A user portrait-based account security monitoring method, device and electronic equipment

By using real-time assessment and comprehensive risk control mechanisms based on user profiles, the problem of traditional security technologies being unable to effectively deal with internal threats has been solved, achieving real-time and effective account security monitoring.

CN116305038BActive Publication Date: 2026-06-05BEIJING WISDOM TOOTH TECH CONSULTING CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING WISDOM TOOTH TECH CONSULTING CO LTD
Filing Date
2023-03-08
Publication Date
2026-06-05

Smart Images

  • Figure CN116305038B_ABST
    Figure CN116305038B_ABST
Patent Text Reader

Abstract

The application relates to a user portrait-based account security monitoring method and device and electronic equipment, the method comprising: acquiring user behavior data; determining a clustering gang according to the user behavior data and a preset clustering model; determining a clustering gang score according to a preset clustering gang scoring rule and the clustering gang; determining a risk score according to the user behavior data and a real-time prediction model; acquiring user login data, a preset blacklist and a third-party risk control score; and determining whether to intercept according to the clustering gang score, the risk score, the third-party risk control score, the user login data, the preset blacklist and a preset risk control rule. The application has the effect of improving the real-time performance of an account security monitoring system.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of risk control account security, and in particular to an account security monitoring method, device and electronic device based on user profile. Background Technology

[0002] With the widespread application of technology, people's personal information is constantly being transmitted across networks. The widespread use of games, paid services, and financial apps has led to an increasing degree of virtualization of people's assets, making people pay more attention to the security of their personal account information. At the same time, with the continuous improvement of technology, the original account security monitoring systems are becoming increasingly easier to break.

[0003] Currently, approximately 70% of security threats originate from within an organization. Whether it's a departing employee stealing customer data or a resentful employee deliberately sabotaging the system, repeated security incidents demonstrate that the easiest way to breach a fortress often comes from internal threats. Internally, traditional threat defense measures are insufficient. For companies that have recognized the urgency of the problem, using traditional security technologies has not helped them effectively solve internal security issues. Traditional security technologies typically escalate account verification levels based on the user's login device or address, requiring login via SMS verification codes, but they offer no constraints or restrictions on abnormal user behavior after login. Summary of the Invention

[0004] To improve the real-time performance of account security monitoring, this application provides a method, apparatus, and electronic device for account security monitoring based on user profiles.

[0005] Firstly, this application provides an account security monitoring method based on user profiles, employing the following technical solution:

[0006] A user profile-based account security monitoring method includes:

[0007] Get the current user profile data;

[0008] Based on current user profile data and a pre-defined clustering model, identify clustered groups;

[0009] The user's clustering score is determined based on the preset clustering group scoring rules and clustering groups;

[0010] Determine the user's risk score based on current user profile data and real-time prediction models;

[0011] Obtain a preset blacklist and third-party risk control scores;

[0012] The decision to block is based on the cluster group score, risk score, third-party risk control score, current user profile data, preset blacklist, and preset risk control rules.

[0013] By adopting the above technical solution, after a user logs in, the current user profile data of the logged-in user is obtained in real time. Multiple logged-in users are grouped into clusters based on their respective current user profile data through a preset clustering module. Then, a clustering score is determined for each user according to preset clustering scoring rules. Next, a risk score is determined for each user based on the current user profile data and a real-time prediction model. Then, a preset blacklist formed by manual labeling by staff is obtained, and a third-party risk control score for the current user is obtained from a third-party system. Finally, based on the clustering score, risk score, third-party risk control score, current user profile data, preset blacklist, and preset risk control rules, it is determined whether to block the user. With the above solution, after a user logs in, the current user profile data can be obtained in real time. Based on the current user profile data, a score is calculated and combined with the score given to the user by the third-party risk control system, it is determined in real time whether the user needs to be blocked. When it is determined that the user needs to be blocked, the user is blocked, thus improving the real-time performance of account security monitoring.

[0014] Optionally, obtaining the current user profile data includes:

[0015] Obtain raw data, which is data generated during account access;

[0016] The raw data is collected into a Hive table using Flume and statistically analyzed according to business categories to determine basic account data, user access data, user behavior data, and account association data.

[0017] The basic account data, user access data, user behavior data, and account association data form the current user profile data.

[0018] Optionally, determining clustered groups based on current user profile data and a preset clustering model includes:

[0019] Based on user behavior data and a pre-defined dbscan model for clustering, multiple groups are obtained, each group being a collection of multiple users.

[0020] Optionally, determining the clustering group score based on the preset clustering group scoring rules and clustering groups includes:

[0021] Obtain the core object of the gang, and determine the spatial distance of each user in the gang from the core object;

[0022] Divide the data into different scoring intervals, with each interval corresponding to a different cluster group score.

