Behavior data risk determination method and device, electronic equipment, and storage medium

By using federated learning and graph neural network technology, a unified device identifier and spatiotemporal behavioral characteristics are generated across platforms. The risk propagation subgraph is analyzed, which solves the shortcomings of traditional anti-fraud technology in identifying cross-platform cheating and gang fraud, and achieves efficient and accurate risk assessment.

CN121745948BActive Publication Date: 2026-06-26SHENZHEN MINGXIN DIGITAL TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SHENZHEN MINGXIN DIGITAL TECH CO LTD
Filing Date
2026-02-27
Publication Date
2026-06-26

AI Technical Summary

Technical Problem

Traditional anti-fraud technologies cannot adapt to the dynamic changes in different business scenarios, resulting in a high false positive rate, difficulty in identifying cross-platform cheating and distributed group fraud, and a lack of in-depth analysis of the relationships between devices, IPs, and accounts.

Method used

The device identification data is aligned using a federated learning framework to generate a unified device identification across platforms, a spatiotemporal behavioral feature set is constructed, and a graph neural network is used to analyze the risk propagation subgraph for risk assessment.

Benefits of technology

It significantly improves the accuracy of abnormal behavior identification, reduces the false positive rate during peak business periods, effectively exposes hidden fraud networks, achieves precise crackdown on collaborative cheating, and improves the efficiency and accuracy of fraud detection.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121745948B_ABST
    Figure CN121745948B_ABST
Patent Text Reader

Abstract

The application relates to the technical field of behavior data risk determination, and discloses a behavior data risk determination method and device, electronic equipment and a storage medium, wherein the method comprises the following steps: constructing user behavior features in the fusion of time and space dimensions, significantly improving the accuracy of abnormal behavior recognition and reducing the misjudgment rate during the business peak period; using a graph neural network to analyze the correlation between behavior features, generating a risk propagation subgraph and performing risk determination to obtain a risk determination result. The application has the beneficial effects that hidden syndicate fraud networks can be effectively revealed, accurate strikes against collaborative cheating can be realized, the efficiency and accuracy of fraud detection are greatly improved, strategies can be dynamically adjusted according to business scenarios, the normal operation of the business can be ensured while reducing the misjudgment, and a solution is provided for cross-border business anti-fraud.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of risk assessment technology for behavioral data, and in particular to a method, apparatus, electronic device, and storage medium for risk assessment of behavioral data. Background Technology

[0002] Traditional anti-fraud technologies are generally based on static threshold rules (such as fixed click frequency limits), which cannot adapt to the dynamic changes of different business scenarios, resulting in a high false positive rate. Specifically, cross-platform data fragmentation leads to the inability to share device identifiers, making it difficult to build a unified user behavior profile and making it impossible to identify cross-platform fraud. Furthermore, existing technologies focus more on the abnormal behavior of individual users and lack in-depth mining of the relationship between devices, IPs, and accounts, making it difficult to identify distributed collaborative group fraud. Summary of the Invention

[0003] Based on this, it is necessary to propose a method, device, electronic device and storage medium for risk assessment of behavioral data to address the existing problem of risk assessment of behavioral data.

[0004] A method for risk assessment of behavioral data, the method comprising:

[0005] Collect multiple behavioral data from different preset platforms; each behavioral data includes device identification data and user data, wherein the user data includes at least operation data and geographical location information;

[0006] Based on the federated learning framework, device identification data of the same user from different preset platforms are aligned to generate a unified device identification across preset platforms.

[0007] Collect user data from the same user to obtain a user dataset;

[0008] Based on the unified device identifier of each user and the user dataset, spatiotemporal behavioral features representing each user are constructed to obtain a spatiotemporal behavioral feature set;

[0009] The spatiotemporal behavioral feature set is analyzed using a pre-defined graph neural network to generate a risk propagation subgraph;

[0010] Risk assessment is performed on the risk propagation subgraph to obtain the risk assessment result.

[0011] Furthermore, the step of aligning device identifier data from the same user across different preset platforms based on a federated learning framework to generate a unified device identifier across preset platforms includes:

[0012] Acquire device identification data from multiple preset platforms;

[0013] By using a pre-defined global device identifier association model, each device identifier data is identified to classify device identifier data belonging to the same user, thereby obtaining a device identifier dataset for each user; wherein, the global device identifier association model is learned based on a federated learning framework;

[0014] Based on the device identifier dataset, the device identifier data used by the corresponding user is associated, and a corresponding unified device identifier is assigned to the user.

[0015] Furthermore, before the step of classifying device identifier data belonging to the same user by judging each device identifier data through a preset global device identifier association model to obtain the device identifier dataset for each user, the method further includes:

[0016] Obtain device identification data and corresponding user account data based on local storage from each preset platform, and train the model parameters of the device identification association sub-model;

[0017] The model parameters are aggregated using a preset security aggregation algorithm to form the global device identifier association model.

[0018] Further, the step of constructing spatiotemporal behavioral features representing each user based on the unified device identifier of each user and the user dataset to obtain a spatiotemporal behavioral feature set includes:

[0019] Extract the time series of operation data and the corresponding geographic location series from the user dataset for each user;

[0020] Feature extraction is performed on the time series to obtain temporal features; wherein, the temporal features include behavior frequency, behavior periodicity, behavior interval distribution, and activity level in a specific time period;

[0021] The temporal features are fused and encoded with the geographic location sequence to generate the user's spatiotemporal behavioral feature vector.

[0022] Furthermore, the step of analyzing the spatiotemporal behavioral feature set using a preset graph neural network to generate a risk propagation subgraph includes:

[0023] Using the unified device identifiers as nodes, an initial association graph is constructed based on the operation data in the user dataset;

[0024] The spatiotemporal behavior feature vectors corresponding to each user in the spatiotemporal behavior feature set are used as the attribute features of the corresponding nodes in the initial association graph to obtain the intermediate association graph.

[0025] The intermediate association graph is analyzed using a graph attention network to calculate the attention weights and association strengths between nodes;

[0026] Identify local substructures with anomalous connection patterns or anomalous association strength in the intermediate association graph based on the attention weights and association strengths between the nodes.

[0027] The local substructure is extracted from the intermediate association graph and used as the risk propagation subgraph.

[0028] Furthermore, the step of performing risk assessment on the risk propagation subgraph to obtain the risk assessment result includes:

[0029] The topological structure information of the risk propagation subgraph and the spatiotemporal behavioral feature vectors corresponding to each node in the risk propagation subgraph are input into the pre-trained large language model.

[0030] Obtain the risk assessment result output by the large language model for the risk propagation subgraph.

[0031] Furthermore, after the step of performing risk assessment on the risk propagation subgraph and obtaining the risk assessment result, the method further includes:

[0032] Based on the risk confidence score in the risk assessment results, the comprehensive risk level corresponding to the risk propagation subgraph is determined;

[0033] Obtain the target behavior data corresponding to the user based on the risk propagation subgraph;

[0034] The current business scenario is determined based on the target behavior data;

[0035] A risk management strategy is generated based on the overall risk level and the current business scenario.

