MLP telecom fraud intelligent identification system based on multi-dimensional feature fusion

The MLP-based intelligent identification system for telecommunications fraud, which integrates multi-dimensional feature fusion and combines edge computing and dynamic risk classification, solves the accuracy and privacy issues of traditional telecommunications anti-fraud systems when identifying new types of fraud, and achieves efficient and real-time fraud detection and identification.

CN122153592APending Publication Date: 2026-06-05WUHAN UNIV OF SCI & TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
WUHAN UNIV OF SCI & TECH
Filing Date
2026-03-09
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Traditional telecommunications anti-fraud systems rely on static rule bases or single-dimensional features, making it difficult to identify new and covert fraudulent activities, and posing a risk of privacy leaks.

Method used

The system employs a multi-dimensional feature fusion-based MLP-based intelligent identification system for telecommunications fraud. It integrates user static attributes, dynamic behaviors, and communication and social network features, and performs intelligent discrimination through a three-layer fully connected MLP model. It combines edge computing to achieve local data processing and real-time identification, dynamically registers fraudulent patterns, and performs risk-based classification and handling.

Benefits of technology

It improves the accuracy and real-time performance of fraud identification, reduces the false alarm rate, supports the detection of new fraud patterns, achieves long-term effectiveness and privacy compliance of the system, supports concurrent processing of millions of users per edge unit, and has low feature processing latency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122153592A_ABST
    Figure CN122153592A_ABST
Patent Text Reader

Abstract

The application relates to the field of telecommunication anti-fraud and artificial intelligence, and discloses an MLP telecommunication fraud intelligent identification system based on multi-dimensional feature fusion, which comprises a multi-source data acquisition and preprocessing module, a multi-dimensional feature extraction module, a feature selection and fusion module, an MLP classification module, a model training and optimization module, a fraud mode registration module, an online fraud identification and risk alarm module, a risk grading alarm module, a system closed-loop data bus and a fraud feature database management module; the system fuses three core dimensional features of user static attributes, dynamic behavior and communication social topology. In the application, the single-dimensional and rule-based limitations of traditional telecommunication fraud detection are broken, multi-dimensional features are fused, and an optimized MLP model is combined to realize intelligent discrimination, the risk of privacy leakage is avoided, the identification accuracy and real-time performance are improved, dynamic registration of the fraud mode and closed-loop iterative optimization of the system are supported, and the application adapts to the detection requirements of new concealed fraud behaviors.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the fields of telecommunications fraud prevention and artificial intelligence, and in particular to an MLP-based intelligent identification system for telecommunications fraud based on multi-dimensional feature fusion. Background Technology

[0002] Traditional telecommunications anti-fraud systems typically rely on static rule bases or single-dimensional features for detection, which has limited effectiveness in identifying new and covert fraudulent activities. For example, existing multi-dimensional monitoring systems mainly rely on pre-set rule matching for risk quantification, but this method depends on fixed rules and limited features, making it difficult to capture complex anomalies in user behavior and social networks. Furthermore, methods relying on call content analysis pose privacy risks. Therefore, a novel intelligent identification system is needed that does not rely on sensitive call content, integrates user static attributes, dynamic behaviors, and multi-dimensional features from communication and social networks, and utilizes deep learning models for non-linear discrimination to improve the accuracy and real-time performance of fraud identification. To address these issues, an MLP-based intelligent identification system for telecommunications fraud based on multi-dimensional feature fusion is proposed. Summary of the Invention

[0003] To overcome the above shortcomings, this invention provides an MLP-based intelligent identification system for telecommunications fraud based on multi-dimensional feature fusion, aiming to improve the problems of poor fraud identification performance, insufficient privacy compliance, and difficulty in dealing with new fraud patterns.

[0004] To achieve the above objectives, the present invention adopts the following technical solution: an MLP-based intelligent identification system for telecommunications fraud based on multi-dimensional feature fusion, comprising a multi-source data acquisition and preprocessing module, a multi-dimensional feature extraction module, a feature selection and fusion module, an MLP classification module, a model training and optimization module, a fraud pattern registration module, an online fraud identification and risk alarm module, a risk classification alarm module, a system closed-loop data bus, and a fraud feature database management module; the system integrates three core dimensions of user static attributes, dynamic behavior, and communication and social topology, and uses a three-layer fully connected MLP (Multilayer Perceptron) model to achieve intelligent identification of telecommunications fraud behavior, completes local data processing and feature extraction through edge computing units, and achieves fraud pattern matching and risk handling based on the risk control center platform. Each module completes real-time data interaction and instruction transmission through the system closed-loop data bus to achieve iterative optimization of the model and the fraud pattern library.

