Team user identification method and apparatus, electronic device, medium, and program product
By constructing a network graph of account device location, network, and transaction information, the problem of low accuracy in identifying team users in existing technologies is solved, and accurate identification of risky team users is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA UNIONPAY
- Filing Date
- 2024-12-26
- Publication Date
- 2026-07-14
AI Technical Summary
In existing technologies, methods that rely solely on online information to identify arbitrage teams result in low accuracy in identifying team users.
By acquiring the device location, network information, and transaction information of the account, an initial network graph is constructed, and the attributes of nodes that meet the attribute change conditions are changed to form a target network graph, so as to identify accounts with the same attributes as risk team users.
It improves the accuracy of identifying risk team users by combining online and offline information to accurately identify risk team users.
Smart Images

Figure CN119850215B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of data processing, and more particularly to a method, apparatus, electronic device, medium, and program product for identifying team users. Background Technology
[0002] Arbitrage by teams hinders the development of internet marketing, preventing merchants from achieving the expected profit results and causing them to suffer numerous losses, including financial and reputational damage. How to accurately identify the members of arbitrage teams is an urgent problem to be solved.
[0003] In the exemplary technology, each mobile phone number is constructed as a user entity, and users in the same risk team are identified through online information such as the peer number, the number of outgoing calls, and the number of incoming calls for each mobile phone number.
[0004] However, the above approach relies solely on online information while ignoring information beyond that, which can lead to lower accuracy in identifying team users. Summary of the Invention
[0005] This application provides a method, apparatus, electronic device, medium, and program product for identifying team users, which solves the problem of low accuracy in identifying team users.
[0006] Firstly, this application provides a method for identifying team users, including:
[0007] Obtain target information for multiple first accounts, including the location of the device where the first account is logged in, the network information corresponding to the network connected to the device, and the transaction information of the first account;
[0008] The risk relationships between each first account are determined based on the target information, and an initial network graph is constructed based on the risk relationships. The initial network graph includes first accounts as nodes, and the connecting lines between two nodes are used to indicate the risk relationships between the first accounts corresponding to the two nodes.
[0009] The target network graph is obtained by modifying the attributes of nodes in the initial network graph that meet the attribute modification conditions.
[0010] In response to the fact that the first accounts corresponding to each node with the same attribute in the target network graph contain risky accounts, the users associated with the first accounts corresponding to each node with the same attribute are identified as users of the same risk team.
[0011] In some embodiments, determining the risk relationship between the respective first accounts based on the target information includes:
[0012] Based on the target information of the second account, determine one or more association relationships between the second account and the third account, wherein the second account is any one of the first accounts, and the third account is a first account other than the second account;
[0013] Determine the target parameters for the association, the target parameters including the frequency of occurrence of each association and / or the type of the association;
[0014] The risk relationship between the second account and the third account is determined based on the target parameters.
[0015] In some embodiments, the target parameter includes the type of the association, and determining the risk relationship between the second account and the third account based on the target parameter includes:
[0016] In response to the fact that the type is a preset type, the risk relationship between the second account and the third account is determined to be a high-risk relationship;
[0017] In response to the fact that the type is not a preset type, the risk relationship between the second account and the third account is determined to be a low-risk relationship.
[0018] In some embodiments, the target parameter includes the frequency of occurrence of each of the associations, and determining the risk relationship between the second account and the third account based on the target parameter includes:
[0019] If the number of occurrences of any of the aforementioned associations exceeds a corresponding preset number, the risk relationship between the second account and the third account is determined to be a high-risk relationship.
[0020] In response to each of the aforementioned associations occurring less than or equal to a corresponding preset number of times, the risk relationship between the second account and the third account is determined to be a low-risk relationship.
[0021] In some embodiments, the risk relationships include high-risk relationships and low-risk relationships, and the step of constructing an initial network graph based on the risk relationships includes:
[0022] Configure the node corresponding to each of the first accounts in the configuration diagram;
[0023] Based on the risk relationship between the two first accounts, a connection line is configured between the nodes corresponding to the two first accounts in the configuration diagram to obtain a first intermediate network diagram.
[0024] In the first intermediate network graph, a ternary node group is determined, wherein the ternary node group includes three nodes and the connecting lines between the three nodes form a triangle;
[0025] In response to the fact that two connecting lines in the ternary node group represent high-risk relationships and one connecting line represents low-risk relationships, the connecting line representing the low-risk relationship is changed to the connecting line representing the high-risk relationship, thus obtaining the initial network graph.
[0026] In some embodiments, the step of changing the attributes of nodes in the initial network graph that meet the attribute change conditions to obtain the target network graph includes:
[0027] Among the nodes in the initial network graph, the target node that meets the attribute change conditions is identified;
[0028] In the initial network graph, the target node is modified by changing its target attribute to obtain a second intermediate network graph;
[0029] The nodes with the same attribute in the second intermediate network graph are merged into one node with the same attribute to obtain the third intermediate network graph.
[0030] In response to the absence of nodes in the third intermediate network graph that satisfy the attribute change conditions, the third intermediate network graph is determined as the target network graph.
[0031] In some embodiments, determining the target node that satisfies the attribute change conditions among the nodes in the initial network graph includes:
[0032] Determine the first attribute value of the node to be changed in the initial network graph on the first attribute, and determine the second attribute value of the node to be changed on the second attribute. The first attribute is the current attribute of the node to be changed, and the second attribute is the attribute of the node to be changed.
[0033] The attribute gain amount of the node to be changed is determined based on the first attribute value and the second attribute value;
[0034] In response to the attribute gain being greater than a preset threshold, it is determined that the node to be changed meets the attribute change conditions, and the node to be changed is identified as the target node.
[0035] In some embodiments, before determining the value of the second attribute on the second attribute of the node to be changed, the method further includes:
[0036] Identify neighboring nodes that have a connection line with the node to be changed;
[0037] The attribute corresponding to the neighbor node is determined as the second attribute.
[0038] In some embodiments, there are multiple neighbor nodes, and determining the attribute gain amount for changing the attribute of the node to be changed based on the first attribute value and the second attribute value includes:
[0039] Determine the attribute gain between the first attribute value and the second attribute value corresponding to each second attribute;
[0040] The step of changing the target attributes of the target node in the initial network graph includes:
[0041] The second attribute corresponding to the largest attribute gain is determined as the target attribute of the node to be changed, and the first attribute of each target node in the initial network graph is changed to the target attribute corresponding to the target node.
[0042] In some embodiments, determining the first attribute value of the node to be changed in the initial network graph on the first attribute, and determining the second attribute value of the node to be changed in the second attribute, includes:
[0043] Based on the risk relationship represented by the connection lines between the node to be changed and each neighboring node, a first weight is determined between the node to be changed and each of the neighboring nodes, and each of the neighboring nodes is used to indicate the node that has a connection line with the node to be changed.
[0044] Determine the second weight between the node to be changed and the node corresponding to the second attribute;
[0045] The first attribute value of the node to be changed on the corresponding first attribute is determined according to each of the first weights, and the second attribute value of the node to be changed on the second attribute is determined according to the second weight and each of the first weights.
[0046] In one embodiment, determining the first weight between the node to be changed and each of the neighboring nodes based on the risk relationship represented by the connection lines between the node to be changed and each neighboring node includes:
[0047] Based on the risk relationship represented by the connection lines between the node to be changed and each neighboring node, a target connection line is determined among the connection lines between the node to be changed and each neighboring node. The target connection line is the connection line that represents a high-risk relationship.
[0048] The weight of each of the target connecting lines is determined as the first weight.
[0049] In some embodiments, determining the first attribute value of the node to be changed in the initial network graph includes:
[0050] Add the node identifiers corresponding to some of the nodes in the initial network graph to the queue;
[0051] Extract the node identifier from the head of the queue as the target identifier, determine the node corresponding to the target identifier as the node to be changed, and determine the first attribute value of the node to be changed on the first attribute.
[0052] The step of changing the target attributes of the target node in the initial network graph includes:
[0053] Add the node identifier corresponding to the node connected to the target node in all the initial network graphs to the queue, configure the connection line between the target node and the node corresponding to the target attribute, and change the first attribute of the target node to the target attribute;
[0054] Return to the step of extracting the node identifier from the head of the queue as the target identifier, wherein the queue does not store node identifiers, and complete the attribute changes of all target nodes in the initial network graph to obtain the second intermediate network graph.
