A transaction risk prediction method based on a graph neural network
By constructing a target behavior evolution graph and using graph neural networks for feature propagation calculation, abnormal behaviors in the trading process are identified, solving the problems of lag and misjudgment in the identification of complex dynamic trading behaviors in existing technologies, and realizing efficient identification and prediction of trading risks.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- ZHONGXING TECHNOLOGY (FUZHOU) CO LTD
- Filing Date
- 2026-05-09
- Publication Date
- 2026-07-14
AI Technical Summary
Existing technologies struggle to accurately represent the continuous changes in complex and dynamic transaction behaviors, such as device switching, sudden changes in network environment, modification of sensitive information, and rapid fund transfers. This results in delayed identification, high misjudgment rate, and insufficient predictive ability.
By constructing a target behavior evolution graph, a graph neural network is used to perform feature propagation calculations on the evolutionary transfer relationships between dynamic behavior segments, identify abnormal behavior jump nodes, and generate risk prediction results by combining abnormal evolution links and avoidance action sequences.
It improves the accuracy and foresight in identifying transaction risks, enabling early detection of evasive behaviors by abnormal entities and enhancing the proactive defense capabilities of the transaction risk control system.
Smart Images

Figure CN122155730B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of financial risk identification technology, and in particular to a method for predicting transaction risk based on graph neural networks. Background Technology
[0002] With the rapid development of internet payment, mobile payment, digital banking, and online financial services, the number of transaction requests continues to grow, and transaction scenarios are becoming increasingly complex. Transaction entities can initiate fund operations through various channels such as mobile terminals, web terminals, self-service devices, and third-party interfaces. While transaction convenience continues to improve, risk behaviors such as account theft, device spoofing, proxy network login, abnormal transfers, and automated attacks are also showing a trend towards concealment, continuity, and intelligence, posing higher requirements for transaction security management.
[0003] While some existing technologies incorporate graph models or correlation analysis techniques to identify relationship networks between accounts or transaction propagation chains, most still focus on account relationships and fund flow relationships, lacking fine-grained modeling of dynamic behavioral segments during transactions. They cannot accurately represent the continuous changes over time in behaviors such as device switching, sudden network environment changes, modification of sensitive information, test transactions, and rapid fund transfers. Therefore, for avoidance-oriented abnormal behaviors occurring consecutively within a short period, existing methods still suffer from identification lag, high false positive rates, and insufficient predictive ability. Summary of the Invention
[0004] Therefore, there is a need to provide a trading risk prediction method based on graph neural networks, which can improve the accuracy of identifying abnormal evolution processes and potential avoidance behaviors in complex dynamic trading behaviors and enhance risk prediction capabilities.
[0005] To achieve the above objectives, the inventors provide a transaction risk prediction method based on graph neural networks, comprising the following steps:
[0006] Obtain multiple dynamic behavior fragments corresponding to the target transaction request; construct a target behavior evolution graph based on the dynamic behavior fragments, where nodes in the target behavior evolution graph are used to represent the dynamic behavior fragments, and edges are used to represent the evolutionary transition relationships between adjacent dynamic behavior fragments;
[0007] The target behavior evolution graph is input into a graph neural network model, and feature propagation calculation is performed on each node to obtain the behavior embedding features corresponding to each dynamic behavior segment, and to generate the real-time risk representation result corresponding to the target transaction request.
[0008] Based on the real-time risk characterization results, identify the abnormal behavior transition nodes in the target behavior evolution graph and determine the abnormal evolution links associated with the abnormal behavior transition nodes.
[0009] The abnormal evolution chain is matched with a preset avoidance pattern library to predict the target subject's avoidance action sequence within a subsequent preset time window;
[0010] Based on the real-time risk characterization results, the abnormal evolution chain, and the avoidance action sequence, a risk prediction result corresponding to the target transaction request is generated.