[0005] As a further description of the above technical solution:

[0006] The model training and optimization module constructs a training dataset containing 10 known types of fraud and normal communication scenarios, with 100,000 static-dynamic-social topology data pairs for each scenario. The training dataset is divided into training, validation, and test sets in chronological order. SMOTE oversampling is used on the training set to adjust the positive-to-negative sample ratio. A fixed random seed was used to ensure experimental repeatability; end-to-end supervised training was performed on the three-layer MLP model, employing... Cross-validation was used to verify the model's stability. The Adam optimizer was used for training, and an Early Stopping strategy was configured to prevent overfitting. The overall loss function for model training was a weighted sum of the triplet loss and the binary cross-entropy classification loss.

[0007] As a further description of the above technical solution:

[0008] The fraud-related pattern registration module collects multi-dimensional registration samples for fraud-related communication patterns, and the number of samples meets the following requirements. ,like The number of samples is then expanded to 10 using a label propagation algorithm; the samples undergo preprocessing, feature extraction, and fusion to generate a feature vector set, which is then... Outlier vectors with a cosine similarity to the main cluster center below 0.5 are removed through clustering. The remaining valid vectors are then aggregated using an arithmetic mean. Normalization generates a baseline feature vector; the number of effective samples is not less than 5. The baseline feature vector, the intra-class average similarity and variance of the corresponding pattern are all associated with the fraud-related pattern identifier and stored in the fraud-related feature database for dynamic threshold calculation.

[0009] As a further description of the above technical solution:

[0010] The online fraud identification and risk alert module collects multi-dimensional data of the user under test through an edge computing unit at a 5-second interval. A single edge computing unit supports concurrent processing of 1 million user data points per day, and the latency of feature extraction and fusion processing is less than [specified value]. Real-time fraud-related feature vectors are generated through preprocessing and feature fusion, based on the average intra-class similarity of fraud-related patterns. Average inter-class similarity between different fraud patterns According to the formula Calculate the dynamic judgment threshold ,and Based on the maximum cosine similarity between the real-time fraud-related feature vector and the baseline feature vector in the fraud-related feature database, a three-level risk classification and handling process is implemented, with the delay between the judgment result and the handling instruction being less than [a certain value]. .

[0011] As a further description of the above technical solution:

[0012] The multi-dimensional feature extraction module converts static attribute data, dynamic behavior data, and communication / social topology data into 64-dimensional, 128-dimensional, and 64-dimensional feature vectors, respectively. The feature selection and fusion module filters features based on the Gini importance of the ExtraTrees classifier, retaining features whose Gini importance is not less than the Gini importance of all extracted features. Percentile characteristics, Cross-validation is used to verify feature stability. If removing a feature causes the MLP model's validation set to degrade, the result is that the MLP model's validation set will be affected. The value decrease is greater than Then restore that feature; perform the following on the filtered feature vector: Norm normalization, sequentially spliced ​​and merged into The combined fraud-related representation vectors are then output to the MLP classification module.

[0013] As a further description of the above technical solution:

[0014] The MLP model is a three-layer fully connected neural network, with the input layer being... Dimension, first hidden layer The dimension uses the ReLU activation function, and the second hidden layer The dimension uses the ReLU activation function, and the output layer The dimension uses the Sigmoid activation function; the boundary value of the triplet loss is... , can Interval based on MLP model validation set Value optimization was performed, and a semi-hard negative example mining strategy was adopted for sampling; the weighting coefficients of the overall loss function were adjusted. , can Interval by validation set Value tuning; initial model learning rate is , can to Range optimization, batch size is The maximum number of training rounds is .

[0015] As a further description of the above technical solution:

[0016] The multi-source data acquisition and preprocessing module performs privacy-compliant processing locally on the edge computing unit, including user identifier hashing, sensitive field desensitization, and unnecessary data removal, and does not acquire user call content during the entire data acquisition and preprocessing process; after deduplication, missing value imputation, outlier filtering, standardization, and encoding, various types of data are converted into fixed-dimensional feature vectors, wherein static data is standardized using Z-score, dynamic data is normalized using RobustScaling, and social topology data is normalized using Min-Max, and all preprocessing operations comply with relevant telecommunications data security specifications.