[0036] A risk assessment device for behavioral data, the device comprising:

[0037] The data acquisition module is used to collect multiple behavioral data from different preset platforms; each behavioral data includes device identification data and user data, wherein the user data includes at least operation data and geographic location information.

[0038] The alignment module is used to align device identifier data from the same user on different preset platforms based on the federated learning framework, and generate a unified device identifier across preset platforms.

[0039] The collection module is used to aggregate user data from the same user to obtain a user dataset.

[0040] The construction module is used to construct spatiotemporal behavioral features representing each user based on the unified device identifier of each user and the user dataset, so as to obtain a spatiotemporal behavioral feature set;

[0041] The analysis module is used to analyze the spatiotemporal behavioral feature set using a preset graph neural network to generate a risk propagation subgraph;

[0042] The judgment module is used to perform risk judgment on the risk propagation subgraph and obtain the risk judgment result.

[0043] An electronic device includes a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the following steps:

[0044] Collect multiple behavioral data from different preset platforms; each behavioral data includes device identification data and user data, wherein the user data includes at least operation data and geographical location information;

[0045] Based on the federated learning framework, device identification data of the same user from different preset platforms are aligned to generate a unified device identification across preset platforms.

[0046] Collect user data from the same user to obtain a user dataset;

[0047] Based on the unified device identifier of each user and the user dataset, spatiotemporal behavioral features representing each user are constructed to obtain a spatiotemporal behavioral feature set;

[0048] The spatiotemporal behavioral feature set is analyzed using a pre-defined graph neural network to generate a risk propagation subgraph;

[0049] Risk assessment is performed on the risk propagation subgraph to obtain the risk assessment result.

[0050] A computer-readable storage medium storing a computer program, which, when executed by a processor, causes the processor to perform the following steps:

[0051] Collect multiple behavioral data from different preset platforms; each behavioral data includes device identification data and user data, wherein the user data includes at least operation data and geographical location information;

[0052] Based on the federated learning framework, device identification data of the same user from different preset platforms are aligned to generate a unified device identification across preset platforms.

[0053] Collect user data from the same user to obtain a user dataset;

[0054] Based on the unified device identifier of each user and the user dataset, spatiotemporal behavioral features representing each user are constructed to obtain a spatiotemporal behavioral feature set;

[0055] The spatiotemporal behavioral feature set is analyzed using a pre-defined graph neural network to generate a risk propagation subgraph;

[0056] Risk assessment is performed on the risk propagation subgraph to obtain the risk assessment result.

[0057] The beneficial effects of this invention are as follows: By constructing user behavior features that integrate spatiotemporal dimensions, the accuracy of abnormal behavior identification is significantly improved, and the false judgment rate during peak business periods is reduced; by using graph neural networks to analyze the correlation between behavioral features and generate risk propagation subgraphs, hidden fraud networks can be effectively revealed, enabling precise strikes against collaborative cheating. This not only greatly improves the efficiency and accuracy of fraud detection, but also allows for dynamic adjustment of strategies based on business scenarios, reducing false positives while ensuring normal business operations, thus providing a solution for anti-fraud in cross-border business. Attached Figure Description

[0058] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0059] in:

[0060] Figure 1 This is a diagram illustrating the application environment of a risk assessment method for behavioral data in one embodiment.

[0061] Figure 2 This is a flowchart of a method for determining the risk of behavioral data in one embodiment;

[0062] Figure 3 This is a structural block diagram of a risk assessment device for behavioral data in one embodiment;

[0063] Figure 4 This is a structural block diagram of an electronic device in one embodiment. Detailed Implementation

[0064] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0065] Figure 1 This is a diagram illustrating the application environment for risk assessment of behavioral data in one embodiment. (Refer to...) Figure 1The risk assessment method for behavioral data is applied to a risk assessment system for behavioral data. This system includes a terminal 110 and a server 120. The terminal 110 and server 120 are connected via a network. The terminal 110 can be a desktop terminal or a mobile terminal; a mobile terminal can be at least one of a mobile phone, tablet, or laptop. The server 120 can be a standalone server or a server cluster consisting of multiple servers. The terminal 110 is used to collect behavioral data, and the server 120 is used to generate risk assessment results.

[0066] like Figure 2 As shown, in one embodiment, a method for risk assessment of behavioral data is provided. This method can be applied to both terminals and servers; this embodiment uses terminal application as an example. The method for risk assessment of behavioral data specifically includes the following steps:

[0067] S1: Collect multiple behavioral data from different preset platforms; wherein each behavioral data includes device identification data and user data, and the user data includes at least operation data and geographical location information;

[0068] S2: Based on the federated learning framework, the device identification data of the same user from different preset platforms is aligned to generate a unified device identification across preset platforms;

[0069] S3: Collect user data from the same user to obtain a user dataset;

[0070] S4: Based on the unified device identifier of each user and the user dataset, construct spatiotemporal behavioral features representing each user to obtain a spatiotemporal behavioral feature set;

[0071] S5: Analyze the spatiotemporal behavioral feature set using a preset graph neural network to generate a risk propagation subgraph;

[0072] S6: Perform risk assessment on the risk propagation subgraph to obtain the risk assessment result.

[0073] As described in step S1 above, behavioral data is collected from multiple preset platforms (such as e-commerce platforms, social media, and the internet). Each behavioral data record includes device identification data and user data. Device identification data includes the unique identifier of each user's device, such as the Google Advertising ID (GAID) for Android devices, the Identifier for Advertisers (IDFA) for iOS devices, and cookies for web browsers. These identifiers enable the tracking of the same user's behavior across different platforms. User data includes at least operational data and geolocation information. Operational data records every interaction the user makes on the platform, such as browsing, clicking, and purchasing, and specifically includes operation timestamps for subsequent time-series analysis. Geolocation information can be obtained through GPS or IP addresses to help analyze user behavior patterns in different locations. This data collection process is achieved through API interfaces or real-time data push technology. Since the data structures may differ between different platforms, the data collection process needs to format the data uniformly to ensure the smooth progress of subsequent steps. Effective data collection lays a solid foundation for subsequent data processing and risk assessment.

[0074] As described in step S2 above, device identifier alignment based on the federated learning framework aims to securely align device identifier data from different preset platforms, thereby generating a unified device identifier across platforms. The core of this alignment process is to protect user privacy while effectively identifying user identities. In one embodiment, each preset platform trains a device identifier association model locally using machine learning algorithms. These models (sub-models) are trained based on historical data of device identifiers and user behavior, ensuring that the model captures the relationship between devices and user behavior without aggregating raw data. During the device identifier alignment process, a federated learning aggregation mechanism is adopted. Each platform periodically encrypts and uploads the parameters (such as gradients) of its local model to the central server. The central server is responsible for integrating these parameters to form a global device identifier association model. This model generates a global model capable of discerning the association between different device identifiers by splicing knowledge learned from multiple platforms. Based on this, the global model judges whether the device identifiers of each platform belong to the same user, and then outputs a unique unified device identifier. This process not only improves the accuracy of identification but also effectively prevents user privacy leakage and ensures the data security of all parties.