[0055] In some embodiments, after merging nodes with the same attribute in the second intermediate network graph into a single node with the same attribute, the method further includes:
[0056] In response to the existence of nodes in the third intermediate network graph that satisfy the attribute change conditions, the third intermediate network graph is updated to the initial network graph;
[0057] Return to the step of determining each target node that meets the attribute change conditions among the nodes in the initial network graph.
[0058] In some embodiments, constructing the initial network graph based on the risk relationships includes:
[0059] Multiple fourth accounts are identified among the first accounts, the fourth accounts being used to indicate the accounts of known risk team users;
[0060] Based on the risk relationships, a sub-network graph corresponding to each of the fourth accounts is constructed, and the various sub-network graphs are merged to obtain an initial network graph.
[0061] Secondly, this application provides a team user identification method apparatus, comprising:
[0062] The acquisition module is used to acquire target information of multiple first accounts. The target information includes the location of the device where the first account is logged in, the network information corresponding to the network connected to the device, and the transaction information of the first account.
[0063] The first determining module is used to determine the risk relationship between each first account based on the target information, and to construct an initial network graph based on the risk relationship. The initial network graph includes first accounts as nodes, and the connecting line between two nodes is used to indicate the risk relationship between the first accounts corresponding to the two nodes.
[0064] The processing module is used to change the attributes of nodes in the initial network graph that meet the attribute change conditions to obtain the target network graph;
[0065] The second determining module is used to determine users of the same risk team in response to the fact that the first accounts corresponding to each node with the same attribute in the target network graph contain risk accounts.
[0066] Thirdly, this application provides an electronic device, including: a processor, and a memory and a communication interface communicatively connected to the processor;
[0067] The communication interface is used to communicate with other communication devices;
[0068] The memory is used to store computer-executed instructions;
[0069] The processor is used to execute computer execution instructions stored in the memory to implement the team user identification method provided in the first aspect.
[0070] Fourthly, this application provides a computer-readable storage medium storing computer-executable instructions, which, when executed by a processor, implement the team user identification method provided in the first aspect.
[0071] Fifthly, this application provides a computer program product, including a computer program that, when executed by a processor, implements the team user identification method as provided in the first aspect.
[0072] The team user identification method, device, electronic device, medium, and program products provided in this application acquire target information such as the location of multiple account login devices, the network connected to the devices, and the transaction information of the accounts. Based on the target information, the risk relationships between various accounts are determined to construct an initial network graph. Nodes in the initial network graph that meet the attribute change conditions are then modified to obtain a target network graph. When the accounts corresponding to nodes with the same attribute in the target network graph include risky accounts, the users associated with the accounts corresponding to the nodes with the same attribute are identified as users of the same risk team. In this application, online information such as account transaction information and the network connected to the account's device, as well as offline information such as the account's location, are used to construct a network graph representing the connections between users in the online and real worlds. This allows for the accurate identification of risky team users based on the network graph, improving the accuracy of risky team user identification. Attached Figure Description
[0073] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.
[0074] Figure 1 This is a schematic diagram illustrating the scenarios involved in the user identification method used by the team in this application.
[0075] Figure 2 This is a flowchart illustrating the steps of the team user identification method in an embodiment of this application. Figure 1 ;
[0076] Figure 3 This is a flowchart illustrating the steps of the team user identification method in an embodiment of this application. Figure 2 ;
[0077] Figure 4 This is a schematic diagram illustrating the process for determining the risk relationship between accounts involved in an embodiment of this application;
[0078] Figure 5 This is a flowchart illustrating the steps of the team user identification method in an embodiment of this application. Figure 3 ;
[0079] Figure 6 This is a schematic diagram illustrating the conversion of a low-risk relationship to a high-risk relationship in an embodiment of this application;
[0080] Figure 7 This is a flowchart illustrating the steps of the team user identification method in an embodiment of this application. Figure 4 ;
[0081] Figure 8 This is a flowchart illustrating the steps of the team user identification method in an embodiment of this application. Figure 5 ;
[0082] Figure 9 This is a schematic diagram illustrating the process of determining the target network graph in an embodiment of this application;
[0083] Figure 10 This is a flowchart illustrating the steps of the team user identification method in an embodiment of this application. Figure 6 ;
[0084] Figure 11 This is a simplified flowchart illustrating the team user identification method involved in this application;
[0085] Figure 12 This is a schematic diagram of the program modules of a team user identification device provided in the embodiments of this application;
[0086] Figure 13 This is a schematic diagram of the hardware structure of an electronic device provided in an embodiment of this application.
[0087] The accompanying drawings illustrate specific embodiments of this application, which will be described in more detail below. These drawings and descriptions are not intended to limit the scope of the concept in any way, but rather to illustrate the concept of this application to those skilled in the art through reference to particular embodiments. Detailed Implementation
[0088] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions in the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application. Furthermore, although the disclosure in this application is described according to one or several exemplary examples, it should be understood that each aspect of these disclosures can also constitute a complete implementation method on its own.
[0089] It should be noted that the brief descriptions of terms in this application are only for the convenience of understanding the embodiments described below, and are not intended to limit the embodiments of this application. Unless otherwise stated, these terms should be understood in their ordinary and common meaning.
[0090] Furthermore, the terms “comprising” and “having”, and any variations thereof, are intended to cover but not exclusively include, for example, a product or device that includes a series of components is not necessarily limited to those that are explicitly listed, but may include other components that are not explicitly listed or that are inherent to such product or device.
[0091] The term "module" as used in the embodiments of this application refers to any known or subsequently developed hardware, software, firmware, artificial intelligence, fuzzy logic, or combination of hardware and / or software code capable of performing the functions associated with that element.
[0092] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, use and processing of the relevant data must comply with relevant laws, regulations and standards, and corresponding operation entry points are provided for users to choose to authorize or refuse.
[0093] Arbitrage by teams hinders the development of internet marketing, preventing merchants from achieving the expected profit results and causing them to suffer numerous losses, including financial and reputational damage. How to accurately identify the members of arbitrage teams is an urgent problem to be solved.
[0094] In the exemplary technology, each mobile phone number is constructed as a user entity, and users in the same risk team are identified through online information such as the peer number, the number of outgoing calls, and the number of incoming calls for each mobile phone number.
[0095] The inventors of this application have discovered that the method of identifying users of the aforementioned risk team relies solely on online information, ignoring information beyond online data, which leads to lower accuracy in identifying team users.
[0096] The inventors of this application therefore conceived of constructing a network graph representing the connection between a user in the online and real worlds by using online information such as account transaction information and the network connection of the device where the account is located, as well as offline information such as the location of the account. This allows for the accurate identification of risky team users based on the network graph, thereby improving the accuracy of identifying risky team users.
[0097] Reference Figure 1 , Figure 1This is a schematic diagram illustrating the scenario of the team user identification method of this application. The team user identification device 100 acquires target information for multiple accounts, including the location of the device where the account is logged in, the network the device is connected to, and the account's transaction information. The target information can be obtained from the database 200. Based on the target information, the team user identification device 100 determines the risk relationships between each first account and constructs an initial network graph based on each risk relationship. The initial network graph includes multiple nodes, each node representing a corresponding account, and the connecting lines between nodes represent the risk relationships between the accounts corresponding to the nodes. The team user identification device 100 performs attribute changes on the nodes in the initial network graph that meet the attribute change conditions to obtain a target network graph. When the accounts corresponding to the nodes with the same attribute in the target network graph include risky accounts, the users associated with the accounts corresponding to the nodes with the same attribute are identified as users of the same risk team. The team user identification device 100 then outputs a prompt message containing the identification information of users of the same risk team, such as the user's name, ID card number, mobile phone number, account nickname, etc.
[0098] The following combination Figure 1 The technical solutions shown in this application will be described in detail through embodiments. It should be noted that the following embodiments may exist independently or in combination with each other, and the same or similar content will not be described again in different embodiments.
[0099] Reference Figure 2 , Figure 2 This is a flowchart illustrating the team user identification method provided in the embodiments of this application. Figure 1 Team user identification methods include:
[0100] Step S201: Obtain target information for multiple first accounts. The target information includes the location of the device where the first account is logged in, the network information corresponding to the network connected to the device, and the transaction information of the first account.
[0101] In this embodiment, the executing entity is the team user identification device. For ease of description, the term "device" will be used to refer to the team user identification device below. The device can be a server or a terminal device with team user identification functionality.
[0102] The device acquires target information from multiple accounts, defined as the first account, which is the user's account with a financial institution, allowing the user to conduct online transactions using funds in that account. The target information includes the location of the device logged in with the first account, referring to the device's geographical location at the time of login. It also includes network information, such as a network identifier, corresponding to the network to which the device is connected. Furthermore, the target information includes transaction information for the first account.