[0017] As a further description of the above technical solution:

[0018] The system hardware architecture includes an operator edge computing unit and a risk control center platform. Each edge computing unit is configured with an 8-core CPU and 16GB of memory, responsible for data acquisition, privacy processing, preprocessing, and feature extraction and fusion. The risk control center platform runs a fraud-related feature database and a matching engine, responsible for pattern matching and risk management. Operator-compliant data sources connect to the system via encrypted interfaces, and data transmission uses the national standard SM4 encryption algorithm. All data interactions between system modules and between the edge computing unit and the risk control center platform are traceable and auditable. The system's closed-loop data bus has a transmission rate of no less than [missing information - likely a specific value] during data interaction between modules. It enables closed-loop feedback of manual review results and new samples, with the model incrementally updating weekly based on this closed-loop data. The fraud-related feature database adopts a distributed storage architecture, updating the average similarity within and between classes monthly. When the fluctuation of these two values ​​exceeds [a certain threshold], [further updates will be made]. The dynamic threshold is recalculated at any time.

[0019] The present invention has the following beneficial effects:

[0020] This invention breaks through the limitations of traditional single-dimensional and rule-based methods in telecommunications fraud detection. It integrates multi-dimensional features and combines them with an optimized MLP model to achieve intelligent discrimination. While avoiding privacy risks, it improves the accuracy and real-time performance of identification. It also supports dynamic registration of fraud patterns and closed-loop iterative optimization of the system, adapting to the detection needs of new and covert fraud behaviors. This invention constructs a multi-dimensional feature fusion system, combines SMOTE oversampling and hybrid loss function to optimize the MLP model, effectively solving the problem of positive and negative sample imbalance. The test set F1 score reaches 85.34% and the false alarm rate is less than 5%, which is a significant improvement in recognition performance compared with traditional models. It relies on edge computing to achieve local data processing without acquiring call content throughout the process, balancing privacy compliance and detection efficiency. A single edge unit supports millions of concurrent users with low processing latency. It also designs dynamic thresholds and a three-level risk handling mechanism to achieve accurate matching and hierarchical control of fraud behaviors. The system's closed-loop data bus can also continuously iterate the model and fraud pattern library to ensure the long-term effectiveness of the identification capability.

[0021] 1. In this invention, a three-dimensional feature extraction and fusion system of static, dynamic, and communication and social topology is constructed. Combined with SMOTE oversampling balanced training samples, and a hybrid loss function weighted by triplet loss and binary cross-entropy loss is used to train and optimize a three-layer MLP model, nonlinear intelligent discrimination of telecommunications fraud behavior is realized, which effectively improves the accuracy and stability of identification. The F1 score on the test set is ≥3.4% higher than that of the traditional baseline model, and the false alarm rate is controlled within 5%. It can effectively identify new and covert fraud patterns.

[0022] 2. In this invention, local privacy compliance processing and real-time data collection and calculation are completed through edge computing units. Feature extraction is achieved without obtaining user call content. Combined with the candidate expansion and clustering outlier elimination mechanism for fraud-related pattern registration, dynamic threshold matching and three-level risk classification strategy for online identification, high real-time performance, high adaptability and privacy security of fraud detection are achieved. A single edge unit supports concurrent processing of millions of users per day, with feature processing latency < 500ms. Moreover, the closed-loop data bus of the system can realize continuous iteration of the model and fraud-related pattern library, ensuring long-term updates of identification capabilities. Attached Figure Description

[0023] Figure 1 This is a structural block diagram of the MLP-based intelligent identification system for telecommunications fraud based on multi-dimensional feature fusion proposed in this invention. Detailed Implementation

[0024] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0025] Please see Figure 1 As shown, this invention provides a technical solution: an MLP-based intelligent identification system for telecommunications fraud based on multi-dimensional feature fusion, comprising the following modules:

[0026] Model training and optimization module: Constructs a training dataset containing 10 known fraud types and normal communication scenarios, with each scenario containing 100,000 pairs of static attribute data, dynamic behavioral data, and communication / social topology data. , among which tags (0 represents a normal user, 1 represents a user suspected of fraud). (0 represents normal scenarios, 1-10 represent 10 types of fraud-related scenarios); the training dataset is divided chronologically: data from January to August 2023 is the training set, data from September 2023 is the validation set, and data from October 2023 is the test set. The SMOTE oversampling strategy is used on the training set to adjust the positive-to-negative sample ratio from the original 1:100 to 1:1. Furthermore, the training process uses a fixed random seed of 42 to ensure experimental repeatability; the processed... An end-to-end supervised training was performed on a three-layer fully connected multilayer perceptron (MLP) model. The training was based on forward propagation and backpropagation algorithms, and the model parameters were updated by optimizing the loss function. The model stability was verified by 5-fold cross-validation during the training process.

[0027] Fraudulent Communication Pattern Registration Module: For newly identified or pre-defined typical fraudulent communication patterns k, multiple sets of static attribute data are obtained from compliant data sources of operators in a controlled or simulated fraudulent communication environment. Dynamic behavioral data Communication and social topology data Number of registered samples collected satisfy At that time, the system enters the waiting list registration mechanism, and expands the sample size to 10 using a label propagation algorithm combined with highly similar neighbors in the same group before further processing. After preprocessing, feature extraction, and feature fusion, each set of data generates a corresponding set of fraud-related feature vectors. ; Perform the following on the set first Clustering is performed to remove outlier vectors with a cosine similarity to the main cluster below 0.5. Then, aggregation is performed on the remaining vectors to generate a unique baseline feature vector for this fraudulent pattern. Simultaneously, the average similarity and variance within the pattern class are stored for subsequent dynamic threshold calculation, and the baseline feature vector is compared with the assigned fraud-related pattern identifier. Related data is stored in a database of fraud-related characteristics. In, that is If the number of valid samples after clustering is removed Then the alternate registration mechanism will be re-implemented until... ;

[0028] Online Fraud Identification and Risk Alert Module: When the operator's system conducts real-time fraud risk monitoring, the operator's edge computing unit collects static attribute data of the current user under test in real time with a collection cycle of 5 seconds. Dynamic behavioral data Communication and social topology data A single edge computing unit supports concurrent processing of 1 million user data points per day, with minimal latency in the entire feature extraction and fusion process. After undergoing the same preprocessing, feature extraction, and feature fusion process as the registration module, a real-time fraud-related feature vector is generated. ; using the cosine similarity calculation function to calculate and All The system compares data and identifies the user's fraudulent activity pattern based on preset matching rules. It then invokes a preset risk grading strategy corresponding to that pattern or generates dynamic risk assessment parameters to perform real-time fraud risk assessment and tiered handling. The assessment results and handling instructions are transmitted back to the operator's communication management system via a dedicated internal network line, with a transmission delay of [missing information]. .

[0029] Furthermore, feature extraction, feature fusion, model training loss function, and feature similarity calculation are defined as follows:

[0030] Three-dimensional deep feature extraction: Let the preprocessed static attribute data be... Dynamic behavioral data is Communication and social topology data is The three processes, through their respective preprocessing steps and feature encoding, output the original feature vectors before normalization:

[0031] ;

[0032] ;

[0033] ;

[0034] in, , , These are the sets of encoding parameters for three-dimensional features. , , These are the dimensions of static features, dynamic features, and social topology features, respectively. The static feature dimension is set to 64 dimensions, the dynamic feature dimension is set to 128 dimensions, and the social topology feature dimension is set to 64 dimensions.

[0035] Feature selection and normalization: Feature selection is performed based on a feature importance evaluation mechanism derived from model feedback. The specific process is as follows: Train the ExtraTrees classifier using the training set oversampled by SMOTE to obtain the Gini importance (feature_importance) for each feature; calculate the feature importance threshold. Take the 75th percentile of the importance distribution and retain... The features are defined; after embedding / normalizing the retained features, 5-fold cross-validation is used to fit the candidate features into the MLP validation set. If removing a feature causes a decrease in the F1 score of the validation set... Then restore it; the final feature set is sorted and truncated according to the frequency retained in the 5-fold selection, forming the final feature set after feature selection; the original feature vectors after selection are normalized by L2 norm to eliminate the influence of units and amplitudes and enhance their pattern discriminability. The normalization formula is:

[0036] , , ;

[0037] Feature fusion: The three-dimensional feature vectors after feature selection and L2 normalization are concatenated and fused to generate a joint fraud-related representation vector. :

[0038] ;

[0039] in, Describes the L2 norm of a vector. This indicates a vector concatenation operation, and the total dimension of the fused feature vector is 256.