[0075] As described in step S3 above, various user data of the same user are aggregated to form a complete user dataset. Combined with the user's unified device identifier, the system extracts consistent behavioral records from different preset platforms to form a multi-dimensional, three-dimensional user dataset. This dataset includes the user's operation data, geographical location information, and device identifier. During the aggregation process, data deduplication can be performed to ensure that each user's data is unique within the dataset, avoiding duplicate information from affecting the quality of analysis. Simultaneously, data recorded on different platforms can be aligned based on timestamps to ensure that the user's behavioral sequence is presented chronologically. The construction of this user dataset lays the foundation for the extraction of spatiotemporal behavioral features in subsequent steps, integrating the user's operating habits and preferences across multiple platforms, providing data material for subsequent risk behavior analysis.

[0076] As described in step S4 above, spatiotemporal behavioral features are extracted and constructed based on each user's unified device identifier and the constructed user dataset. First, important operational data and geographic location information are extracted from the user dataset. Operational data includes not only user behavior types (such as clicks, browsing, and purchases), but also the timestamps of each operation, forming a time series. Second, combined with geographic location information, the system associates user behavior with their location. For example, by analyzing user activity in specific geographic locations (such as high-frequency and low-frequency behaviors), the correlation between user behavior habits and regional cultural background can be identified. Then, the collected time series and geographic features are fused to form a rich spatiotemporal behavioral feature vector. Specifically, the spatiotemporal feature set considers not only single behaviors but also multi-dimensional characteristics such as time intervals, periodicity, and behavior frequency distribution, and can even be compared and analyzed with historical behaviors.

[0077] As described in step S5 above, a pre-defined graph neural network (GNN) is used to perform deep analysis on the obtained spatiotemporal behavioral feature set to generate a risk propagation subgraph. Through its unique aggregation mechanism, the graph neural network can not only analyze the attributes of individual nodes but also capture the connection patterns between nodes, thereby revealing potential fraudulent behavior patterns. The specific process is as follows: First, the nodes of the association graph are constructed. Nodes include unified device identifiers, user identities, and IP addresses, while edges represent certain behavioral relationships (such as device-user, user-IP, etc.). Then, the graph neural network calculates the strength and importance of relationships between nodes, dynamically adjusts information transmission paths, thereby highlighting nodes with more weighted connections and analyzing the connection patterns of these nodes. By analyzing the distribution and clustering of the network structure, the graph neural network can effectively identify potential abnormal clusters, forming a risk propagation subgraph containing highly correlated users and devices, revealing possible group fraudulent behavior. This analysis not only improves the data integration capabilities of traditional methods but also endows risk mining with the characteristics of deep learning, achieving more comprehensive risk prevention and control. Graph Neural Networks (GNNs) are a class of deep learning models specifically designed for processing graph-structured data. Unlike traditional neural networks that rely on rule-based gridded data (such as images or time series), Generative Neural Networks (GNNs) can operate directly in non-Euclidean spaces, i.e., graph structures. This approach constructs an initial association graph, using user device identifiers as nodes and information such as IP addresses and user behavior as edges. GNNs can capture the complex relationships between these entities. By learning information propagation between nodes, GNNs can identify potential connections between devices and group cheating behavior. By fusing spatiotemporal behavioral features with the basic node features in the association graph, this approach effectively enhances the expressiveness of user features using GNNs. As a result, user behavior data can be interpreted more effectively, helping the system identify which behavioral patterns are abnormal. GNN's attention mechanism can effectively identify abnormal connection patterns. For cases where multiple devices share an IP address, GNNs can discover close connections between these devices and identify potential cheating groups. By analyzing local substructures in the graph, GNNs can extract and highlight abnormal behavioral patterns, forming a risk propagation subgraph.

[0078] As described in step S6 above, the generated risk propagation subgraph is used for risk assessment to obtain a comprehensive risk assessment result. First, the structural information of the risk propagation subgraph, and the spatiotemporal behavioral feature vectors corresponding to each node in the graph, are passed as input data to the risk assessment model. The risk assessment model can be based on Large Language Model (LLM) or other advanced machine learning algorithms, capable of analyzing input information from multiple dimensions and quickly extracting potential risk points. During the risk assessment process, the risk assessment model compares and analyzes behavioral patterns within the subgraph and uses identified abnormal features to judge with known suspicious behavioral patterns, providing a confidence score for the risk event. Simultaneously, the assessment result will include a qualitative description and quantitative results of the potential risk. Finally, based on the risk assessment value output by the model, the system can determine corresponding risk management strategies, such as issuing alerts, automatically intercepting high-risk transactions, or executing higher-level verification procedures. This not only improves the accuracy of risk detection but also enables risk management to dynamically adapt to changes in user behavior patterns in real time, thereby comprehensively improving user experience and platform security.

[0079] In one embodiment, step S2, which aligns device identifier data from the same user across different preset platforms using a federated learning framework to generate a unified device identifier across preset platforms, includes:

[0080] S201: Obtain device identification data from multiple preset platforms;

[0081] S202: Using a preset global device identifier association model, each device identifier data is judged to classify device identifier data belonging to the same user, thereby obtaining a device identifier dataset for each user; wherein, the global device identifier association model is learned based on a federated learning framework;

[0082] S203: Based on the device identifier dataset, associate the device identifier data used by the corresponding user, and assign a corresponding unified device identifier to the user.

[0083] As described in step S201 above, user device identification data is obtained from multiple preset platforms (such as e-commerce websites, social networks, advertising services, etc.). Device identification data typically includes unique identifiers for the device, such as the Google Advertising ID (GAID) of a mobile device, Apple's Advertising Identifier (IDFA), and cookies from web browsers. This data can be collected through API calls, data transfer, or data push. Different platforms may use different data formats and structures; therefore, the system needs to standardize and format data of different formats to ensure the consistency and comparability of device identification data. Furthermore, due to user privacy concerns, relevant privacy protection regulations must be followed during the collection process to ensure that users' personal information is not leaked. Data collection should be conducted without affecting user experience and de-identification methods should be applied to ensure that only the minimum necessary data is used throughout the entire data processing flow.

[0084] As described in step S202 above, device identifier data is determined using a pre-set global device identifier association model. A pre-trained global device identifier association model is used to analyze and determine multiple acquired device identifier data. This global model is built on a federated learning framework and can iteratively improve through model parameter updates uploaded from various platforms without directly accessing the user's original data. The device identifier data input into this association model undergoes feature processing, including analyzing the correlation between these identifiers, user behavior habits, and contextual information. The model is trained using a labeled dataset to learn the implicit relationships between device identifiers. The determination process outputs a probability value indicating the likelihood that two device identifiers belong to the same user. Based on this output, device identifiers with probability values ​​exceeding a set threshold are classified under the same user, forming a device identifier dataset for each user.

