounts in the graph nodes carry abnormal account tags; the abnormal judgment device for the target account further includes an abnormal account tagging module, which is used to tag the graph vertex where the target account is located in the graph database with an abnormal account when the abnormal judgment result of the target account is that the account is abnormal.
[0111] In some embodiments, the anomaly detection device for the target account further includes a graph database module, used to acquire offline business data containing account information and entity information; determine the direct association between each known account and each known entity based on the offline business data according to the known accounts represented by the account information and the known entities represented by the entity information; and construct a graph database with each known account and each known entity as graph nodes and the association as the edges between graph nodes.
[0112] The aforementioned anomaly detection device for target accounts extracts target accounts and target entities from target business data, inserts these targets as incremental graph vertices into the graph database, and, based on the target business data, determines graph nodes directly associated with the graph vertices to be connected from each graph node. It then establishes edges between the graph vertices and the nodes to be connected. Since graph nodes include normal accounts, abnormal accounts, and known entities, it enables in-depth data relationship mining. When there are abnormal accounts in the graph database that are directly or indirectly associated with the target account, and the minimum number of edges between the graph node containing the associated abnormal account and the graph vertex containing the target account is less than or equal to a preset threshold, it predicts whether the target account might be an abnormal account based on the degree of association between the abnormal account and the target account represented by the minimum number of edges. This yields the anomaly detection result for the target account, enabling in-depth mining of the hidden attribute of whether the target account is abnormal in the target business data.
[0113] The various modules in the aforementioned anomaly detection device for target accounts can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in a computer device, or stored in the memory of a computer device as software, so that the processor can call and execute the corresponding operations of each module.
[0114] In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as follows: Figure 6 As shown, the computer device includes a processor, memory, and a network interface connected via a system bus. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The database stores business data. The network interface communicates with external terminals via a network connection. When executed by the processor, the computer program implements a method for anomaly detection of a target account.
[0115] Those skilled in the art will understand that Figure 6 The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0116] In one embodiment, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:
[0117] Extract target accounts and target entities from target business data; insert the target accounts and target entities as graph vertices into a graph database, the graph database including multiple graph nodes connected by edges, the graph nodes including known accounts and known entities, the known accounts including normal accounts and abnormal accounts; based on the target business data, determine the graph nodes directly associated with the graph vertices from each graph node to be connected, and establish the edges between the graph vertices and the graph nodes to be connected; when there are abnormal accounts directly or indirectly associated with the target account, and the minimum number of edges between the graph node containing the associated abnormal account and the graph vertex containing the target account is less than or equal to a preset threshold, perform an anomaly judgment on the target account based on the minimum number of edges, and obtain the anomaly judgment result of the target account.
[0118] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0119] Obtain the propagation weight data of graph nodes and the baseline weight of the associated abnormal account; calculate the propagation weight of the target account based on the baseline weight, the propagation weight data of graph nodes and the minimum number of edges; when the propagation weight of the target account is greater than the preset weight data, determine that the target account is an abnormal account.
[0120] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0121] Starting from the vertex of the graph where the target account is located, traverse the graph nodes whose number of edges connected to the graph vertex is less than or equal to a preset threshold; when there is a target graph node representing an abnormal account among the traversed graph nodes, determine the minimum number of edges between the target graph node and the vertex of the graph where the target account is located; perform an anomaly judgment on the target account based on the minimum number of edges, and obtain the anomaly judgment result of the target account.
[0122] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0123] When a target graph node representing an abnormal account exists among the traversed graph nodes, the graph node link between the target graph node and the graph vertex where the target account is located is determined; the number of edges in the graph node link with the fewest graph nodes is taken as the minimum number of edges between the target graph node and the graph vertex where the target account is located.
[0124] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0125] When the anomaly assessment result of the target account is that the account is abnormal, the graph vertex where the target account is located in the graph database is marked as an abnormal account.
[0126] In one embodiment, the processor, when executing a computer program, also performs the following steps:
[0127] Obtain offline business data containing account information and entity information; based on the offline business data, determine the direct association between each known account and each known entity according to the known accounts represented by the account information and the known entities represented by the entity information; construct a graph database with each known account and each known entity as graph nodes and the association as the edges between graph nodes.