[0040] Triple loss function (used for model training): In the training module, to enhance the inter-class separability of the feature space for different fraud-related patterns and the intra-class compactness of similar patterns, triple loss is used. For a triplet sample (anchor sample) Positive samples negative samples The loss is calculated as follows:

[0041] ;

[0042] in, For anchor sample feature vectors, To and same Positive sample feature vectors To and different The negative sample feature vector, To enforce the boundary value of the distance interval between positive and negative sample pairs, Performance can be tuned within the range of 0.1-0.5 based on the validation set; when generating triples, positive examples... Negative examples are sampled from a baseline sample or its nearest neighbors that share the same fraudulent pattern. Random sampling is performed from samples with different labels, with a semi-hard negative example mining strategy as the priority. Triple sampling and training are performed in batches, and the number of samples per batch is determined by the model training time. synchronous.

[0043] Cosine similarity calculation (for fraud pattern matching): Online identification module, real-time fraud feature vector. Compared with the benchmark fraud feature vector in the database similarity between The cosine of the angle between the two is calculated to obtain:

[0044] ;

[0045] in, This represents the vector dot product; its range is... The closer the value is to 1, the higher the similarity to the corresponding fraudulent pattern.

[0046] Benchmark Feature Aggregation (for Fraud Pattern Registration): In the registration module, to obtain stable and representative benchmark features for fraud pattern k, a set of effective feature vectors is obtained after candidate registration and outlier removal. By calculating the mean vector of this effective vector and performing L2 norm normalization, the final baseline feature vector stored in the database is obtained. :

[0047] ;

[0048] ;

[0049] in Fraudulent Model of The arithmetic mean vector of the registered feature vectors , This represents the L2 norm of a vector.

[0050] Furthermore, the MLP classification network uses a fully connected neural network structure pre-trained on structured data classification tasks as its backbone. Its top-level classifier is removed and replaced with a fully connected layer adapted for binary classification tasks to output the original prediction score. The backbone network is a three-layer fully connected structure, specifically configured as: input layer (256-dimensional, matching the dimension of the fused feature vector) → 256-dimensional hidden layer (ReLU activation) → 128-dimensional hidden layer (ReLU activation) → 1-dimensional output layer (Sigmoid activation). The network is trained using the Adam optimizer, with an initial learning rate set to... The learning rate can be to The model is optimized based on the performance of the validation set. The batch size is 256, the training epochs are 100, and the Early Stopping strategy is used to prevent overfitting. The monitoring metric is the validation set loss with patience=10. When the validation set loss does not decrease for 10 consecutive epochs, the model training is stopped and the optimal model parameters are saved.

[0051] Furthermore, the overall loss function used in the model training module For the triplet loss Compared with standard binary cross-entropy classification loss Weighted sum:

[0052] ;

[0053] in, To balance the weighting coefficients of the two losses, Optimize within the range based on the F1 score of the validation set; the binary cross-entropy loss The calculation formula is:

[0054]

[0055] in This refers to the number of samples within a batch. For the true labels of the samples, This represents the probability of fraud output by the model. After training, this model achieved an F1 score of 85.34%, precision of 82.17%, recall of 88.79%, and a false positive rate of [missing value] on the test set. The recognition performance, compared to the traditional Extra Trees baseline model (Extra Trees model with 100 trees, max_depth=20, and an F1 score of 81.94% on the test set), shows an improvement in F1 score. .

[0056] Furthermore, the fraud pattern matching and decision-making rules of the online fraud identification and risk alert module are as follows: calculate the real-time fraud feature vector. Compared with all benchmark fraud feature vectors in the database cosine similarity Set dynamic judgment threshold ,make The specific risk classification rules are as follows: Level 1 Risk Directly triggers communication rate limiting, level 2 risk. Push to risk control personnel for manual review, level three risk Marked as a priority and continuously monitored.