[0085] As described in step S203 above, based on the generated device identifier dataset, the device identifier data for each user is associated, and a unified device identifier is assigned. The generation of this identifier signifies the effective integration of user identities across different platforms. This process mainly includes several key steps: First, the system retrieves the categorized device identifier dataset and analyzes the characteristics and user behaviors of each identifier. Next, the system applies a pattern matching algorithm to this device identifier data to identify and summarize user behavioral characteristics. These characteristics are not limited to operation frequency and usage scenarios but also include limited features such as time and geographical location. Then, for each user within the same type of device identifier dataset, the system assigns a unique unified device identifier as their unique identity across all platforms, facilitating cross-source identification and analysis. This assignment process helps ensure continuous data tracking and analysis across different platforms, thereby supporting user behavior monitoring and risk assessment.

[0086] In one embodiment, before step S202, which involves using a preset global device identifier association model to determine the various device identifier data to classify device identifier data belonging to the same user and obtain a device identifier dataset for each user, the method further includes:

[0087] S2011: Obtain device identification data and corresponding user account data based on local storage for each preset platform, and train the model parameters of the device identification association sub-model;

[0088] S2012: By using a preset security aggregation algorithm, aggregate the various model parameters to form the global device identifier association model.

[0089] As described in step S2011 above, device identifier data and user account data are acquired to train a sub-model. Device identifier data and corresponding user account data are collected from the local storage of each preset platform. Device identifier data is a unique identifier for user behavior on different devices, including GAID for mobile phones, IDFA for tablets, and cookies for web applications. These identifiers allow product teams to track user activity across different platforms. User account data is typically user registration information associated with the device identifier, including the user's login account, account creation time, usage habits, and historical operation records. The system constructs a device identifier association sub-model based on the device identifier data and corresponding user account data. During this process, each platform can use existing user behavior data locally (such as device login history and operation behavior) and train a sub-model suitable for its own environment based on this data. The purpose of this sub-model is to capture user usage patterns in the application to achieve accurate association of user identifiers. The output parameters of each platform's local sub-model will be used for subsequent global parameter aggregation, which improves the accuracy of device identifier recognition without leaking user privacy. After training, the system will prepare the device identifier association sub-model parameters for each platform for subsequent aggregation processing.

[0090] As described in step S2012 above, model parameters are aggregated using a preset secure aggregation algorithm. This algorithm aggregates the parameters of the device identifier association sub-models generated by various preset platforms to form a global device identifier association model. First, the system collects the model parameters trained locally on each platform, typically including model weights and gradient information. These parameters are uploaded to a centralized server in an encrypted manner to ensure that original user data is not leaked. Subsequently, the server performs secure aggregation, integrating and averaging the model parameters uploaded from different platforms using effective algorithms. Common secure aggregation algorithms include differential privacy and homomorphic encryption, which encrypt and process the parameters to ensure that the server cannot identify specific user identifiers. Through this aggregation process, the system forms a comprehensive global device identifier association model. This model integrates the learning results of various sub-platforms, fully utilizing the data features and behavioral patterns of multiple preset platforms to implement cross-platform user device identification. After generating the global device identifier association model, the system can more effectively perform subsequent device identifier data discrimination tasks, improving the accuracy of user identification while ensuring full protection of user privacy during data processing. The device identifier association sub-model employs a Transformer-based encoder structure, with the training objective being to maximize the similarity of the embedding vectors of different device identifiers for the same user (using cosine similarity loss). The secure aggregation algorithm uses the FedAvg algorithm with differential privacy, adding Gaussian noise conforming to (ε, δ)-differential privacy before aggregating gradients on the central server.

[0091] In one embodiment, step S4, which involves constructing spatiotemporal behavioral features representing each user based on the unified device identifier and the user dataset to obtain a spatiotemporal behavioral feature set, includes:

[0092] S401: Extract the time series of operation data and the corresponding geographic location series from the user dataset for each user;

[0093] S402: Extract features from the time series to obtain time series features; wherein, the time series features include behavior frequency, behavior periodicity, behavior interval distribution, and activity level in a specific time period;

[0094] S403: The temporal features and the geographic location sequence are fused and encoded to generate the user's spatiotemporal behavior feature vector.

[0095] As described in step S401 above, the time series and geographic location series of the operation data in each user's corresponding user dataset are extracted. Specific operation data is extracted from each user's user dataset, mainly including two important information dimensions: time series and geographic location series. Operation data typically records the user's specific behaviors on the platform, including the timestamp of each operation and the user's current location. For example, operation data may include the time a user browsed a product, the time a purchase was made, or the time node when certain interactive behaviors were completed. The time series refers to the timestamp records of all operations; this time information not only shows the user's active time periods but also reflects the changing trends of user behavior. The geographic location series records the user's geographic location information when performing operations, usually obtained through GPS positioning. Extracting and locating the user's time series and geographic location series into the same structure facilitates subsequent analysis and feature extraction, laying the foundation for constructing spatiotemporal behavioral features, forming a longitudinal time series graph of user behavior, and providing necessary data support for subsequent time series feature extraction and in-depth analysis of behavioral patterns.

[0096] As described in step S402 above, feature extraction is performed on the time series data to obtain temporal features. Further feature extraction is then conducted on the extracted time series data to better characterize user behavior patterns. This involves transforming the original time series data into a series of quantifiable temporal features, which can be used to analyze user behavior patterns across different time ranges. Specifically, firstly, the system calculates the user's behavior frequency, i.e., the number of times the user performs actions within a specific time period. This indicator helps identify the user's activity level. Furthermore, the system analyzes the user's behavioral cycle patterns, using periodic analysis techniques (such as Fourier transform) to identify peak and trough periods in user behavior, revealing whether there are relatively fixed behavioral patterns, such as differences in the frequency of weekend shopping or weekday usage. Next, the behavioral interval distribution is calculated. By analyzing the intervals between each user's actions, the system derives the user's operating habits, such as frequent short-term use or long periods of inactivity. Additionally, the activity level of each user in different time periods is evaluated to obtain activity levels for specific time periods, helping the system identify the user's active periods and providing a basis for subsequent decision-making.