[0103] Step S202: Determine the risk relationships between each first account based on the target information, and construct an initial network graph based on the risk relationships. The initial network graph contains the first accounts as nodes, and the connecting lines between two nodes are used to indicate the risk relationships between the first accounts corresponding to the two nodes.
[0104] After obtaining the target information for each first account, the device determines the risk relationship between the first accounts based on the target information.
[0105] In one example, the target information includes the location of the device where the first account is logged in. The device can determine the risk relationship between the various first accounts based on the location. Specifically, the device divides the electronic map into multiple areas. The device obtains the locations of the devices where two first accounts are logged in. If both locations are in the same area, it can be determined that the two devices are collinear in the same area, and the two first accounts have a risk relationship. Furthermore, the risk relationship includes high-risk and low-risk relationships. The aforementioned area is divided into multiple sub-areas. When two locations are in the same area, but one location is in one sub-area and the other is in another sub-area, the two first accounts have a low-risk relationship; if both locations are in the same sub-area, the two first accounts have a high-risk relationship. In addition, the relationship between two primary accounts can be determined by combining time and location. For example, if two primary accounts log in to the same device and appear in the same area within a short period of time, the two primary accounts can be identified as having a low-risk relationship. A short period of time is such as one month or one week. If two primary accounts log in to the same device and appear in the same sub-area within a short period of time, the two primary accounts have a high-risk relationship. If two primary accounts log in to the same device and appear in the same sub-area within a longer period of time, the two primary accounts have a low-risk relationship. A longer period of time is such as more than three months.
[0106] In another example, the target information includes network information corresponding to the network connected to the device logging in with the first account. Specifically, the network information can be a network identifier. If the network identifiers corresponding to the networks connected to by two devices logging in with the first account are the same, it can be determined that the two first accounts have a risky relationship.
[0107] In another example, the target information includes the transaction information of the first account. When the device determines based on the transaction information that two first accounts have had transfer records, it can determine that the two first accounts have a risk relationship; when it determines based on the transaction information that two first accounts have purchased goods in the same store, the two first accounts have a risk relationship; when the account on which one first account made a transaction is the same user account as the account on which the other first account made a transaction, the two first accounts have a risk relationship.
[0108] After determining the risk relationships between the various primary accounts, an initial network graph is constructed based on these risk relationships.
[0109] For example, multiple nodes are configured in the configuration graph, each node corresponding to a primary account. If two primary accounts have a risk relationship, a connecting line is directly configured between the nodes corresponding to the two primary accounts. For instance, if primary account A and primary account B have a risk relationship, and primary account A is represented by node a in the configuration graph, and primary account B is represented by node b, then a connecting line is configured between node a and node b. In this way, connecting lines are configured between nodes with risk relationships in the configuration graph. This method allows the construction of a network graph as the initial network graph.
[0110] Step S203: Modify the attributes of nodes in the initial network graph that meet the attribute change conditions to obtain the target network graph.
[0111] After constructing the initial network graph, the device identifies the nodes in the initial network graph that meet the attribute change conditions.
[0112] For example, each node in the initial network graph is considered an independent community, and the community is an attribute of the node. The nodes in the initial network graph are connected by lines. The modularity parameter of a node within its own community is determined through the nodes and the connections between that node and its neighbors. The modularity parameter of the community is the attribute value of the node in its own attribute, and this attribute value is defined as the first attribute value. Specifically, the connections between nodes can represent strong and weak ties. Strong ties refer to high-risk relationships, while weak ties refer to low-risk relationships. The device first determines the type of connection between a node and its neighbors. If the type is a strong tie, the weight of the connection is configured as 1; if the type is a weak tie, the weight of the connection is configured as 0.5. The first attribute value Q can be calculated using the weights represented by the connections between the node and each of its neighbors. The calculation method for the first attribute value Q is as follows:
[0113]
[0114] Among them, A ij k represents the weight of the connection line between node i and node j. i =∑ j A ij c represents the sum of the weights of all lines connecting node i to node j; i This indicates the community to which node i belongs; Let δ(c) represent the sum of the weights of all edges. If node i and node j belong to the same module, then δ(c) i ,c jIf m is a given value, and nodes i and j belong to the same module, then δ(c) = m. i ,c j Let n be a integer, and m be a integer greater than n. In the initial network graph, each node is an independent module, that is, each node belongs to a different module.
[0115] The device determines the community a node needs to migrate to, which means determining the attribute the node needs to change. For example, if node a's attribute needs to be changed to node b's attribute, then node a's community will be migrated to node b's community. The attribute to be changed is defined as the second attribute. The device determines the value of the second attribute for each node. Since node a changes its attribute to the second attribute, a connection needs to be configured between node a and node b. Therefore, node a will receive the second attribute value after the attribute change. If the difference between the second attribute value after migration and the first attribute value before migration is positive, then node a's attribute change has a gain, and node a can be considered to have met the attribute change condition.
[0116] After identifying all nodes in the initial network graph that meet the attribute change conditions, the attributes of these nodes are changed; that is, the first attribute of the node is changed to the second attribute specified in the aforementioned attribute change conditions. The first attribute of nodes that do not meet the attribute change conditions remains unchanged. It should be noted that a node's attribute change is represented by configuring a connection between that node and the node containing the second attribute.
[0117] It should be noted that after the first round of node attribute changes in the initial network graph, a second round of node attribute changes is performed, and the process for the second round is the same as that for the first round. In essence, the initial network graph undergoes multiple rounds of node attribute changes until all nodes in the network graph no longer meet the attribute change conditions, thus yielding the target network graph.
[0118] Step S204: In response to the fact that the first accounts corresponding to each node with the same attribute in the target network graph contain risk accounts, the users associated with the first accounts corresponding to each node with the same attribute are identified as users of the same risk team.
[0119] After obtaining the target network diagram, the device identifies risky accounts among the various first accounts. These risky accounts are those already identified as risky. Risky accounts include, for example, accounts that log into risky devices, accounts that transact with risky accounts, and accounts that transact with risky users. Risky devices include, for example, devices connected to risky networks. Additionally, devices appearing in the same area as risky devices are also considered risky devices.
[0120] In the target network graph, there are nodes with the same attribute. If each node's corresponding first account contains a risk account, then each first account corresponding to each node with the same attribute can be identified as an account in the same risk team. In other words, the users associated with each node with the same attribute are all users in the same risk team.
[0121] In this embodiment, target information such as the location of multiple account login devices, the network connected to the devices, and the transaction information of the accounts is obtained. Based on the target information, the risk relationships between the accounts are determined to construct an initial network graph. Nodes in the initial network graph that meet the attribute change conditions are then modified to obtain a target network graph. When accounts corresponding to nodes with the same attribute in the target network graph include risky accounts, the users associated with the accounts corresponding to nodes with the same attribute are identified as users of the same risk team. In this embodiment, by using online information such as account transaction information and the network connected to the account's device, as well as offline information such as the account's location, a network graph representing the connections between users in the online and real worlds is constructed. This allows for the accurate identification of users in risky teams based on the network graph, improving the accuracy of identifying users in risky teams.
[0122] Reference Figure 3 , Figure 3 Flowchart of the user identification method for this application team Figure 2 ,based on Figure 2 In the embodiment shown, step S202 includes:
[0123] Step S301: Based on the target information of the second account, determine one or more association relationships between the second account and the third account, where the second account is any first account and the third account is a first account other than the second account.
[0124] In this embodiment, taking two first accounts as an example, the determination of the risk relationship between the first accounts is explained in detail. The device first determines one or more association relationships between the second account and the third account based on the target information of the second account. The second account is any one of the first accounts, and the third account is any first account other than the second account.
[0125] Step S302: Determine the target parameters of the association, including the frequency of occurrence of each association and / or the type of association.
[0126] After determining the association, the device determines the target parameters for each association. The target parameters include at least one of the following: the number of times the second account and the third account are associated, and the type of association.
[0127] Step S303: Determine the risk relationship between the second account and the third account based on the target parameters.
[0128] After determining the target parameters for each type of association, the risk relationship between the second and third accounts is determined based on these target parameters. Risk relationships include high-risk relationships and low-risk relationships. It should be noted that a high-risk relationship refers to an association with a risk level higher than or equal to a threshold, while a low-risk relationship refers to an association with a risk level lower than a threshold.