[0023] Determine the scoring range for each user's distance from the core members of the gang;

[0024] The user's cluster score is determined based on the cluster score corresponding to the score range they fall within.

[0025] Optionally, before determining the risk score based on current user profile data and a real-time prediction model, the method further includes:

[0026] Retrieve historical user profile data within a preset time period;

[0027] The historical user profile data is divided into a training set and a test set based on time.

[0028] Based on the training set, a real-time prediction model is trained using the xgboost machine learning model.

[0029] The test set is input into the real-time prediction to verify whether the real-time prediction model meets the standard.

[0030] If so, the risk score is determined based on the current user profile data and the real-time prediction model.

[0031] Optionally, determining whether to block based on cluster group scores, risk scores, third-party risk control scores, user login data, preset blacklists, and preset risk control rules includes:

[0032] Determine the user ID based on the user's basic data and determine whether the user ID is in a preset blacklist;

[0033] If so, intercept;

[0034] If not:

[0035] When both the cluster group score and risk score are outside their respective threshold ranges, the operation is blocked.

[0036] or,

[0037] Based on the user's basic data, determine the number of complaints against the user ID;

[0038] When both the number of complaints and the third-party risk control score are outside their respective threshold ranges, the system will block the operation.

[0039] Secondly, this application provides an account security monitoring device based on user profiles, which adopts the following technical solution:

[0040] An account security monitoring device based on user profiles, comprising:

[0041] The first acquisition module is used to acquire the current user profile data;

[0042] The clustering module is used to identify clustered groups based on the current user profile data and the preset clustering model.

[0043] The first scoring module is used to determine the cluster score based on the preset cluster scoring rules and clusters.

[0044] The second scoring module is used to determine the risk score based on the current user profile data and the real-time prediction model;

[0045] The second acquisition module is used to acquire a preset blacklist and third-party risk control scores;

[0046] The interception module is used to determine whether to intercept based on the clustering group score, risk score, third-party risk control score, current user profile data, preset blacklist and preset risk control rules.

[0047] Thirdly, this application provides an electronic device that adopts the following technical solution:

[0048] An electronic device includes a memory and a processor, wherein the memory stores a computer program that can be loaded by the processor and executed as a user profile-based account security monitoring method.

[0049] Fourthly, this application provides a computer-readable storage medium, which adopts the following technical solution:

[0050] A computer-readable storage medium storing a computer program capable of being loaded by a processor and executed as a user profile-based account security monitoring method.

[0051] In summary, this application includes the following beneficial technical effects:

[0052] After a user logs in, the system can obtain the user's current user profile data in real time. Based on the current user profile data, a score is assigned and combined with the score given to the user by the third-party scoring system. The system can then determine in real time whether the user needs to be blocked. If it is determined that the user needs to be blocked, the user will be blocked, thus improving the real-time performance of account security monitoring. Attached Figure Description

[0053] Figure 1 This is a flowchart of the account security monitoring method based on user profiles provided in this application.

[0054] Figure 2 This is a system block diagram of the account security monitoring device based on user profiles provided in this application.

[0055] Figure 3 This is a schematic diagram of the structure of the electronic device provided in this application.

[0056] Explanation of reference numerals in the attached figures: 200, Account security monitoring device based on user profile; 201, First acquisition module; 202, Clustering module; 203, First scoring module; 204, Second scoring module; 205, Second acquisition module; 206, Interception module; 301, CPU; 302, ROM; 303, RAM; 304, I / O interface; 305, Input section; 306, Output section; 307, Storage section; 308, Communication section; 309, Driver; 310, Removable medium. Detailed Implementation

[0057] The following is in conjunction with the appendix Figure 1-3 This application will be described in further detail.

[0058] This application discloses an account security monitoring method based on user profiles. (Refer to...) Figure 1 User profile-based account security monitoring methods include:

[0059] S101: Get the current user profile data.

[0060] Specifically, the process involves acquiring raw data, which is the data generated after a user logs into the system and performs related operations. This includes user login IP, login device information, recharge and consumption records, knowledge base settings, message sending data, whether risky keywords were matched, chat messages from other users, recorded phone calls, and user complaint data. After acquiring the raw data, it is collected into a Hive table using Flume and statistically analyzed according to business categories to determine basic user data, user access data, user behavior data, and account association data.

[0061] Basic user data includes whether the service is charged, industry affiliation, registration duration, purchased products, spending level, company group tags, the company that made the payment, and the number of complaints received.