[0097] As described in step S403 above, the temporal features and geographic location sequences are fused and encoded to generate a user's spatiotemporal behavior feature vector. First, the system performs size matching and format standardization on the temporal features and geographic location sequences to ensure effective fusion. Temporal features are generally numerical data, such as frequency and activity periods, while geographic location sequences may be latitude and longitude coordinates or geographic identifiers. To achieve fusion, various encoding methods can be used, such as converting geographic locations into numerical features through one-hot encoding, or using methods like coordinate embedding to ensure they are in the same dimension as the temporal features. Next, the system can choose methods such as concatenation to combine these two parts of data into a unified user spatiotemporal behavior feature vector. This feature vector integrates the characteristics of both the time and spatial dimensions, comprehensively reflecting the user's behavioral state at different times and locations. This spatiotemporal behavior feature vector will provide a rich data background for subsequent risk analysis and judgment.

[0098] In one embodiment, step S5, which involves analyzing the spatiotemporal behavioral feature set using a preset graph neural network to generate a risk propagation subgraph, includes:

[0099] S501: Using each of the unified device identifiers as nodes, construct an initial association graph based on the operation data in the user dataset;

[0100] S502: Use the spatiotemporal behavior feature vectors corresponding to each user in the spatiotemporal behavior feature set as the attribute features of the corresponding nodes in the initial association graph to obtain the intermediate association graph;

[0101] S503: Analyze the intermediate association graph using a graph attention network to calculate the attention weights and association strengths between nodes;

[0102] S504: Identify local substructures in the intermediate association graph that have abnormal connection patterns or abnormal association strengths based on the attention weights and association strengths between the nodes;

[0103] S505: Extract the local substructure from the intermediate association graph and use it as the risk propagation subgraph.

[0104] As described in step S501 above, an initial association graph is constructed using each unified device identifier as a node. The key to constructing this graph lies in effectively associating the user's device identifier with their operational behavior on the platform. The nodes in the initial association graph represent different users' device identifiers (i.e., unified device identifiers), such as the GAID of a mobile device or a cookie from a web browser. Multiple dimensions of operational data (such as login information, click records, and purchase history) will provide edges connecting these device identifiers. Specifically, if a user uses multiple devices under the same account, these device identifiers are interconnected. In the association graph, the edge weights can be set to represent the frequency of shared or alternating use in user operations; thus, connections between frequently used devices will have higher weights. By constructing the initial association graph, the system can depict the user's cross-device usage behavior and the relationships between devices, laying the foundation for subsequent analysis. This initial graph provides a good foundation for subsequent feature extraction and anomaly analysis. Through these graph structures, the system can gradually identify potential risk patterns.

[0105] As described in step S502 above, the spatiotemporal behavior feature vectors of each user in the extracted spatiotemporal behavior feature set are used as attribute features of the corresponding nodes in the initial association graph to generate an intermediate association graph. Specifically, each user's spatiotemporal behavior feature vector contains multiple indicators of the user, such as behavior frequency, active time period, and geographical location information. These feature vectors can provide background information for the user's device identification, enabling the system to consider not only their connection status but also their behavior patterns under specific conditions when analyzing the relationships between devices. Therefore, these feature vectors are attached to the nodes of the association graph to form the intermediate association graph. The construction of the intermediate association graph can provide more detailed background information between nodes, ensuring that any analysis is not merely based on a static connection structure but is supported by actual user behavior data.

[0106] As described in step S503 above, attention weights and association strengths are calculated. A Graph Attention Network (GAT) is used to analyze the generated intermediate association graph, calculating the attention weights and association strengths between nodes. A Graph Attention Network is a variant of a Graph Neural Network, possessing powerful capabilities for processing graphical data and handling node features, assigning different weights to nodes based on specific attention mechanisms. In practice, for each node in the intermediate association graph, GAT calculates its "attention weights" with neighboring nodes. These weights reflect the relative importance of each node during information propagation. In other words, the attention mechanism automatically adjusts the dynamics of information transmission, encouraging the system to pay more attention to other nodes that are closely connected to or significantly associated with the input node. Simultaneously, the system also calculates the "association strength" of the edges connected to each node, reflecting the strength and stability of the relationships between nodes. This analysis helps identify potentially anomalous connection patterns, such as abnormally increased association strength caused by devices connecting to each other at abnormal frequencies.

[0107] As described in step S504 above, abnormal local substructures in the intermediate association graph are identified based on the attention weights and association strengths calculated between nodes. Specifically, the system first sets certain standards to determine the difference between "normal" and "abnormal" connections. For example, if the attention weight of a node is significantly higher than the preset standard, it indicates that the relationship between that node and other nodes is outside the normal range. In addition, based on the association strength data, the system can calculate the connection density of a node and its neighborhood. Simultaneously, dynamic changes in nodes (such as a sudden increase in activity frequency) can also be used as a basis for anomaly detection. By combining the comprehensive analysis of attention weights and connection strengths, the system can identify some local substructures with abnormal connection patterns from the intermediate association graph. These abnormal structures may reflect a pattern of collusion or coordination; for example, a user using multiple devices through different accounts to engage in fraudulent transactions may form a cluster with abnormal connection strengths among these devices.

[0108] As described in step S505 above, local substructures are extracted as risk propagation subgraphs. The identified abnormal local substructures are extracted from the intermediate association graph to form the risk propagation subgraph. This establishes an understanding of potential anomalies. These abnormal local substructures not only represent the connections between device identifiers, but more importantly, they reveal potentially hidden fraudulent behaviors. For example, when multiple device identifiers are interconnected through abnormal connection patterns (such as frequently sharing the same IP address or frequently swapping devices within a short period), it indicates that this behavioral data carries significant risk. These subgraphs will include nodes and edges whose correlation and connection patterns exceed normal ranges, thus providing strong evidence for subsequent risk assessment. By using the risk propagation subgraph as an important input for the next step, the system can further analyze its potential effects and impacts, and combine this with user behavior characteristics to support decision-making. This not only improves risk identification capabilities but also enhances the overall effectiveness of the anti-fraud system, enabling it to monitor and combat more complex and covert fraudulent activities.

[0109] In one embodiment, step S6, which involves performing risk assessment on the risk propagation subgraph to obtain a risk assessment result, includes:

[0110] S601: Input the topological structure information of the risk propagation subgraph and the spatiotemporal behavioral feature vectors corresponding to each node in the risk propagation subgraph into the pre-trained large language model;

[0111] S602: Obtain the risk assessment result output by the large language model for the risk propagation subgraph.

[0112] As described in step S601 above, the topological structure information and feature vectors of the risk propagation subgraph are input into a pre-trained large language model (LLM). The system's goal is to input detailed information and relevant features of the risk propagation subgraph into a pre-trained LLM to provide strong support for subsequent risk assessment. This process is crucial because it combines the structural information of the graph with the attribute features of the nodes, meaning the system will utilize two information sources to enhance the accuracy and reliability of risk assessment. First, the topological structure information of the risk propagation subgraph includes the connection relationships between nodes, edge weights, and the relative position of each node in the graph. This information constitutes the overall architecture of the network, helping the system understand how different devices, users, and their activities interact and influence each other. Simultaneously, the spatiotemporal behavioral feature vectors corresponding to each node in risk propagation carry specific details of each user's behavioral pattern, including behavioral frequency, active time, and geographical location information. After integrating these two parts of information, the system will format them into an input format suitable for the LLM. Specifically, structured graph information and vector features can be converted into text descriptions or embeddings in a specific format. This involves describing the topology of the risk propagation subgraph using an adjacency list or edge list format, and appending the spatiotemporal behavioral feature vectors corresponding to each node as key-value pairs to the node description, thus concatenating them into a structured text. This text is then combined with a pre-defined risk analysis prompt template to form the complete input for the large language model. This allows the LLM to effectively understand the input content. Through this complex information integration, the system can rely on the in-depth analysis and comprehensive risk assessment results generated by the LLM in subsequent steps.