[0129] In one example, the target parameter includes the type of association, which can be used to determine the risk level of the association between the second and third accounts. Specifically, when the association type is a preset type, the risk level of the association between the second and third accounts can be determined to be higher than or equal to a threshold, thus classifying the association between the second and third accounts as a high-risk relationship. The preset type could be, for example:
[0130] 1. The first device used for the second account login and the second device used for the third account login are the same device, and both the first and second devices are risky devices, meaning that the third account and the second account use the same risky device.
[0131] 2. The third account has transaction records with the second account, and at least one of the second and third accounts has transaction records with the risky account;
[0132] 3. The first piece of equipment, the second piece of equipment, and the hazardous equipment are all located in the same area;
[0133] 4. The network to which the first and second devices are connected is a risky network;
[0134] 5. The same products purchased by the second and third accounts were products sold by the risky account.
[0135] If the type of association is not a preset type, then the risk level of the association between the second account and the third account can be determined to be below a threshold, and the risk relationship between the second account and the third account can be classified as a low-risk relationship. Non-preset types of association include:
[0136] 1. There are transaction records between the second account and the third account;
[0137] 2. The first device logged in with the second account and the second device logged in with the third account are in the same region;
[0138] 3. The network to which the first device is connected is the same network as the network to which the second device is connected;
[0139] 4. The first device and the second device are the same device;
[0140] 5. The second account and the third account purchase the same product.
[0141] In another example, the device obtains the number of times the second account and the third account appear in each type of association. If the number of times any type of association appears is greater than the corresponding preset number, the risk relationship between the second account and the third account is determined to be a high-risk relationship; if the number of times each type of association appears is less than or equal to the corresponding preset number, the risk relationship between the second account and the third account is determined to be a low-risk relationship.
[0142] In one sub-example, if the number of times the third account and the second account are in the same area reaches two or more, then the risk relationship between the third account and the second account can be determined to be a high-risk relationship. (See reference...) Figure 4 If the electronic map is divided into 12 areas, and device 1 logged in with the second account and device 2 logged in with the third account both appear in area 1, and device 2 and device 1 both appear in area 12, then the risk relationship between the third account and the second account is a high-risk relationship.
[0143] In another sub-example, if the number of transfers between the third account and the second account exceeds two, and either the second or third account is a risky account, the risk relationship between the third and second accounts can be determined to be high-risk; if the number of transfers between the third and second accounts is only one, the risk relationship between the third and second accounts is low-risk. Furthermore, if the number of transfers between the third and second accounts exceeds three, and either the second or third account is an account that has engaged in transactions with a risky account, the risk relationship between the third and second accounts can be determined to be high-risk; if the number of transfers between the third and second accounts is two or one, the risk relationship between the third and second accounts is low-risk.
[0144] In another sub-example, if the device logged in by the third account and the device logged in by the second account are in the same area more than twice, the risk relationship between the third account and the second account can be determined as high-risk; if the device logged in by the third account and the device logged in by the second account are in the same area only once, the risk relationship between the third account and the second account can be determined as low-risk. Furthermore, different areas within the same region also indicate different risk relationships. For example, if the device logged in by the second account and the device logged in by the third account are in the same area, and the area of that area is greater than or equal to a preset area, the risk relationship between the third account and the second account is low-risk; if the area of that area is smaller than the preset area, the risk relationship between the third account and the second account is high-risk.
[0145] In this embodiment, the association between accounts is determined by the target information of the accounts, and the risk relationship between accounts is accurately determined by the frequency of occurrence and type of each association.
[0146] Reference Figure 5 , Figure 5 Flowchart of the user identification method for this application team Figure 3 ,based on Figure 3 In the embodiment shown, step S202 includes:
[0147] Step S501: Set the node corresponding to each first account in the configuration diagram.
[0148] In this embodiment, the device first sets up a configuration diagram, which is a blank image. The device configures the nodes corresponding to each first account in the configuration diagram, and each node is regarded as an independent community, which is used as an attribute of the node.
[0149] Step S502: Based on the risk relationship between the two first accounts, configure the connection lines between the nodes corresponding to the two first accounts in the configuration diagram to obtain the first intermediate network diagram.
[0150] Each primary account has a risk relationship. Once nodes are configured in the diagram, nodes corresponding to two primary accounts with a risk relationship are connected, i.e., a connecting line is configured between the two nodes. Risk relationships include high-risk and low-risk relationships. A high-risk relationship indicates a high level of confidence in the risk between the two primary accounts, and thus can be considered a high-confidence relationship. Conversely, a low-risk relationship indicates a low level of confidence in the risk between the two primary accounts, and thus can be considered a low-confidence relationship. When the risk relationship between two primary accounts is a high-confidence relationship, a solid line is configured between the two nodes corresponding to the two primary accounts; when the risk relationship between two primary accounts is a low-confidence relationship, a dashed line is configured between the two nodes corresponding to the two primary accounts. It is understood that different types of connecting lines between nodes represent different risk relationships. This embodiment is not limited to using solid and dashed lines to distinguish the risk relationship between two primary accounts.
[0151] After configuring the connections between all nodes, the device can obtain an intermediate network diagram, which is defined as the first intermediate network diagram.
[0152] Step S503: Determine a ternary node group in the first intermediate network graph, wherein the ternary node group includes three nodes and the connecting lines between the three nodes form a triangle.
[0153] In the first intermediate network graph, there exists a triple node group, which consists of three nodes connected by three lines. For example, there is a line connecting node a and node b, a line connecting node b and node c, and a line connecting node c and node a. Therefore, nodes a, b, and c constitute a triple node group. It can be understood that a triple node group consists of three nodes, and the lines connecting the three nodes form a triangle.
[0154] Step S504: In response to the fact that two connection lines in the ternary node group represent high-risk relationships and one connection line represents low-risk relationships, the connection line representing the low-risk relationship is changed to the connection line representing the high-risk relationship, and the initial network graph is obtained.
[0155] If two connecting lines in a ternary node group represent high-risk relationships and one connecting line represents a low-risk relationship, then changing the connecting line representing the low-risk relationship to the connecting line representing the high-risk relationship will yield the initial network graph.
[0156] It should be noted that, as the connecting lines representing low-risk relationships are changed to connecting lines representing high-risk relationships, new triplet nodes that meet the transformation conditions may appear in the network graph. A triplet node group that meets the transformation conditions refers to a triplet node group in which two connecting lines represent high-risk relationships and one connecting line represents a low-risk relationship.
[0157] Specifically, refer to Figure 6 The first intermediate network diagram includes four nodes: a, b, c, and d. The connection lines between nodes a and b, b and d, and a and c represent high-risk relationships, respectively. The connection lines between nodes a and d represent low-risk relationships, and the connection lines between nodes c and d also represent low-risk relationships. A tripartite node group consisting of nodes a, b, and d has two high-risk connection lines (ab and bd) and one low-risk connection line (ad). Therefore, ad can be converted from a dashed line to a solid line, meaning the connection line between nodes a and d represents a high-risk relationship. Since ad is converted to a solid line, a tripartite node group consisting of nodes a, c, and d has two high-risk connection lines (ac and ad) and one low-risk connection line (cd). Therefore, cd can be converted from a dashed line to a solid line, meaning the connection line between nodes c and d represents a high-risk relationship. It is understandable that after converting low-risk relationships to high-risk relationships in the current round, the conversion continues in the next round until there are no more tripartite node groups in the network graph that meet the conversion conditions. This network graph can then be used as the initial network graph.
[0158] In this embodiment, the corresponding high-risk relationship is defined as a high-confidence relationship. Essentially, it uses a custom relationship to perform convolution on the network graph to identify the user relationships of risky groups on the entire network graph. At the same time, by using "triangular diffusion" (ternary node group), it maximizes the use of limited information, reduces "false positives", and supplements and expands the high-confidence relationship, so as to discover all users of risky groups as much as possible, which significantly improves the recall rate of the discovery.
[0159] In this embodiment, the transformation and diffusion of low-risk relationships to high-risk relationships in the solid lines of the ternary node groups in the intermediate network graph simplifies the complex network and enriches and supplements the risk relationships between the nodes in the network graph, thereby improving the accuracy of identifying risk team users.
[0160] Reference Figure 7 , Figure 7 Flowchart of the user identification method for this application team Figure 4 ,based on Figure 2 , Figure 3 or Figure 5 In the embodiment shown, step S203 includes:
[0161] Step S701: Among the nodes in the initial network graph, determine the target node that meets the attribute change conditions.
[0162] Step S702: Change the target attributes of the target nodes in the initial network graph to obtain the second intermediate network graph.