[0062] User access data includes account name, frequently used IP address, city, frequently used browser, frequently used software client, login frequency, activity level, access protocol, and frequently used access time period.

[0063] User behavior data includes: login duration, online time period, number of knowledge bases maintained, number of risky words in knowledge base entries, number of risky words in reply messages, number of risky words in call recordings, number of times session records are viewed, number of times recordings are listened to, frequency of system settings modifications, whether phone numbers are imported in batches, recharge records, consumption records, and the time period and frequency of product usage.

[0064] Account association data includes accounts that use the same function at the same time, accounts that log in from the same IP address, accounts that log in from the same device ID, and accounts that log in from multiple addresses.

[0065] After determining the user's basic data, user access data, user behavior data, and account association data, these data together constitute the current user profile data.

[0066] S102: Based on the current user profile data and the preset clustering model, determine the clustered groups.

[0067] Specifically, a group is a collection of multiple users. Based on the analysis of user behavior data, the similarity of users is analyzed, and the determined accounts are clustered into different groups using the dbscan model. Specifically, when clustering users using the dbscan model, the current user profile data, radius, and minimum number are input into the dbscan model. The dbscan model outputs all clustered groups that meet the density requirements. In this embodiment, the radius and minimum number can be set by the staff according to the actual situation. At the same time, clustering using the dbscan model is a well-known technical means for those skilled in the art, so the specific clustering process will not be described in detail here.

[0068] S103: Determine the cluster score based on the preset cluster scoring rules and clusters.

[0069] Specifically, after identifying the clustered groups, each account is scored according to the preset clustering group scoring rules. For example, it is assumed that all users in each group should be evenly and dispersedly distributed in an N-dimensional space, but some high-risk accounts are controlled by one person, so there is a certain degree of similarity between them, and they will be relatively close in terms of spatial distance.

[0070] The core objects of the clusters are identified; different scoring intervals are defined. For example, accounts with a spatial distance of 0-A from the core object correspond to cluster score 1, accounts with a spatial distance of AB correspond to cluster score 2, and accounts with a spatial distance of BC correspond to cluster score 3, where A < B < C, and cluster score 1 > cluster score 2 > cluster score 3. The cluster score for each account can be determined based on the scoring interval corresponding to the spatial distance. In this embodiment, the values ​​of A, B, and C, as well as the number of scoring intervals, can be determined by staff according to the actual situation and are not restricted here. The spatial distance is the cosine similarity distance from the machine learning field, and its determination method is not detailed here.

[0071] S104: Determine the risk score based on the user's current profile data and the real-time prediction model.

[0072] Specifically, historical user profile data within a preset time period is obtained. In this embodiment, the preset time period is 1 year and 2 months. The XGBoost machine learning model is used for training and prediction. The training set is the latest data from the past 2 months, and the test set is the data from the past 2 months. First, a real-time prediction model is trained using the XGBoost machine learning model based on the training set. After the real-time prediction model is trained, its accuracy is tested using the test set. When the accuracy reaches a preset value, the real-time prediction model is judged to meet the standard. When the accuracy is less than the preset value, the real-time prediction model is judged to not meet the standard. If it does not meet the standard, training continues based on the XGBoost machine learning model and the data in the training set until the real-time preset model meets the standard.

[0073] Once the real-time prediction model meets the standards, the acquired real-time user data is input into the model to derive the risk score for the corresponding account. Training the real-time prediction model and predicting risk scores using the XGBoost machine learning model is a well-known technique among technical personnel; the specific training process and prediction methods will not be detailed here.

[0074] S105: Obtain the preset blacklist and third-party risk control scores.

[0075] Specifically, the preset blacklist stores multiple accounts that need to be blocked. When the system determines that an account needs to be blocked, staff manually tag the account and add its ID to the blacklist, storing the blacklist in the database. The blacklist can be retrieved directly from the database when needed. Third-party risk control scores are input from third-party systems. For example, for sales platform A corresponding to this system, the third-party risk control score could be the risk score given by sales platform B for a specific account.

[0076] S106: Determine whether to block based on the cluster group score, risk score, third-party risk control score, current user profile data, preset blacklist and preset risk control rules.

[0077] Specifically, thresholds are set for clustered group scores, risk scores, third-party risk control scoring, and the number of complaints received. These thresholds can be set by staff based on actual circumstances. Once the thresholds are set, the decision to block an activity will be made as follows:

[0078] First, based on the user's basic data in the current user profile data, determine the user ID and check if the user ID exists in the blacklist. If it does, block the account and do not allow access; otherwise, do not block and allow the account to access. During the access process, determine the clustering group score and risk score in real time based on the user's behavior data, and combine the number of complaints determined from the user's basic data and the third-party risk control score obtained from the third-party risk control system to determine whether to block in real time.