[0128] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon, the computer program performing the following steps when executed by a processor:
[0129] Extract target accounts and target entities from target business data; insert the target accounts and target entities as graph vertices into a graph database, the graph database including multiple graph nodes connected by edges, the graph nodes including known accounts and known entities, the known accounts including normal accounts and abnormal accounts; based on the target business data, determine the graph nodes directly associated with the graph vertices from each graph node to be connected, and establish the edges between the graph vertices and the graph nodes to be connected; when there are abnormal accounts directly or indirectly associated with the target account, and the minimum number of edges between the graph node containing the associated abnormal account and the graph vertex containing the target account is less than or equal to a preset threshold, perform an anomaly judgment on the target account based on the minimum number of edges, and obtain the anomaly judgment result of the target account.
[0130] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:
[0131] Obtain the propagation weight data of graph nodes and the baseline weight of the associated abnormal account; calculate the propagation weight of the target account based on the baseline weight, the propagation weight data of graph nodes and the minimum number of edges; when the propagation weight of the target account is greater than the preset weight data, determine that the target account is an abnormal account.
[0132] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:
[0133] Starting from the vertex of the graph where the target account is located, traverse the graph nodes whose number of edges connected to the graph vertex is less than or equal to a preset threshold; when there is a target graph node representing an abnormal account among the traversed graph nodes, determine the minimum number of edges between the target graph node and the vertex of the graph where the target account is located; perform an anomaly judgment on the target account based on the minimum number of edges, and obtain the anomaly judgment result of the target account.
[0134] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:
[0135] When a target graph node representing an abnormal account exists among the traversed graph nodes, the graph node link between the target graph node and the graph vertex where the target account is located is determined; the number of edges in the graph node link with the fewest graph nodes is taken as the minimum number of edges between the target graph node and the graph vertex where the target account is located.
[0136] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:
[0137] When the anomaly assessment result of the target account is that the account is abnormal, the graph vertex where the target account is located in the graph database is marked as an abnormal account.
[0138] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:
[0139] Obtain offline business data containing account information and entity information; based on the offline business data, determine the direct association between each known account and each known entity according to the known accounts represented by the account information and the known entities represented by the entity information; construct a graph database with each known account and each known entity as graph nodes and the association as the edges between graph nodes.
[0140] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, performs the following steps:
[0141] Extract target accounts and target entities from target business data; insert the target accounts and target entities as graph vertices into a graph database, the graph database including multiple graph nodes connected by edges, the graph nodes including known accounts and known entities, the known accounts including normal accounts and abnormal accounts; based on the target business data, determine the graph nodes directly associated with the graph vertices from each graph node to be connected, and establish the edges between the graph vertices and the graph nodes to be connected; when there are abnormal accounts directly or indirectly associated with the target account, and the minimum number of edges between the graph node containing the associated abnormal account and the graph vertex containing the target account is less than or equal to a preset threshold, perform an anomaly judgment on the target account based on the minimum number of edges, and obtain the anomaly judgment result of the target account.
[0142] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:
[0143] Obtain the propagation weight data of graph nodes and the baseline weight of the associated abnormal account; calculate the propagation weight of the target account based on the baseline weight, the propagation weight data of graph nodes and the minimum number of edges; when the propagation weight of the target account is greater than the preset weight data, determine that the target account is an abnormal account.
[0144] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:
[0145] Starting from the vertex of the graph where the target account is located, traverse the graph nodes whose number of edges connected to the graph vertex is less than or equal to a preset threshold; when there is a target graph node representing an abnormal account among the traversed graph nodes, determine the minimum number of edges between the target graph node and the vertex of the graph where the target account is located; perform an anomaly judgment on the target account based on the minimum number of edges, and obtain the anomaly judgment result of the target account.
[0146] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:
[0147] When a target graph node representing an abnormal account exists among the traversed graph nodes, the graph node link between the target graph node and the graph vertex where the target account is located is determined; the number of edges in the graph node link with the fewest graph nodes is taken as the minimum number of edges between the target graph node and the graph vertex where the target account is located.
[0148] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:
[0149] When the anomaly assessment result of the target account is that the account is abnormal, the graph vertex where the target account is located in the graph database is marked as an abnormal account.
[0150] In one embodiment, when the computer program is executed by a processor, it further performs the following steps:
[0151] Obtain offline business data containing account information and entity information; based on the offline business data, determine the direct association between each known account and each known entity according to the known accounts represented by the account information and the known entities represented by the entity information; construct a graph database with each known account and each known entity as graph nodes and the association as the edges between graph nodes.