[0163] In this embodiment, the device first identifies target nodes that meet the attribute change conditions among the nodes in the initial network graph, and then changes the target attributes of these target nodes in the initial network graph to obtain the second intermediate network graph. The method for determining nodes that meet the attribute change conditions can be... Figure 2 The description of the illustrated embodiment will not be repeated here. The target attribute refers to the second attribute involved in the attribute change condition, as described above.
[0164] Step S703: Merge all nodes with the same attribute in the second intermediate network graph into a single node with the same attribute to obtain the third intermediate network graph.
[0165] After obtaining the second intermediate network graph, nodes with the same attribute in the second intermediate network graph are merged and compressed into a single node corresponding to the same attribute, thus obtaining a new node with the same attribute. The weights of the edges (connections) between nodes with the same attribute are transformed into the weights of the cycles in the new node, and the weights of the edges with different attributes are transformed into the weights of the edges between the new nodes, thus obtaining the third intermediate network graph. Compared to the second intermediate network graph, the third intermediate network graph has fewer nodes.
[0166] Step S704: In response to the fact that there are no nodes in the third intermediate network graph that meet the attribute change conditions, the third intermediate network graph is determined as the target network graph.
[0167] The nodes in the third intermediate network graph are new nodes. The device determines whether there are new nodes in the third intermediate network graph that meet the attribute change conditions. If there are no new nodes in the third intermediate network graph that meet the attribute change conditions, then the attributes of each node in the network graph are changed, and the third intermediate network graph can be determined as the target network graph.
[0168] When there are nodes in the third intermediate network graph that satisfy the attribute change conditions, the third intermediate network graph is updated to the initial network graph, and the process of determining each target node that satisfies the attribute change conditions in each node of the initial network graph is returned. That is, steps S701 to S703 are repeated until there are no nodes in the network graph that satisfy the attribute change conditions.
[0169] In this embodiment, after changing the attributes of nodes that meet the attribute change conditions in the network graph, nodes with the same attributes are merged into new nodes in the network graph, thereby simplifying the network graph, reducing the amount of computation, and improving the efficiency of identifying risk team users.
[0170] Reference Figure 8 , Figure 8 Flowchart of the user identification method for this application team Figure 5 ,based on Figure 7 In the embodiment shown, step S701 includes:
[0171] Step S801: Determine the first attribute value of the node to be changed in the initial network graph on the first attribute, and determine the second attribute value of the node to be changed on the second attribute. The first attribute is the current attribute of the node to be changed, and the second attribute is the attribute of the node to be changed.
[0172] In this embodiment, after constructing the initial network graph, the device determines the nodes that satisfy the attribute change conditions among the nodes in the initial network graph.
[0173] For example, each node in the initial network graph is considered an independent community, and the community is an attribute of the node. The nodes in the initial network graph are connected by lines. The modularity parameter of a node within its own community is determined by the nodes and the connections between that node and its neighbors. The modularity parameter of the community is the attribute value of the node on its own attribute, and this attribute value is defined as the first attribute value. Specifically, the connections between nodes can represent strong and weak ties; strong ties refer to high-risk relationships, while weak ties refer to low-risk relationships.
[0174] The device first identifies the node whose attribute needs to be changed, defining this node as the node to be changed. Then, it determines the first attribute value of the node to be changed based on the first attribute. Specifically, the device determines the first weight between the node to be changed and each neighbor node based on the risk relationship represented by the connection lines between the node to be changed and each neighbor node. Neighbor nodes are nodes that have connections with the node to be changed. For example, if the risk relationship represented by the connection line is high-risk, the first weight of the connection line is configured as 1; if the risk relationship represented by the connection line is low-risk, the first weight of the connection line is configured as 0.5. The device then determines the second weight between the node to be changed and the node corresponding to the second attribute. For example, assuming the node to be changed changes its attribute to the second attribute, a hypothetical connection line is configured between the node to be changed and the node corresponding to the second attribute. Compared to the node to be changed without changing its attribute, the node to be changed with the changed attribute has one more connection line. A second weight is configured for this additional connection line, and the second weight can be any composite number. The device determines the first attribute value Q based on each first weight. The calculation method for the first attribute value Q is as follows:
[0175]
[0176] Among them, A ij k represents the weight of the connection line between node i and node j. i =∑ j A ij c represents the sum of the first weights of all lines connecting node i to node j. i This indicates the community to which node i belongs; Let δ(c) represent the sum of the first weights of all edges. If node i and node j belong to the same module, then δ(c) i ,c j If m is a given value, and nodes i and j belong to the same module, then δ(c) = m. i ,c j Let n be a integer, and m be a integer greater than n. In the initial network graph, each node is an independent module, meaning each node belongs to a different module. The device then calculates the second attribute value based on the second weight and each of the first weights. That is, the second attribute value is calculated using the formula described above.
[0177] For example, the device determines the community that the node to be changed needs to migrate to, that is, it determines the attribute that the node to be changed needs to change. For example, the attribute of node a needs to be changed to the attribute of node b, which means that node a's community is migrated to node b's community. The attribute to be changed is defined as the second attribute, and the device determines the value of the second attribute of the node to be changed. Specifically, assuming that the node to be changed a changes its attribute to the second attribute, a hypothetical connection line is configured between node a and node b. Compared to node a without the attribute change, node a with the changed attribute has an additional connection line. The value of the second attribute calculated using the above formula is different from the value of the first attribute. Furthermore, before determining the value of the second attribute of the node to be changed, the device determines the neighboring nodes that have a connection line with the node to be changed, and thus determines the attribute corresponding to the neighboring node as the second attribute. That is, the attribute that the node to be changed needs to change is the attribute of the node adjacent to the node to be changed.
[0178] Furthermore, when the initial network graph is obtained through triangular diffusion, low-risk relationships are not used as input to reduce the computational workload of calculating attribute values before and after node migration in the initial network graph. For example, based on the risk relationships represented by the connections between the node to be changed and each neighboring node, the device determines target connections among these connections. These target connections represent high-risk relationships. For instance, connection 1 between node a and node b represents a low-risk relationship, connection 2 between node a and node c represents a low-risk relationship, and connection 3 between node a and node d represents a high-risk relationship; therefore, connection 3 is the target connection. After determining each target connection, the device assigns the weight of each target connection as a first weight. It is understood that the first weights involved in calculating the first and second attribute values are all the weights of the target connections. The weights configured for low-risk relationships do not participate in the calculation of the first and second attribute values, thus reducing the computational workload of the first and second attribute values for each node in the network graph and improving the efficiency of the device in determining risky user groups.
[0179] Step S802: Determine the attribute gain amount of the node to be changed based on the first attribute value and the second attribute value.
[0180] After determining the first and second attribute values, the device determines the attribute gain resulting from the attribute change of the node to be modified. Specifically, the attribute gain is obtained by subtracting the first attribute value from the second attribute value.
[0181] Step S803: In response to the attribute gain being greater than a preset threshold, determine that the node to be changed meets the attribute change conditions, and determine the node to be changed as the target node.
[0182] If the attribute gain is greater than a preset threshold, the node to be changed meets the attribute change condition and is identified as the target node. If the attribute gain is less than or equal to the preset threshold, the node to be changed does not meet the attribute change condition, meaning the node will not undergo attribute change.
[0183] Furthermore, when the node to be changed has multiple neighboring nodes, the device determines the attribute gain between the first attribute value and each second attribute value. When any attribute gain exceeds a preset threshold, the second attribute corresponding to the largest attribute gain is determined as the target attribute for the node to be changed, thereby changing the target node's attribute to the target attribute in the initial network graph. In essence, the target node changes its own attribute to the attribute of the neighboring node with the largest attribute gain.
[0184] In this embodiment, the device accurately determines the nodes that meet the attribute change conditions based on the attribute values of the nodes before and after the attribute change.
[0185] In one embodiment, a queue can be used to change the attribute of a node. When it is necessary to determine the first attribute value of the node to be changed in the initial network graph, the device adds the node identifiers corresponding to some nodes in the initial network graph to the queue. The node identifiers can be randomly added to the queue from some nodes in the initial network. The node identifiers in the queue have a corresponding order. The device extracts the node corresponding to the node identifier from the head of the queue as the node to be changed, and determines the first attribute value of the node to be changed in the first attribute.