[0079] Specifically, the system determines the relative values ​​of the cluster group score and the cluster group score threshold, the relative values ​​of the risk score and the risk score threshold, the relative values ​​of the third-party risk control score and the third-party risk control score threshold, and the relative values ​​of the number of complaints and the number of complaints threshold. When the cluster group score exceeds the cluster group score threshold, the risk score exceeds the risk score threshold, or the third-party risk control score exceeds the third-party risk control score threshold and the number of complaints exceeds the number of complaints threshold, the system blocks the account from further access. When any one of the cluster group score, risk score, third-party risk control score, or number of complaints exceeds its corresponding threshold, an alarm message is output to remind staff to monitor the account's behavior in real time.

[0080] By using the above method, not only can risky accounts be blocked before access, but also the risk of accounts accessing the system can be assessed in real time. When the risk value meets certain conditions, the account can be blocked, thus improving the real-time nature of account security monitoring.

[0081] This application discloses an account security monitoring device 200 based on user profiles. (Refer to...) Figure 2 The user profile-based account security monitoring device 200 includes:

[0082] The first acquisition module 201 is used to acquire the current user profile data;

[0083] Clustering module 202 is used to determine clustered groups based on the current user profile data and the preset clustering model;

[0084] The first scoring module 203 is used to determine the cluster score based on the preset cluster scoring rules and clusters.

[0085] The second scoring module 204 is used to determine the risk score based on the current user profile data and the real-time prediction model;

[0086] The second acquisition module 205 is used to acquire a preset blacklist and a third-party risk control score.

[0087] The interception module 206 is used to determine whether to intercept based on the clustering group score, risk score, third-party risk control score, current user profile data, preset blacklist and preset risk control rules.

[0088] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working process of the described module can be referred to the corresponding process in the foregoing method embodiments, and will not be repeated here.

[0089] This application discloses an electronic device. (Refer to...) Figure 3The electronic device includes a central processing unit (CPU) 301, which can perform various appropriate actions and processes based on a program stored in a read-only memory (ROM) 302 or a program loaded from a storage section 307 into a random access memory (RAM) 303. The RAM 303 also stores various programs and data required for system operation. The CPU 301, ROM 302, and RAM 303 are interconnected via a bus. An input / output (I / O) interface 304 is also connected to the bus.

[0090] The following components are connected to I / O interface 304: an input section 305 including a keyboard, mouse, etc.; an output section 306 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and speakers, etc.; a storage section 307 including a hard disk, etc.; and a communication section 308 including a network interface card such as a LAN card, modem, etc. The communication section 308 performs communication processing via a network such as the Internet. A drive 309 is also connected to I / O interface 304 as needed. A removable medium 310, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on drive 309 as needed so that computer programs read from it can be installed into storage section 307 as needed.

[0091] Specifically, according to embodiments of this application, the flowchart above refers to... Figure 1 The described process can be implemented as a computer software program. For example, embodiments of this application include a computer program product comprising a computer program carried on a machine-readable medium, the computer program containing program code for performing the methods shown in the flowchart. In such embodiments, the computer program can be downloaded and installed from a network via communication section 308, and / or installed from removable medium 310. When the computer program is executed by central processing unit (CPU) 301, it performs the functions defined in the apparatus of this application.

[0092] It should be noted that the computer-readable medium shown in this application can be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. A computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this application, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In this application, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. Computer-readable signal media can also be any computer-readable medium other than computer-readable storage media, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the computer-readable medium can be transmitted using any suitable medium, including but not limited to: wireless, wire, optical fiber, RF, etc., or any suitable combination thereof.

[0093] The above description is merely a preferred embodiment of this application and an explanation of the technical principles employed. Those skilled in the art should understand that the scope of this application is not limited to technical solutions formed by specific combinations of the above-described technical features, but should also cover other technical solutions formed by arbitrary combinations of the above-described technical features or their equivalents without departing from the foregoing application concept. For example, technical solutions formed by substituting the above features with (but not limited to) technical features with similar functions claimed in this application.