[0113] As described in step S602 above, to obtain the risk assessment results output by the Large Language Model (LLM), firstly, after receiving input, the LLM utilizes its powerful language understanding and generation capabilities to extract the meaning of potential risk patterns. Based on rich knowledge background and training data, the LLM can determine whether the relationships between nodes shown in the risk propagation subgraph conform to known fraud behavior characteristics. This may include identifying high-risk user groups, handling atypical behavior patterns, and abnormal distribution of correlation. Through multi-level analysis of the input data, the LLM can output a series of information, including but not limited to risk assessment scores, descriptions of potential risks, explanations of abnormal behavior, and suggested risk handling strategies. For example, the LLM may output a result similar to "This user has abnormal interactions with X devices, the risk score reaches 85%, and manual review is recommended." Ultimately, the authoritative risk assessment results will provide a basis for business parties to respond to risk status, such as triggering anti-fraud strategies, implementing early warning measures, or conducting additional verification. Through this analysis result, business parties can respond to complex fraud risks more dynamically and accurately, significantly improving the overall effectiveness of the anti-fraud system.

[0114] In one embodiment, after step S6 of performing risk assessment on the risk propagation subgraph to obtain the risk assessment result, the method further includes:

[0115] S701: Determine the comprehensive risk level corresponding to the risk propagation subgraph based on the risk confidence score in the risk assessment results;

[0116] S702: Obtain the target behavior data corresponding to the user based on the risk propagation subgraph;

[0117] S703: Determine the current business scenario based on the target behavior data;

[0118] S704: Generate a risk management strategy based on the comprehensive risk level and the current business scenario.

[0119] As described in step S701 above, the corresponding comprehensive risk level is determined based on the risk confidence score in the risk assessment results. Firstly, during the risk assessment process, the risk confidence score output by the Large Language Model (LLM) is the core indicator for quantifying the degree of risk. It is typically a value between 0 and 1, representing the model's confidence level in the current risk state. This score is obtained by analyzing the characteristics and connection patterns of each node in the risk propagation subgraph. The score reflects not only the risk level of a single user behavior but also the complexity of the overall risk environment. When the score exceeds a certain preset threshold, it may indicate a high risk of fraud for the user behavior, requiring timely control measures to prevent losses. The determination of the comprehensive risk level is based on certain rules, such as dividing the risk confidence score range into multiple levels (e.g., low, medium, high, very high), and processing each range accordingly according to a predetermined strategy. The system may set boundaries for the comprehensive risk level, for example: 0.0-0.3 for low risk, 0.3-0.7 for medium risk, 0.7-0.9 for high risk, and greater than 0.9 for very high risk. Through such comprehensive analysis, the system can integrate a comprehensive and actionable risk level, providing a scientific basis for subsequent risk management and response measures.

[0120] As described in step S702 above, the system acquires target behavior data corresponding to the user. Based on the generated risk propagation sub-graph and risk assessment results, the system obtains target behavior data associated with a specific user. This process is crucial for clarifying the user's behavioral motivations and background. Target behavior data provides information closely related to the user's current state and behavior, enabling a better understanding of potential risks. Target behavior data typically refers to the user's specific operation records within a specific time period. These records include transactions, interactions, and behavioral sequences performed by the user while using the platform. This data is not merely isolated click and purchase records, but should be considered a comprehensive collection of behavioral patterns exhibited by the user during interaction with the platform. The acquisition process may include querying the database and extracting all corresponding behavioral records from the user dataset based on the user's unified device identifier or user account. The integration of this behavioral data helps the system identify whether the user has engaged in abnormal operations and analyze whether these behaviors are consistent with the high-risk characteristics in the risk assessment results. Through this step, the system can provide more accurate information support for the subsequent development of targeted risk management strategies, ensuring the effectiveness of risk management.

[0121] As described in step S703 above, the current business scenario is determined based on the user's target behavior data. The goal of this step is to comprehensively consider the user's current behavioral context, identify the actual environment in which their actions occur, and dynamically adjust risk management strategies. Determining the current business scenario typically encompasses several levels: First, based on timestamp data, the system can analyze the time period in which the user's behavior occurs. For example, user transactions occurring during promotional seasons, weekends, or holidays usually influence user behavior patterns and expected reactions. Second, geographic location information is also extremely important; users may exhibit different purchasing or consumption behaviors in specific areas (such as holiday tourist hotspots, business districts, etc.), which may reflect the market demand characteristics in that scenario. Third, platform activity types (such as new product launches, promotional offers, etc.) can also serve as entry points for analysis. Combining this scenario information helps the system understand whether the risk characteristics of user behavior will differ due to changes in the scenario. By analyzing this information, the system can place user behavior in a more comprehensive and dynamic context, making risk assessment and management more forward-looking. Given that different business scenarios may have different risk characteristics, this step ensures the rationality and targeting of subsequent risk handling strategies, thereby improving the overall effectiveness of the anti-fraud system.

[0122] As described in step S704 above, based on the determined comprehensive risk level and the analysis results of the current business scenario, a corresponding risk management strategy is generated. First, determining the comprehensive risk level provides a basic direction for strategy formulation. For users with high or extremely high risk levels, the system may need to take stricter measures, such as real-time interception, manual review, and restrictions on account transaction functions; while for low-risk users, only routine monitoring and necessary reminders may be required. Second, combined with the current business scenario (e.g., promotional activities, peak shopping periods), the system can dynamically adjust the intensity and type of strategy execution. During promotions, normal user behavior is allowed more flexibly, rather than strictly monitoring all activities. The strategy generation process may include matching corresponding risk management rules from a predefined strategy library or using machine learning algorithms to generate highly targeted adaptive strategies. Combining the comprehensive risk level and business scenario information, the system can provide customized risk management for different users, ultimately achieving effective control over fraudulent behavior while minimizing interference with normal user behavior and ensuring a good user experience. Through this process, the system can not only respond promptly to the current risk situation, but also flexibly adjust its handling methods when potential risks arise in the future, thereby improving the level of anti-fraud management.