[0186] When a node to be changed meets the attribute change conditions, it becomes the target node. In the initial network graph, when changing the attribute of the target node, the device adds the node identifier corresponding to the node connected to the target node in the initial network graph to a queue, configures the connection line between the target node and the node corresponding to the target attribute, and changes the first attribute of the target node to the target attribute. Because new node identifiers are added to the queue, the number of node identifiers in the queue increases. The device needs to determine whether the node corresponding to each node identifier in the queue meets the attribute change conditions. That is, the device returns to extract the node identifier from the head of the queue as the target identifier. This process of determining the attribute change conditions for the nodes corresponding to the node identifiers in the queue and changing the attribute of the target node is repeated until there are no more node identifiers in the queue. This completes the attribute changes for all target nodes in the initial network graph, resulting in the second intermediate network graph.
[0187] Reference Figure 9 , Figure 9 The color of a node in the network represents its community. The device modifies the attributes of a target node in the initial network graph in three steps, as follows:
[0188] Step 1: Locally move the node, corresponding to Figure 9 From step a to step b, this step is further divided into several smaller steps;
[0189] 1.1 Randomly add nodes (node identifiers) from the network graph to the queue, and remove one node from the front of the queue;
[0190] 1.2. Assign the removed node to a community (attribute) that can obtain the maximum modularity gain (the modularity gain corresponds to the attribute gain). If the node cannot obtain a gain greater than 0 in any community it is assigned to, then the node is retained in the original community, that is, the node's attribute remains unchanged.
[0191] 1.3 If the node is moved to another community (changes attributes), add the neighboring nodes of the node that does not belong to the new community and is not in the queue to the end of the queue. That is, add the nodes that the node was connected to before it was moved to the end of the queue.
[0192] Step 2: Optimize the communities obtained in Step 1 to ensure good connectivity for all communities. Community optimization can be viewed as identifying nodes with the same attributes, such as... Figure 9 From b to c, optimization yields multiple communities, for example... Figure 9 c in the middle;
[0193] Step 3, for Figure 9 Nodes belonging to the same community are compressed to obtain multiple new nodes. Since there may be few nodes with a certain attribute during community optimization, these nodes are considered as one community. For example, the lower region in Figure c consists of nodes with multiple attributes. Therefore, when compressing nodes in the lower region of Figure c, multiple new nodes will appear; that is, nodes with the same attribute are compressed into a new node. After completing node compression, the process is repeated... Figure 9 The steps from a to c in the network graph are repeated until the maximum modularity is reached, meaning there are no nodes in the network graph that satisfy the attribute change conditions.
[0194] In this embodiment, potential risk team users are discovered through changes in node attributes. Based on the characteristics of risk team users, hidden risk team users are comprehensively discovered in the network graph, thereby accurately identifying all risk team users.
[0195] In this embodiment, the use of a queue allows for the rapid and orderly identification of target nodes that meet the attribute change conditions, thereby improving the efficiency of identifying risk team users.
[0196] Reference Figure 10 , Figure 10 Flowchart of the user identification method for this application team Figure 6 ,based on Figures 2 to 9In any of the embodiments shown, step S201 includes:
[0197] Step S1001: Identify multiple fourth accounts among the first accounts. The fourth accounts are used to indicate the accounts of known risk team users.
[0198] In this embodiment, the device identifies multiple fourth accounts among the various first accounts. These fourth accounts are accounts of known risk team users. For example, the fourth account may be an account associated with a black sample device, an account associated with a black SIM card, an account associated with a black sample Wi-Fi, or an account associated with a black sample LBS.
[0199] Blacklisted devices refer to risky devices. If a fourth account logs into a risky device, it can be determined that the fourth account is associated with a blacklisted device. Blacklisted cards represent risky financial cards. If a fourth account has made transactions with a risky financial card, it can be determined that the fourth account is associated with a blacklisted card. Blacklisted Wi-Fi (mobile hotspots) refer to risky mobile hotspots. If the device associated with the fourth account has connected to a risky mobile hotspot, then the fourth account is associated with a blacklisted Wi-Fi. Blacklisted LBS (Location Based Services) refers to locations where blacklisted devices have appeared. If the device logged into by the fourth account uses the location provided by a blacklisted LBS, it can be determined that the fourth account is associated with a blacklisted LBS.
[0200] Step S1002: Construct a sub-network graph corresponding to each fourth account based on the risk relationship, and merge the sub-network graphs to obtain the initial network graph.
[0201] After identifying each fourth account, a sub-network graph is constructed based on risk relationships, using the fourth account as the source. These sub-network graphs are then merged to obtain the initial network graph. Furthermore, during the merging of sub-networks, cross-validation of relationships is required. For example, if node F in the sub-network graph associated with the black card has a risk relationship with node G in the sub-network graph associated with the black sample LBS, then it is necessary to confirm whether a genuine risk relationship exists between node F and node G. If so, a connection line is configured between node F and node G.
[0202] In this embodiment, a risky fourth account is identified among the first accounts, and a sub-network graph corresponding to each fourth account is constructed based on the risk relationship. Then, the sub-networks are merged to quickly obtain the initial network graph.
[0203] In one embodiment, mining global risk team users from massive datasets is costly and difficult. Considering that a single risk team user represents a local structure on the network, users in the same circle are not too far apart; generally, the diameter of the circle (the maximum value of the shortest distance between any two nodes in the circle) is considered to be no more than 2. The mining of global circles is transformed into mining the circles to which each node belongs within its local subgraph. When constructing the entire network graph, a single user is treated as a single node (primary key: account), and the connecting edges between nodes are classified into risk levels according to different risk relationships. In this embodiment, combined with known accounts associated with black samples, and taking a black sample account as the center, initial edges are first defined to discover user connections in the real world. Further, high and low risk relationships are defined to construct an account relationship network graph, distinguishing the tightness of the relationship edges and mining accounts commonly held by risk team users.
[0204] Combination Figure 11 The steps of the user identification method used by the team in this application are briefly described below:
[0205] Step 1: Using black sample accounts as the source, construct local subnets based on the defined high and low risk relationships through subnet merging and relationship cross-validation;
[0206] Step 2: Enrich and supplement the network graph through triangular diffusion, that is, transform low-confidence relationships (low-risk relationships) into high-confidence relationships (high-confidence relationships);
[0207] Step 3: Utilize community mining methods and algorithms to further mine all risky users from the network graph constructed in Step 2. Specific parameters... Figure 9 The example shown.
[0208] Based on the content described in the above embodiments, this application also provides a team user identification device, referring to... Figure 12 , Figure 12 This is a schematic diagram of the program modules of a team user identification device provided in the embodiments of this application. In some embodiments, the team user identification device 1200 includes:
[0209] The acquisition module 1210 is used to acquire target information of multiple first accounts. The target information includes the location of the device where the first account is logged in, the network information corresponding to the network connected to the device, and the transaction information of the first account.
[0210] The first determining module 1220 is used to determine the risk relationship between each first account based on the target information, and to construct an initial network graph based on the risk relationship. The initial network graph contains the first accounts as nodes, and the connecting line between two nodes is used to indicate the risk relationship between the first accounts corresponding to the two nodes.
[0211] Processing module 1230 is used to change the attributes of nodes in the initial network graph that meet the attribute change conditions to obtain the target network graph;
[0212] The second determining module 1240 is used to determine users of the same risk team in response to the fact that the first accounts corresponding to each node with the same attribute in the target network graph contain risk accounts.
[0213] In some embodiments, the team user identification device 1200 is specifically used for:
[0214] Based on the target information of the second account, determine one or more association relationships between the second account and the third account, where the second account is any first account and the third account is a first account other than the second account.
[0215] Determine the target parameters for the association relationships, including the frequency of occurrence of each association relationship and / or the type of association relationship;
[0216] The risk relationship between the second and third accounts is determined based on the target parameters.
[0217] In some embodiments, the team user identification device 1200 is specifically used for:
[0218] In response to the default type, the risk relationship between the second account and the third account is determined to be a high-risk relationship.
[0219] In response to the fact that the type is not the default type, the risk relationship between the second account and the third account is determined to be a low-risk relationship.
[0220] In some embodiments, the team user identification device 1200 is specifically used for:
[0221] If the number of occurrences of any association relationship exceeds the corresponding preset number, the risk relationship between the second account and the third account is determined to be a high-risk relationship.
[0222] If the number of occurrences of each association is less than or equal to the corresponding preset number, the risk relationship between the second account and the third account is determined to be a low-risk relationship.
[0223] In some embodiments, the team user identification device 1200 is specifically used for:
[0224] Configure the node corresponding to each first account in the configuration diagram;
[0225] Based on the risk relationship between the two primary accounts, the connection lines between the nodes corresponding to the two primary accounts are configured in the configuration diagram to obtain the first intermediate network diagram.