[0057] Furthermore, the determination threshold This is a dynamic threshold, the value of which is based on the fraud-related feature database. The intra-class average similarity and inter-class average similarity between all pairwise baseline feature vectors are dynamically calculated to eliminate the contradiction in the description of the default basic threshold. The specific calculation method is as follows: the calculation is updated periodically according to the natural month. The average intra-class similarity of feature vectors of all registered samples for each pattern And the average inter-class similarity between baseline feature vectors of different patterns. ; Calculate dynamic threshold ,in The average similarity within the category of fraud-related patterns. Average similarity between different fraud-related patterns; calculated and updated regularly on a calendar month basis. The average intra-class similarity of feature vectors of all registered samples for each pattern And the average inter-class similarity between baseline feature vectors of different patterns. When the number of fraudulent patterns in the database is updated or the intra-class / inter-class similarity fluctuates by more than ±0.05, the database will be recalculated and updated. The value, the result of dynamic threshold calculation is always limited to the value. Within a reasonable range.

[0058] Furthermore, in the data preprocessing steps shared by the fraud-related pattern registration module and the online fraud identification and risk alert module, all data undergoes privacy compliance processing by the operator's edge computing unit, including user identifier hashing, sensitive field desensitization, and unnecessary data removal. Feature extraction is completed without accessing user call content, and all preprocessing operations comply with relevant telecommunications data security regulations. Various types of data are processed according to a fixed chain, specifically:

[0059] Static attribute data (age, network duration, monthly spending, location, etc.): Deduplication → Missing value imputation (median for numerical data, mode for categorical data) → Outlier removal (0.5% truncation) → Z-score standardization → Frequency truncation of high-cardinality categorical features (location, phone model) (low-frequency) After merging into "other", learnable embedding encoding is performed. Binary features are encoded with 0 / 1, then L2 normalized (if used for triplet / metric calculation), and converted into a 64-dimensional fixed-length feature vector.

[0060] Dynamic behavioral data (daily average number of calls, number of roaming cities, call duration distribution, etc.): Deduplication → Missing value imputation (sliding window mean) → RobustScaling normalization (based on median and IQR, reducing the impact of outliers) → Sliding window statistics (window size is 24 hours, step size is 1 hour) → Embedding encoding after truncation of high cardinality category features → Min-Max normalization (mapped to [0,1]) → L2 normalization (if vector distance is compared) → Converted to 128-dimensional fixed-length feature vector;

[0061] Communication and social topology data (number of call nodes, degree centrality, clustering coefficient, etc.): Deduplication → Constructing a directed communication graph based on call details → Calculating topology indicators → Missing value imputation (global mean of the graph) → Min-Max normalization (mapping to [0,1]) → L2 normalization → Converting to a 64-dimensional fixed-length feature vector.

[0062] All preprocessed data are uniformly scaled to the fixed input size required by the feature extraction network, and all preprocessing operations are performed locally on the operator's edge computing unit without transmitting the original sensitive data to the risk control center platform.

[0063] Furthermore, the operator compliance data sources include the operator's real-name registration system, CRM database, core network communication detail logs, and terminal security logs. All data sources are connected through encrypted interfaces, and data transmission uses the national cryptographic SM4 encryption algorithm. The system also includes an operator edge computing unit and a risk control center platform. The operator edge computing unit is configured with an 8-core CPU and 16GB of memory to meet the hardware requirements for real-time data processing. The operator edge computing unit is responsible for real-time data collection, privacy compliance processing, preprocessing, and performing feature extraction and fusion calculations to obtain... Then, it is sent to the risk control center platform via an internal network dedicated line; the risk control center platform runs the fraud-related feature database. The matching engine performs matching calculations and identifies fraudulent patterns. The corresponding handling instructions are sent back to the operator's communication control system, and all data interactions are traceable.

[0064] Furthermore, it also includes:

[0065] Multi-source data acquisition and preprocessing module: includes operator encrypted data interface, data deduplication unit, missing value processing unit, outlier filtering unit, and privacy compliance processing sub-unit. It is used to simultaneously collect users' static attribute data, dynamic behavior data, and communication and social topology data, complete data cleaning, privacy desensitization and standardization processing, and output preprocessed data that meets the requirements of feature extraction.

[0066] Multi-dimensional feature extraction module: It has built-in static feature extraction unit, dynamic feature extraction unit, and communication and social topology feature extraction unit, which respectively perform the extraction and encoding operations of three-dimensional features and output the normalized feature vectors of each dimension. Each unit supports parallel computing to improve processing efficiency.