[0152] It should be noted that the account information and entity information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, stored data, displayed data, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties.
[0153] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, etc., and are not limited to these.
[0154] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.
[0155] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.
Claims
1. A method for anomaly detection of a target account, characterized in that, The method includes: Extract target accounts and target entities from target business data; The target account and the target entity are inserted as graph vertices into the graph database. The graph database includes multiple graph nodes connected by edges. The graph nodes include known accounts and known entities. The known accounts include normal accounts and abnormal accounts. Based on the target business data, determine the graph nodes to be connected that are directly associated with the graph vertices from each graph node, and establish the connection between the graph vertices and the graph nodes to be connected; When there is an abnormal account that is directly or indirectly associated with the target account, and the minimum number of edges between the graph node containing the associated abnormal account and the graph vertex containing the target account is less than or equal to a preset threshold, Obtain the propagation weight data of graph nodes and the baseline weight of the associated abnormal accounts; When the propagation weight data of graph nodes is the same across all graph nodes, based on the baseline weight r, the propagation weight data a, and the minimum number of edges n, the result is calculated according to x = r * a. n Calculate the propagation weight x of the target account; When the propagation weight x of the target account is greater than the preset weight data m, the target account is marked as an abnormal account in order to expand the data of the graph database.
2. The method according to claim 1, characterized in that, The method for determining the minimum number of connected edges includes: Starting from the vertex of the graph where the target account is located, traverse the graph nodes whose number of edges connected to the graph vertex is less than or equal to a preset threshold. When there is a target graph node representing an abnormal account among the traversed graph nodes, determine the minimum number of edges between the target graph node and the graph vertex where the target account is located.
3. The method according to claim 2, characterized in that, When a target graph node representing an abnormal account exists among the traversed graph nodes, determining the minimum number of edges between the target graph node and the vertex of the graph containing the target account includes: When there is a target graph node representing an abnormal account among the traversed graph nodes, determine the graph node links between the target graph node and the graph vertex where the target account is located; The minimum number of edges between the target graph node and the vertex of the graph containing the fewest graph nodes is taken as the minimum number of edges between the target graph node and the vertex of the graph containing the target account.
4. The method according to claim 1, characterized in that, The abnormal accounts in the graph nodes carry abnormal account markers; the method further includes: When the anomaly assessment result of the target account is that the account is abnormal, the graph vertex where the target account is located in the graph database is marked as an abnormal account.
5. The method according to any one of claims 1 to 4, characterized in that, The method further includes: Obtain offline business data containing account and entity information; Based on the known accounts represented by the account information and the known entities represented by the entity information, and using the offline business data, determine the direct association between each known account and each known entity; A graph database is constructed using the known accounts and known entities as graph nodes and the relationships as edges connecting the graph nodes.
6. An anomaly detection device for a target account, characterized in that, The device includes: The information extraction module is used to extract target accounts and target entities from target business data; The graph vertex insertion module is used to insert the target account and the target entity as graph vertices into the graph database. The graph database includes multiple graph nodes connected by edges. The graph nodes include known accounts and known entities. The known accounts include normal accounts and abnormal accounts. The edge establishment module is used to determine, based on the target business data, the graph nodes to be connected that are directly associated with the graph vertices from each graph node, and to establish the edges between the graph vertices and the graph nodes to be connected. The anomaly detection module is used to obtain graph node propagation weight data and the baseline weight of the associated abnormal account when there is an abnormal account directly or indirectly associated with the target account, and the minimum number of edges between the graph node containing the associated abnormal account and the graph vertex containing the target account is less than or equal to a preset threshold. When the graph node propagation weight data is the same between graph nodes, based on the baseline weight r, the graph node propagation weight data a, and the minimum number of edges n, according to x=r*a... n Calculate the propagation weight x of the target account; when the propagation weight x of the target account is greater than the preset weight data m, mark the target account as an abnormal account to realize the data augmentation of the graph database.
7. The apparatus according to claim 6, characterized in that, The anomaly detection device for the target account is also used to acquire offline business data containing account information and entity information; and based on the offline business data, determine the direct association between each known account and each known entity according to the known accounts represented by the account information and the known entities represented by the entity information. A graph database is constructed using the known accounts and known entities as graph nodes and the relationships as edges connecting the graph nodes.
8. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 5.
9. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 5.
10. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 5.