[0226] In the first intermediate network graph, a triple node group is determined, wherein the triple node group consists of three nodes and the connecting lines between the three nodes form a triangle;
[0227] In response to the fact that two connecting lines in a ternary node group represent high-risk relationships and one connecting line represents low-risk relationships, the connecting line representing the low-risk relationship is changed to the connecting line representing the high-risk relationship, thus obtaining the initial network graph.
[0228] In some embodiments, the team user identification device 1200 is specifically used for:
[0229] In the initial network graph, identify the target node that meets the attribute change conditions.
[0230] In the initial network graph, the target node is modified by changing its target attribute to obtain the second intermediate network graph;
[0231] The nodes with the same attribute in the second intermediate network graph are merged into a single node with the same attribute to obtain the third intermediate network graph.
[0232] If no node in the third intermediate network graph meets the attribute change conditions, the third intermediate network graph is determined as the target network graph.
[0233] In some embodiments, the team user identification device 1200 is specifically used for:
[0234] Determine the first attribute value of the node to be changed in the initial network graph on the first attribute, and determine the second attribute value of the node to be changed on the second attribute. The first attribute is the current attribute of the node to be changed, and the second attribute is the attribute of the node to be changed.
[0235] The attribute gain amount of the node to be modified is determined based on the first attribute value and the second attribute value.
[0236] In response to an attribute gain exceeding a preset threshold, the node to be changed is determined to meet the attribute change conditions, and the node to be changed is identified as the target node.
[0237] In some embodiments, the team user identification device 1200 is specifically used for:
[0238] Identify neighboring nodes that have connections to the node to be changed;
[0239] The attribute corresponding to the neighbor node is determined as the second attribute.
[0240] In some embodiments, the team user identification device 1200 is specifically used for:
[0241] Determine the attribute gain between the first attribute value and the corresponding second attribute value for each second attribute;
[0242] In the initial network graph, the target node's target attributes are changed, including:
[0243] The second attribute corresponding to the largest attribute gain is determined as the target attribute of the node to be changed, and the first attribute of each target node is changed to the target attribute of the target node in the initial network graph.
[0244] In some embodiments, the team user identification device 1200 is specifically used for:
[0245] Based on the risk relationship represented by the connection lines between the node to be changed and each neighboring node, the first weight between the node to be changed and each neighboring node is determined, and each neighboring node is used to indicate the node that has a connection line with the node to be changed.
[0246] Determine the second weight between the node to be changed and the node corresponding to the second attribute;
[0247] The first attribute value of the node to be changed on the corresponding first attribute is determined according to each first weight, and the second attribute value of the node to be changed on the second attribute is determined according to the second weight and each first weight.
[0248] In some embodiments, the team user identification device 1200 is specifically used for:
[0249] Based on the risk relationships represented by the connection lines between the node to be changed and each neighboring node, the first weight between the node to be changed and each neighboring node is determined, including:
[0250] Based on the risk relationship represented by the connection lines between the node to be changed and each neighboring node, a target connection line is determined among the connection lines between the node to be changed and each neighboring node. The target connection line is the connection line that represents a high-risk relationship.
[0251] The weight of each target connection line is determined as the first weight.
[0252] In some embodiments, the team user identification device 1200 is specifically used for:
[0253] Add the node identifiers corresponding to some nodes in the initial network graph to the queue;
[0254] Extract the node identifier from the head of the queue as the target identifier, determine the node corresponding to the target identifier as the node to be changed, and determine the first attribute value of the node to be changed in the first attribute.
[0255] In the initial network graph, the target node's target attributes are changed, including:
[0256] Add the node identifiers corresponding to the nodes connected to the target node in all the initial network graphs to the queue, configure the connection lines between the target node and the nodes corresponding to the target attribute, and change the first attribute of the target node to the target attribute;
[0257] Return to the execution and extract the node identifier from the head of the queue as the target identifier. The queue does not store node identifiers. Complete the attribute changes of all target nodes in the initial network graph to obtain the second intermediate network graph.
[0258] In some embodiments, the team user identification device 1200 is specifically used for:
[0259] In response to the existence of nodes in the third intermediate network graph that meet the attribute change conditions, the third intermediate network graph is updated to the initial network graph;
[0260] Return to the steps in the initial network graph to determine the target nodes that meet the attribute change conditions.
[0261] In some embodiments, the team user identification device 1200 is specifically used for:
[0262] Multiple fourth accounts are identified within each primary account; these fourth accounts are used to indicate the accounts of known risk team users.
[0263] Based on the risk relationships, construct a sub-network graph corresponding to each fourth account, and merge the various sub-network graphs to obtain the initial network graph.
[0264] It should be noted that the specific steps of the team user identification method executed by the team user identification device are as described in the above embodiments, and will not be repeated here.
[0265] Furthermore, based on the content described in the above embodiments, this application also provides an electronic device, which includes at least one processor, a communication interface and a memory communicatively connected to the processor; wherein the communication interface is used to communicate with other communication devices, and the memory stores computer execution instructions; the at least one processor executes the computer execution instructions stored in the memory to implement the various steps in the team user identification method described in the above embodiments.
[0266] To better understand the embodiments of this application, please refer to... Figure 13 , Figure 13 This is a schematic diagram of the hardware structure of an electronic device provided in an embodiment of this application.
[0267] like Figure 13 As shown, the electronic device 1300 of this embodiment includes: a processor 1301, a memory 1302, and a communication interface 1304; wherein:
[0268] Memory 1302 is used to store computer-executed instructions;
[0269] Communication interface 1304 is used to communicate with other communication devices;
[0270] The processor 1301 is configured to execute computer execution instructions stored in memory to implement the various steps in the query optimization method described in the above embodiments.
[0271] Alternatively, the memory 1302 can be either standalone or integrated with the processor 1301.
[0272] When the memory 1302 is set up independently, the device also includes a bus 1303 for connecting the memory 1302, the communication interface 1304 and the processor 1301.
[0273] This application provides a computer-readable storage medium storing computer-executable instructions. When a processor executes the computer-executable instructions, it implements the various steps of the team user identification method described in the above embodiments.
[0274] This application provides a computer program product, including a computer program that, when executed by a processor, implements the various steps of the team user identification method described in the above embodiments.
[0275] In the several embodiments provided in this application, it should be understood that the disclosed devices and methods can be implemented in other ways. For example, the device embodiments described above are merely illustrative; for instance, the division of modules is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple modules may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices, or modules, and may be electrical, mechanical, or other forms.
[0276] The modules described as separate components may or may not be physically separate. The components shown as modules may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs.
[0277] Furthermore, the functional modules in the various embodiments of this application can be integrated into one processing unit, or each module can exist physically separately, or two or more modules can be integrated into one unit. The unit composed of the above modules can be implemented in hardware or in the form of hardware plus software functional units.
[0278] The integrated modules described above, implemented as software functional modules, can be stored in a computer-readable storage medium. These software functional modules, stored in a storage medium, include several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) or processor to execute some steps of the methods of the various embodiments of this application.
[0279] It should be understood that the aforementioned processor can be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), etc. A general-purpose processor can be a microprocessor or any conventional processor. The steps of the method disclosed in the application can be directly manifested as being executed by a hardware processor, or executed by a combination of hardware and software modules within the processor.
[0280] The memory may include high-speed memory, and may also include non-volatile memory, such as at least one disk storage device, and may also be a USB flash drive, portable hard drive, read-only memory, disk or optical disc, etc.
[0281] The bus can be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, etc. Buses can be categorized as address buses, data buses, control buses, etc. For ease of illustration, the buses shown in the accompanying drawings are not limited to a single bus or a single type of bus.
[0282] The aforementioned storage medium can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory, electrically erasable programmable read-only memory, erasable programmable read-only memory, programmable read-only memory, read-only memory, magnetic storage, flash memory, magnetic disk, or optical disk. The storage medium can be any available medium that can be accessed by a general-purpose or special-purpose computer.
[0283] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features therein. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of this application.