[0067] Feature selection and fusion module: Based on the feature importance evaluation mechanism fed back by the ExtraTrees model, supervised screening is performed on the initial high-dimensional feature space. After removing low-contribution features, the three-dimensional feature vectors are concatenated into a fused feature vector and output to the MLP classification module. The module has a built-in feature stability verification subunit to ensure the reliability of the feature selection results.

[0068] MLP classification module: Equipped with a trained and optimized three-layer fully connected neural network model, it receives fused feature vectors and outputs fraud probability values, while feeding back feature importance data to the feature selection and fusion module to achieve closed-loop optimization of the model and feature selection;

[0069] Risk classification and alarm module: Based on the fraud probability value output by the MLP classification module and the pattern matching result, it performs a three-level risk assessment, generates corresponding alarm information and handling instructions, and pushes them to the operator's risk control personnel's workbench and communication management system respectively. It also supports manual review of alarm results.

[0070] System closed-loop data bus: responsible for real-time data exchange, instruction transmission and status synchronization between the above modules, with a data transmission rate of ≥100Mbps. It also realizes the closed-loop feedback of manual review results and new samples of fraud-related patterns, used for incremental model updates and iteration of the fraud-related pattern library. The incremental model update cycle is once a week.

[0071] The fraud-related feature database management module is responsible for storing, updating, querying, and maintaining the baseline feature vectors of fraud-related patterns. It supports the addition, deletion, and modification of fraud-related patterns, and periodically calculates intra-class / inter-class similarity to support dynamic threshold updates. The database adopts a distributed storage architecture, which supports efficient retrieval of massive feature vectors.

[0072] It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. The terms "connection," "linked," etc., should be interpreted broadly, and may refer to a fixed connection, a detachable connection, or an integral connection; they may refer to a mechanical connection or an electrical connection; they may refer to a direct connection or an indirect connection through an intermediate medium. Those skilled in the art can understand the specific meaning of the above terms in this invention according to the specific circumstances.

[0073] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

[0074] Finally, it should be noted that the above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical solutions described in the foregoing embodiments or make equivalent substitutions for some of the technical features. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the protection scope of the present invention.

Claims

1. A multi-dimensional feature fusion-based MLP-based intelligent identification system for telecommunications fraud, characterized in that: The system includes modules for multi-source data acquisition and preprocessing, multi-dimensional feature extraction, feature selection and fusion, MLP classification, model training and optimization, fraud-related pattern registration, online fraud identification and risk alerting, risk classification alerting, a system closed-loop data bus, and a fraud-related feature database management module. The system integrates three core dimensions of user static attributes, dynamic behavior, and communication / social topology. It employs a three-layer fully connected MLP (Multilayer Perceptron) model to intelligently identify telecommunications fraud-related behaviors. Local data processing and feature extraction are performed through edge computing units, and fraud-related pattern matching and risk management are achieved through a risk control center platform. All modules interact and transmit commands in real-time through the system closed-loop data bus, enabling iterative optimization of the model and the fraud-related pattern database.

2. The MLP-based intelligent identification system for telecommunications fraud based on multi-dimensional feature fusion as described in claim 1, characterized in that, The model training and optimization module constructs a training dataset containing 10 known types of fraud and normal communication scenarios, with 100,000 static-dynamic-social topology data pairs for each scenario. The training dataset is divided into training, validation, and test sets in chronological order. SMOTE oversampling is used on the training set to adjust the positive-to-negative sample ratio. And fix the random seed to ensure the reproducibility of the experiment; End-to-end supervised training is performed on a three-layer MLP model, using... Cross-validation was used to verify the model's stability. The Adam optimizer was used for training, and an Early Stopping strategy was configured to prevent overfitting. The overall loss function for model training was a weighted sum of the triplet loss and the binary cross-entropy classification loss.

3. The MLP-based intelligent identification system for telecommunications fraud based on multi-dimensional feature fusion as described in claim 1, characterized in that, The fraud-related pattern registration module collects multi-dimensional registration samples for fraud-related communication patterns, and the number of samples meets the following requirements. ,like The number of samples is then expanded to 10 using a label propagation algorithm; the samples undergo preprocessing, feature extraction, and fusion to generate a feature vector set, which is then... Outlier vectors with a cosine similarity to the main cluster center below 0.5 are removed through clustering. The remaining valid vectors are then aggregated using an arithmetic mean. Normalization generates a baseline feature vector; the number of effective samples is not less than 5. The baseline feature vector, the intra-class average similarity and variance of the corresponding pattern are all associated with the fraud-related pattern identifier and stored in the fraud-related feature database for dynamic threshold calculation.