[0123] Reference Figure 3 The present invention also provides a risk assessment device for behavioral data, the device comprising:

[0124] The data acquisition module 902 is used to acquire multiple behavioral data from different preset platforms; wherein each behavioral data includes device identification data and user data, and the user data includes at least operation data and geographical location information;

[0125] Alignment module 904 is used to align device identifier data from the same user on different preset platforms based on the federated learning framework, and generate a unified device identifier across preset platforms.

[0126] The collection module 906 is used to collect user data of the same user to obtain a user dataset.

[0127] The construction module 908 is used to construct spatiotemporal behavioral features representing each user based on the unified device identifier of each user and the user dataset, so as to obtain a spatiotemporal behavioral feature set;

[0128] Analysis module 910 is used to analyze the spatiotemporal behavioral feature set using a preset graph neural network to generate a risk propagation subgraph;

[0129] The determination module 912 is used to determine the risk of the risk propagation subgraph and obtain the risk determination result.

[0130] In one embodiment, the alignment module 904 includes:

[0131] The device identification data acquisition submodule is used to acquire multiple device identification data from different preset platforms;

[0132] The device identifier data discrimination submodule is used to discriminate each device identifier data through a preset global device identifier association model, so as to classify the device identifier data belonging to the same user and obtain the device identifier dataset for each user; wherein, the global device identifier association model is learned based on a federated learning framework;

[0133] The device identifier data association submodule is used to associate the device identifier data used by the corresponding user with the device identifier dataset, and to assign the corresponding unified device identifier to the user.

[0134] In one embodiment, the alignment module 904 further includes:

[0135] The user account data acquisition submodule is used to acquire device identification data and corresponding user account data based on local storage of various preset platforms, and to train the model parameters of the device identification association sub-model.

[0136] The model parameter aggregation submodule is used to aggregate the various model parameters through a preset secure aggregation algorithm to form the global device identifier association model.

[0137] In one embodiment, the building module 908 includes:

[0138] The sequence extraction submodule is used to extract the time series of operation data and the corresponding geographical location series of each user's data set.

[0139] The feature extraction submodule is used to extract features from the time series to obtain temporal features; wherein, the temporal features include behavior frequency, behavior periodicity, behavior interval distribution, and activity level in a specific time period;

[0140] The fusion encoding submodule is used to fuse and encode the temporal features with the geographic location sequence to generate the user's spatiotemporal behavioral feature vector.

[0141] In one embodiment, the analysis module 910 includes:

[0142] The initial association graph construction submodule is used to construct an initial association graph based on the operation data in the user dataset, with each of the unified device identifiers as nodes.

[0143] The tagging submodule is used to take the spatiotemporal behavior feature vectors corresponding to each user in the spatiotemporal behavior feature set as the attribute features of the corresponding nodes in the initial association graph to obtain the intermediate association graph.

[0144] The intermediate association graph analysis submodule is used to analyze the intermediate association graph using a graph attention network and calculate the attention weights and association strengths between nodes.

[0145] The intermediate association graph identification submodule is used to identify local substructures in the intermediate association graph that have abnormal connection patterns or abnormal association strengths based on the attention weights and association strengths between the nodes.

[0146] The local substructure extraction submodule is used to extract the local substructure from the intermediate association graph and use it as the risk propagation subgraph.

[0147] In one embodiment, the determination module 912 includes:

[0148] The spatiotemporal behavior feature vector input submodule is used to input the topological structure information of the risk propagation subgraph and the spatiotemporal behavior feature vectors corresponding to each node in the risk propagation subgraph into the pre-trained large language model.

[0149] The risk assessment result acquisition submodule is used to acquire the risk assessment result output by the large language model for the risk propagation subgraph.

[0150] In one embodiment, the risk assessment device for the behavioral data further includes:

[0151] The comprehensive risk level determination module is used to determine the comprehensive risk level corresponding to the risk propagation subgraph based on the risk confidence score in the risk assessment result.

[0152] The target behavior data acquisition module is used to acquire target behavior data corresponding to users based on the risk propagation subgraph.

[0153] The current business scenario determination module is used to determine the current business scenario based on the target behavior data;

[0154] The risk management strategy generation module is used to generate risk management strategies based on the comprehensive risk level and the current business scenario.

[0155] Figure 4 An internal structural diagram of an electronic device in one embodiment is shown. This electronic device can specifically be a terminal or a server, and more specifically, a computer device. Figure 4As shown, the electronic device includes a processor, a memory, and a network interface connected via a system bus. The memory includes a non-volatile storage medium and internal memory. The non-volatile storage medium stores an operating system and may also store a computer program. When executed by the processor, this computer program enables the processor to implement a risk assessment method for behavioral data. The internal memory may also store a computer program, which, when executed by the processor, enables the processor to implement the risk assessment method for behavioral data. Those skilled in the art will understand that... Figure 4 The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the electronic device to which the present application is applied. The specific electronic device may include more or fewer components than shown in the figure, or combine certain components, or have different component arrangements.

[0156] In one embodiment, an electronic device is provided, including a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the following steps:

[0157] Collect multiple behavioral data from different preset platforms; each behavioral data includes device identification data and user data, wherein the user data includes at least operation data and geographical location information;

[0158] Based on the federated learning framework, device identification data of the same user from different preset platforms are aligned to generate a unified device identification across preset platforms.

[0159] Collect user data from the same user to obtain a user dataset;

[0160] Based on the unified device identifier of each user and the user dataset, spatiotemporal behavioral features representing each user are constructed to obtain a spatiotemporal behavioral feature set;

[0161] The spatiotemporal behavioral feature set is analyzed using a pre-defined graph neural network to generate a risk propagation subgraph;

[0162] Risk assessment is performed on the risk propagation subgraph to obtain the risk assessment result.

[0163] By constructing user behavior features that integrate spatiotemporal dimensions, the accuracy of abnormal behavior identification has been significantly improved, and the false positive rate during peak business periods has been reduced. By using graph neural networks to analyze the correlation between behavioral features and generate risk propagation subgraphs, hidden fraud networks can be effectively revealed, enabling precise strikes against collaborative cheating. This not only greatly improves the efficiency and accuracy of fraud detection, but also allows for dynamic adjustment of strategies based on business scenarios, reducing false positives while ensuring normal business operations, thus providing a solution for anti-fraud in cross-border business.

[0164] In one embodiment, a computer-readable storage medium is provided storing a computer program that, when executed by a processor, causes the processor to perform the following steps:

[0165] Collect multiple behavioral data from different preset platforms; each behavioral data includes device identification data and user data, wherein the user data includes at least operation data and geographical location information;

[0166] Based on the federated learning framework, device identification data of the same user from different preset platforms are aligned to generate a unified device identification across preset platforms.

[0167] Collect user data from the same user to obtain a user dataset;

[0168] Based on the unified device identifier of each user and the user dataset, spatiotemporal behavioral features representing each user are constructed to obtain a spatiotemporal behavioral feature set;

[0169] The spatiotemporal behavioral feature set is analyzed using a pre-defined graph neural network to generate a risk propagation subgraph;

[0170] Risk assessment is performed on the risk propagation subgraph to obtain the risk assessment result.