Claims

1. A method for account security monitoring based on user profiles, characterized in that: include: Get the current user profile data; Based on current user profile data and a pre-defined clustering model, identify clustered groups; The user's clustering score is determined based on the preset clustering group scoring rules and clustering groups; Risk scores are determined based on current user profile data and real-time prediction models; Obtain a preset blacklist and third-party risk control scores; Based on the clustering group score, risk score, third-party risk control score, current user profile data, preset blacklist, and preset risk control rules, a determination is made as to whether to block the activity. This determination includes: Based on the user's basic data in the current user profile data, determine the user ID and check if the user ID is in the blacklist. If it is, block the account and do not allow access. If not, do not block and allow the account to access. During the access process, determine the clustering group score and risk score in real time based on user behavior data, and combine the number of complaints determined from the user's basic data and the third-party risk control score obtained from the third-party risk control system to determine whether to block in real time. The system determines the relative values ​​of the cluster group score and the cluster group score threshold, the relative values ​​of the risk score and the risk score threshold, the relative values ​​of the third-party risk control score and the third-party risk control score threshold, and the relative values ​​of the number of complaints and the number of complaints threshold. If the cluster group score is greater than the cluster group score threshold, the risk score is greater than the risk score threshold, or the third-party risk control score is greater than the third-party risk control score threshold and the number of complaints is greater than the number of complaints threshold, the system blocks the account from further access. If any one of the cluster group score, risk score, third-party risk control score, or number of complaints exceeds its corresponding threshold, an alarm message is output to remind staff to monitor the account's behavior in real time.

2. The account security monitoring method based on user profiles according to claim 1, characterized in that: The process of obtaining the current user profile data includes: Obtain raw data, which is data generated during account access; The raw data is collected into a Hive table using Flume and statistically analyzed according to business categories to determine basic account data, user access data, user behavior data, and account association data. The basic account data, user access data, user behavior data, and account association data form the current user profile data.

3. The account security monitoring method based on user profiles according to claim 2, characterized in that: The step of determining clustered groups based on current user profile data and a preset clustering model includes: Based on user behavior data and a preset dbscan model for clustering, multiple groups are obtained. Each group is a set of users whose behavior similarity reaches a preset value.

4. The account security monitoring method based on user profiles according to claim 3, characterized in that: The step of determining the cluster group score based on the preset cluster group scoring rules and cluster groups includes: Obtain the core object of the gang, and determine the spatial distance of each user in the gang from the core object; Divide the score into different intervals, and each interval corresponds to a different cluster group score; Determine the scoring range for each user's distance from the core members of the gang; The user's cluster score is determined based on the cluster score corresponding to the score range they fall within.

5. The account security monitoring method based on user profiles according to claim 1, characterized in that: Prior to the method of determining the risk score based on current user profile data and real-time prediction model, this method also includes: Retrieve historical user profile data within a preset time period; The historical user profile data is divided into a training set and a test set based on time. Based on the training set, a real-time prediction model is trained using the xgboost machine learning model. The test set is input into the real-time prediction to verify whether the real-time prediction model meets the standard. If so, the risk score is determined based on the current user profile data and the real-time prediction model.

6. An account security monitoring device based on user profiles, characterized in that: include: The first acquisition module (201) is used to acquire the current user profile data; The clustering module (202) is used to determine clustered groups based on the current user profile data and the preset clustering model; The first scoring module (203) is used to determine the cluster score based on the preset cluster scoring rules and clusters. The second scoring module (204) is used to determine the risk score based on the current user profile data and the real-time prediction model; The second acquisition module (205) is used to acquire a preset blacklist and a third-party risk control score; The interception module (206) is used to determine whether to intercept based on the clustering group score, risk score, third-party risk control score, current user profile data, preset blacklist, and preset risk control rules. The determination of whether to intercept includes: Based on the user's basic data in the current user profile data, determine the user ID and check if the user ID is in the blacklist. If it is, block the account and do not allow access. If not, do not block and allow the account to access. During the access process, determine the clustering group score and risk score in real time based on user behavior data, and combine the number of complaints determined from the user's basic data and the third-party risk control score obtained from the third-party risk control system to determine whether to block in real time. The system determines the relative values ​​of the cluster group score and the cluster group score threshold, the relative values ​​of the risk score and the risk score threshold, the relative values ​​of the third-party risk control score and the third-party risk control score threshold, and the relative values ​​of the number of complaints and the number of complaints threshold. If the cluster group score is greater than the cluster group score threshold, the risk score is greater than the risk score threshold, or the third-party risk control score is greater than the third-party risk control score threshold and the number of complaints is greater than the number of complaints threshold, the system blocks the account from further access. If any one of the cluster group score, risk score, third-party risk control score, or number of complaints exceeds its corresponding threshold, an alarm message is output to remind staff to monitor the account's behavior in real time.

7. An electronic device, characterized in that: It includes a memory and a processor, wherein the memory stores a computer program that can be loaded by the processor and executed according to any one of claims 1 to 5.

8. A computer-readable storage medium, characterized in that, The computer program is stored that can be loaded by a processor and executed according to any one of claims 1 to 5.