4. The MLP-based intelligent identification system for telecommunications fraud based on multi-dimensional feature fusion as described in claim 1, characterized in that, The online fraud identification and risk alert module collects multi-dimensional data of the user under test through an edge computing unit at a 5-second interval. A single edge computing unit supports concurrent processing of 1 million user data points per day, and the latency of feature extraction and fusion processing is less than [specified value]. ; Real-time fraud-related feature vectors are generated through preprocessing and feature fusion, based on the average intra-class similarity of fraud-related patterns. Average inter-class similarity between different fraud patterns According to the formula Calculate the dynamic judgment threshold ,and Based on the maximum cosine similarity between the real-time fraud-related feature vector and the baseline feature vector in the fraud-related feature database, a three-level risk classification and handling process is implemented, with the delay between the judgment result and the handling instruction being less than [a certain value]. .

5. The MLP-based intelligent identification system for telecommunications fraud based on multi-dimensional feature fusion as described in claim 1, characterized in that, The multi-dimensional feature extraction module converts static attribute data, dynamic behavior data, and communication / social topology data into 64-dimensional, 128-dimensional, and 64-dimensional feature vectors, respectively. The feature selection and fusion module filters features based on the Gini importance of the ExtraTrees classifier, retaining features whose Gini importance is not less than the Gini importance of all extracted features. Percentile characteristics, Cross-validation is used to verify feature stability. If removing a feature causes the MLP model's validation set to degrade, the result is that the MLP model's validation set will be affected. The value decrease is greater than Then restore that feature; Perform the following steps on the filtered feature vectors: Norm normalization, sequentially spliced ​​and merged into The combined fraud-related representation vectors are then output to the MLP classification module.

6. The MLP-based intelligent identification system for telecommunications fraud based on multi-dimensional feature fusion according to claim 2, characterized in that, The MLP model is a three-layer fully connected neural network, with the input layer being... Dimension, first hidden layer The dimension uses the ReLU activation function, and the second hidden layer The dimension uses the ReLU activation function, and the output layer The dimension uses the Sigmoid activation function; the boundary value of the triplet loss is... , can Interval based on MLP model validation set Value optimization was performed, and a semi-hard negative example mining strategy was adopted for sampling; the weighting coefficients of the overall loss function were adjusted. , can Interval by validation set Value tuning; initial model learning rate is , can to Range optimization, batch size is The maximum number of training rounds is .

7. The MLP-based intelligent identification system for telecommunications fraud based on multi-dimensional feature fusion according to claim 1, characterized in that, The multi-source data acquisition and preprocessing module performs privacy-compliant processing locally on the edge computing unit, including user identifier hashing, sensitive field desensitization, and unnecessary data removal, and does not acquire user call content during the entire data acquisition and preprocessing process; after deduplication, missing value imputation, outlier filtering, standardization, and encoding, various types of data are converted into fixed-dimensional feature vectors, wherein static data is standardized using Z-score, dynamic data is normalized using RobustScaling, and social topology data is normalized using Min-Max, and all preprocessing operations comply with relevant telecommunications data security specifications.

8. The MLP-based intelligent identification system for telecommunications fraud based on multi-dimensional feature fusion according to claim 1, characterized in that, The system hardware architecture includes an operator edge computing unit and a risk control center platform. A single edge computing unit is configured with an 8-core CPU and 16GB of memory, and is responsible for data collection, privacy processing, preprocessing, and feature extraction and fusion. The risk control center platform operates a fraud-related feature database and matching engine, responsible for pattern matching and risk management. Operator-compliant data sources connect to the system via encrypted interfaces, and data transmission uses the national standard SM4 encryption algorithm. All data interactions between system modules and between the edge computing unit and the risk control center platform are traceable and auditable. The system's closed-loop data bus maintains a transmission rate of at least [missing information] during data interactions between modules. It enables closed-loop feedback of manual review results and new samples, with the model incrementally updating weekly based on this closed-loop data. The fraud-related feature database adopts a distributed storage architecture, updating the average similarity within and between classes monthly. When the fluctuation of these two values ​​exceeds [a certain threshold], [further updates will be made]. The dynamic threshold is recalculated at any time.