Claims
1. A method for identifying team users, characterized in that, include: Obtain target information for multiple first accounts, including the location of the device where the first account is logged in, the network information corresponding to the network connected to the device, and the transaction information of the first account; Based on the target information of the second account, determine one or more association relationships between the second account and the third account, wherein the second account is any one of the first accounts, and the third account is a first account other than the second account; Determine the target parameters for the association, the target parameters including the frequency of occurrence of each association and / or the type of the association; The risk relationship between the second account and the third account is determined based on the target parameters, and an initial network graph is constructed based on the risk relationship. The initial network graph includes the first account as a node, and the connecting line between two nodes is used to indicate the risk relationship between the first accounts corresponding to the two nodes. The target network graph is obtained by modifying the attributes of nodes in the initial network graph that meet the attribute modification conditions. In response to the fact that the first accounts corresponding to each node with the same attribute in the target network graph contain risk accounts, the users associated with the first accounts corresponding to each node with the same attribute are identified as users of the same risk team. The step of constructing the initial network graph based on the risk relationships includes: Multiple fourth accounts are identified among the first accounts. The fourth accounts are used to indicate the accounts of known risk team users. The fourth accounts are at least one of the following: accounts associated with black sample devices, accounts associated with risky financial cards, accounts associated with black sample WIFI, and accounts associated with black sample LBS. Based on the risk relationships, a sub-network graph corresponding to each of the fourth accounts is constructed, and the various sub-network graphs are merged to obtain an initial network graph.
2. The method according to claim 1, characterized in that, The target parameters include the type of the association, and determining the risk relationship between the second account and the third account based on the target parameters includes: In response to the fact that the type is a preset type, the risk relationship between the second account and the third account is determined to be a high-risk relationship; In response to the fact that the type is not a preset type, the risk relationship between the second account and the third account is determined to be a low-risk relationship.
3. The method according to claim 1, characterized in that, The target parameter includes the frequency of occurrence of each of the associations, and determining the risk relationship between the second account and the third account based on the target parameter includes: If the number of occurrences of any of the aforementioned associations exceeds a corresponding preset number, the risk relationship between the second account and the third account is determined to be a high-risk relationship. In response to each of the aforementioned associations occurring less than or equal to a corresponding preset number of times, the risk relationship between the second account and the third account is determined to be a low-risk relationship.
4. The method according to claim 1, characterized in that, The risk relationships include high-risk relationships and low-risk relationships. The step of constructing an initial network graph based on the risk relationships includes: Configure the node corresponding to each of the first accounts in the configuration diagram; Based on the risk relationship between the two first accounts, a connection line is configured between the nodes corresponding to the two first accounts in the configuration diagram to obtain a first intermediate network diagram. In the first intermediate network graph, a ternary node group is determined, wherein the ternary node group includes three nodes and the connecting lines between the three nodes form a triangle; In response to the fact that two connecting lines in the ternary node group represent high-risk relationships and one connecting line represents low-risk relationships, the connecting line representing the low-risk relationship is changed to the connecting line representing the high-risk relationship, thus obtaining the initial network graph.
5. The method according to any one of claims 1-4, characterized in that, The step of changing the attributes of nodes in the initial network graph that meet the attribute change conditions to obtain the target network graph includes: Among the nodes in the initial network graph, the target node that meets the attribute change conditions is identified; In the initial network graph, the target node is modified by changing its target attribute to obtain a second intermediate network graph; The nodes with the same attribute in the second intermediate network graph are merged into one node with the same attribute to obtain the third intermediate network graph. In response to the absence of nodes in the third intermediate network graph that satisfy the attribute change conditions, the third intermediate network graph is determined as the target network graph.
6. The method according to claim 5, characterized in that, The step of determining the target node that satisfies the attribute change conditions among the nodes in the initial network graph includes: Determine the first attribute value of the node to be changed in the initial network graph on the first attribute, and determine the second attribute value of the node to be changed on the second attribute. The first attribute is the current attribute of the node to be changed, and the second attribute is the attribute of the node to be changed. The attribute gain amount of the node to be changed is determined based on the first attribute value and the second attribute value; In response to the attribute gain being greater than a preset threshold, it is determined that the node to be changed meets the attribute change conditions, and the node to be changed is identified as the target node.
7. The method according to claim 6, characterized in that, Before determining the value of the second attribute on the second attribute of the node to be changed, the method further includes: Identify neighboring nodes that have a connection line with the node to be changed; The attribute corresponding to the neighbor node is determined as the second attribute.
8. The method according to claim 7, characterized in that, The neighbor nodes are multiple, and the step of determining the attribute gain amount for changing the attribute of the node to be changed based on the first attribute value and the second attribute value includes: Determine the attribute gain between the first attribute value and the second attribute value corresponding to each second attribute; The step of changing the target attributes of the target node in the initial network graph includes: The second attribute corresponding to the largest attribute gain is determined as the target attribute of the node to be changed, and the first attribute of each target node in the initial network graph is changed to the target attribute corresponding to the target node.
9. The method according to claim 6, characterized in that, The process of determining the first attribute value of the node to be changed in the initial network graph on the first attribute, and determining the second attribute value of the node to be changed in the second attribute, includes: Based on the risk relationship represented by the connection lines between the node to be changed and each neighboring node, a first weight is determined between the node to be changed and each of the neighboring nodes, and each of the neighboring nodes is used to indicate the node that has a connection line with the node to be changed. Determine the second weight between the node to be changed and the node corresponding to the second attribute; The first attribute value of the node to be changed on the corresponding first attribute is determined according to each of the first weights, and the second attribute value of the node to be changed on the second attribute is determined according to the second weight and each of the first weights.
10. The method according to claim 9, characterized in that, The determination of the first weight between the node to be changed and each of the neighboring nodes, based on the risk relationship represented by the connection lines between the node to be changed and each neighboring node, includes: Based on the risk relationship represented by the connection lines between the node to be changed and each neighboring node, a target connection line is determined among the connection lines between the node to be changed and each neighboring node. The target connection line is the connection line that represents a high-risk relationship. The weight of each of the target connecting lines is determined as the first weight.
11. The method according to claim 6, characterized in that, Determining the first attribute value of the node to be changed in the initial network graph includes: Add the node identifiers corresponding to some of the nodes in the initial network graph to the queue; Extract the node identifier from the head of the queue as the target identifier, determine the node corresponding to the target identifier as the node to be changed, and determine the first attribute value of the node to be changed on the first attribute. The step of changing the target attributes of the target node in the initial network graph includes: Add the node identifier corresponding to the node connected to the target node in all the initial network graphs to the queue, configure the connection line between the target node and the node corresponding to the target attribute, and change the first attribute of the target node to the target attribute; Return to the step of extracting the node identifier from the head of the queue as the target identifier, wherein the queue does not store node identifiers, and complete the attribute changes of all target nodes in the initial network graph to obtain the second intermediate network graph.
12. The method according to claim 5, characterized in that, After merging nodes with the same attribute in the second intermediate network graph into a single node with the same attribute, the method further includes: In response to the existence of nodes in the third intermediate network graph that satisfy the attribute change conditions, the third intermediate network graph is updated to the initial network graph; Return to the step of determining each target node that meets the attribute change conditions among the nodes in the initial network graph.
13. A method and apparatus for identifying team users, characterized in that, include: The acquisition module is used to acquire target information of multiple first accounts. The target information includes the location of the device where the first account is logged in, the network information corresponding to the network connected to the device, and the transaction information of the first account. The first determining module is used to determine one or more association relationships between the second account and the third account based on the target information of the second account, wherein the second account is any one of the first accounts, and the third account is a first account other than the second account; Determine the target parameters for the association, the target parameters including the frequency of occurrence of each association and / or the type of the association; The risk relationship between the second account and the third account is determined based on the target parameters, and an initial network graph is constructed based on the risk relationship. The initial network graph includes the first account as a node, and the connecting line between two nodes is used to indicate the risk relationship between the first accounts corresponding to the two nodes. The processing module is used to change the attributes of nodes in the initial network graph that meet the attribute change conditions to obtain the target network graph; The second determining module is used to determine users of the same risk team in response to the fact that the first accounts corresponding to each node with the same attribute in the target network graph contain risk accounts. The first determining module is further configured to: Multiple fourth accounts are identified among the first accounts. The fourth accounts are used to indicate the accounts of known risk team users. The fourth accounts are at least one of the following: accounts associated with black sample devices, accounts associated with risky financial cards, accounts associated with black sample WIFI, and accounts associated with black sample LBS. Based on the risk relationships, a sub-network graph corresponding to each of the fourth accounts is constructed, and the various sub-network graphs are merged to obtain an initial network graph.
14. An electronic device, characterized in that, include: A processor, and a memory and a communication interface communicatively connected to the processor; The communication interface is used to communicate with other communication devices; The memory is used to store computer-executed instructions; The processor is configured to execute computer execution instructions stored in the memory to implement the team user identification method as described in any one of claims 1-12.
15. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer-executable instructions, which, when executed by a processor, implement the team user identification method as described in any one of claims 1-12.
16. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by a processor, it implements the team user identification method as described in any one of claims 1-12.