[0171] By constructing user behavior features that integrate spatiotemporal dimensions, the accuracy of abnormal behavior identification has been significantly improved, and the false positive rate during peak business periods has been reduced. By using graph neural networks to analyze the correlation between behavioral features and generate risk propagation subgraphs, hidden fraud networks can be effectively revealed, enabling precise strikes against collaborative cheating. This not only greatly improves the efficiency and accuracy of fraud detection, but also allows for dynamic adjustment of strategies based on business scenarios, reducing false positives while ensuring normal business operations, thus providing a solution for anti-fraud in cross-border business.

[0172] Those skilled in the art will understand that all or part of the processes in the above embodiments can be implemented by a computer program instructing related hardware. The program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments described above. Any references to memory, storage, databases, or other media used in the embodiments provided in this application can include non-volatile and / or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in various forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), dual data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), RAMbus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and RAMbus dynamic RAM (RDRAM), etc.

[0173] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.

[0174] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this patent application should be determined by the appended claims.

Claims

1. A method for risk assessment of behavioral data, characterized in that, The method includes: Collect multiple behavioral data from different preset platforms; each behavioral data includes device identification data and user data, wherein the user data includes at least operation data and geographical location information; Based on the federated learning framework, device identification data of the same user from different preset platforms are aligned to generate a unified device identification across preset platforms. Collect user data from the same user to obtain a user dataset; Based on the unified device identifier of each user and the user dataset, spatiotemporal behavioral features representing each user are constructed to obtain a spatiotemporal behavioral feature set; The spatiotemporal behavioral feature set is analyzed using a pre-defined graph neural network to generate a risk propagation subgraph; Risk assessment is performed on the risk propagation subgraph to obtain the risk assessment result; The step of analyzing the spatiotemporal behavioral feature set using a preset graph neural network to generate a risk propagation subgraph includes: Using the unified device identifiers as nodes, an initial association graph is constructed based on the operation data in the user dataset; The spatiotemporal behavior feature vectors corresponding to each user in the spatiotemporal behavior feature set are used as the attribute features of the corresponding nodes in the initial association graph to obtain the intermediate association graph. The intermediate association graph is analyzed using a graph attention network to calculate the attention weights and association strengths between nodes; Identify local substructures with anomalous connection patterns or anomalous association strength in the intermediate association graph based on the attention weights and association strengths between the nodes. The local substructure is extracted from the intermediate association graph and used as the risk propagation subgraph.

2. The method for risk assessment of behavioral data according to claim 1, characterized in that, The step of aligning device identifier data from the same user across different preset platforms using a federated learning framework to generate a unified device identifier across preset platforms includes: Acquire device identification data from multiple preset platforms; By using a pre-defined global device identifier association model, each device identifier data is identified to classify device identifier data belonging to the same user, thereby obtaining a device identifier dataset for each user; wherein, the global device identifier association model is learned based on a federated learning framework; Based on the device identifier dataset, the device identifier data used by the corresponding user is associated, and a corresponding unified device identifier is assigned to the user.

3. The method for risk assessment of behavioral data according to claim 2, characterized in that, Before the step of classifying device identifier data belonging to the same user by judging each device identifier data through a preset global device identifier association model to obtain the device identifier dataset for each user, the method further includes: Obtain device identification data and corresponding user account data based on local storage from each preset platform, and train the model parameters of the device identification association sub-model; The model parameters are aggregated using a preset security aggregation algorithm to form the global device identifier association model.

4. The risk assessment method for behavioral data according to claim 1, characterized in that, The step of constructing spatiotemporal behavioral features representing each user based on the unified device identifier of each user and the user dataset to obtain a spatiotemporal behavioral feature set includes: Extract the time series of operation data and the corresponding geographic location series from the user dataset for each user; Feature extraction is performed on the time series to obtain temporal features; wherein, the temporal features include behavior frequency, behavior periodicity, behavior interval distribution, and activity level in a specific time period; The temporal features are fused and encoded with the geographic location sequence to generate the user's spatiotemporal behavioral feature vector.

5. The method for risk assessment of behavioral data according to claim 1, characterized in that, The step of performing risk assessment on the risk propagation subgraph to obtain the risk assessment result includes: The topological structure information of the risk propagation subgraph and the spatiotemporal behavioral feature vectors corresponding to each node in the risk propagation subgraph are input into the pre-trained large language model. Obtain the risk assessment result output by the large language model for the risk propagation subgraph.

6. The method for risk assessment of behavioral data according to claim 5, characterized in that, After the step of performing risk assessment on the risk propagation subgraph and obtaining the risk assessment result, the method further includes: Based on the risk confidence score in the risk assessment results, the comprehensive risk level corresponding to the risk propagation subgraph is determined; Obtain the target behavior data corresponding to the user based on the risk propagation subgraph; The current business scenario is determined based on the target behavior data; A risk management strategy is generated based on the overall risk level and the current business scenario.

7. A risk assessment device for behavioral data, characterized in that, The device includes: The data acquisition module is used to collect multiple behavioral data from different preset platforms; each behavioral data includes device identification data and user data, wherein the user data includes at least operation data and geographic location information. The alignment module is used to align device identifier data from the same user on different preset platforms based on the federated learning framework, and generate a unified device identifier across preset platforms. The collection module is used to aggregate user data from the same user to obtain a user dataset. The construction module is used to construct spatiotemporal behavioral features representing each user based on the unified device identifier of each user and the user dataset, so as to obtain a spatiotemporal behavioral feature set; The analysis module is used to analyze the spatiotemporal behavioral feature set using a preset graph neural network to generate a risk propagation subgraph; The judgment module is used to perform risk judgment on the risk propagation subgraph and obtain the risk judgment result; The analysis module includes: The initial association graph construction submodule is used to construct an initial association graph based on the operation data in the user dataset, with each of the unified device identifiers as nodes. The tagging submodule is used to take the spatiotemporal behavior feature vectors corresponding to each user in the spatiotemporal behavior feature set as the attribute features of the corresponding nodes in the initial association graph to obtain the intermediate association graph. The intermediate association graph analysis submodule is used to analyze the intermediate association graph using a graph attention network and calculate the attention weights and association strengths between nodes. The intermediate association graph identification submodule is used to identify local substructures in the intermediate association graph that have abnormal connection patterns or abnormal association strengths based on the attention weights and association strengths between the nodes. The local substructure extraction submodule is used to extract the local substructure from the intermediate association graph and use it as the risk propagation subgraph.

8. A computer-readable storage medium, characterized in that, The system contains a computer program that, when executed by a processor, causes the processor to perform the steps of the risk assessment method for behavioral data as described in any one of claims 1 to 6.

9. An electronic device, characterized in that, The device includes a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the steps of the risk assessment method for behavioral data as described in any one of claims 1 to 6.