[0011] Unlike existing technologies, the above technical solution has the following advantages: It provides a transaction risk prediction method based on graph neural networks. By constructing multiple dynamic behavioral segments corresponding to a target transaction request into a target behavior evolution graph, and using graph neural networks to perform feature propagation calculations on the evolutionary transfer relationships between dynamic behavioral segments, it can overcome the limitations of traditional risk identification based solely on single transaction parameters or static account attributes. It enables joint analysis of the contextual relationships of transaction behavior, the behavioral evolution process, and potential avoidance paths, thereby improving the accuracy and foresight of transaction risk identification. At the same time, by combining abnormal evolution links and avoidance action sequences to generate risk prediction results, it can identify the avoidance behaviors that abnormal entities may take in advance, enhancing the proactive defense capabilities of the transaction risk control system. Attached Figure Description
[0012] Figure 1 This is a flowchart of a transaction risk prediction method based on graph neural networks in this embodiment. Detailed Implementation
[0013] To illustrate the possible application scenarios, technical principles, implementable specific solutions, and achievable objectives and effects of this application in detail, the following description, in conjunction with the listed specific embodiments and accompanying drawings, provides a detailed explanation. The embodiments described herein are merely illustrative of the technical solutions of this application and are therefore intended to limit the scope of protection of this application.
[0014] In this document, the term "embodiment" means that a specific feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of this application. The term "embodiment" appearing in various places throughout the specification does not necessarily refer to the same embodiment, nor does it specifically limit its independence or connection with other embodiments. In principle, in this application, as long as there are no technical contradictions or conflicts, the technical features mentioned in each embodiment can be combined in any way to form corresponding implementable technical solutions.
[0015] Unless otherwise defined, the technical terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application pertains; the use of related terms herein is merely for the purpose of describing particular embodiments and is not intended to limit this application.
[0016] In the description of this application, the term "and / or" is used to describe the logical relationship between objects, indicating that three relationships can exist. For example, A and / or B means: A exists, B exists, and A and B exist simultaneously. Additionally, the character " / " in this document generally indicates that the preceding and following objects have an "or" logical relationship.
[0017] In this application, terms such as “first” and “second” are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual quantity, hierarchy or order relationship between these entities or operations.
[0018] Without further limitations, the use of terms such as “comprising,” “including,” “having,” or other similar open-ended expressions in this application is intended to cover non-exclusive inclusion, which does not exclude the presence of additional elements in a process, method, or product that includes the stated elements, such that a process, method, or product that includes a list of elements may include not only those defined elements but also other elements not expressly listed, or elements inherent to such a process, method, or product.
[0019] In this application, expressions such as "greater than", "less than", and "exceeding" are understood to exclude the stated number; expressions such as "above", "below", and "within" are understood to include the stated number. Furthermore, in the description of the embodiments of this application, "multiple" means two or more (including two), and similar expressions related to "multiple" are also understood in this way, such as "multiple groups" and "multiple times", unless otherwise explicitly specified.
[0020] Please refer to Figure 1 A transaction risk prediction method based on graph neural networks includes the following steps:
[0021] S1. Obtain multiple dynamic behavior segments corresponding to the target transaction request; construct a target behavior evolution graph based on the dynamic behavior segments, wherein the nodes in the target behavior evolution graph are used to represent the dynamic behavior segments, and the edges are used to represent the evolutionary transition relationship between adjacent dynamic behavior segments;
[0022] S2. Input the target behavior evolution graph into a graph neural network model, perform feature propagation calculation on each node, obtain the behavior embedding features corresponding to each dynamic behavior segment, and generate the real-time risk representation result corresponding to the target transaction request.
[0023] S3. Identify the abnormal behavior jump nodes in the target behavior evolution graph based on the real-time risk characterization results, and determine the abnormal evolution links associated with the abnormal behavior jump nodes.
[0024] S4. Match the abnormal evolution link with the preset avoidance pattern library to predict the target subject's avoidance action sequence in the subsequent preset time window.
[0025] S5. Based on the real-time risk characterization results, the abnormal evolution chain, and the avoidance action sequence, generate the risk prediction results corresponding to the target transaction request.
[0026] As described above, by constructing multiple dynamic behavioral fragments corresponding to a target transaction request into a target behavior evolution graph, and using graph neural networks to perform feature propagation calculations on the evolutionary transfer relationships between dynamic behavioral fragments, it is possible to overcome the limitations of traditional risk identification based solely on single transaction parameters or static account attributes. This enables joint analysis of the contextual relationships of transaction behavior, the behavioral evolution process, and potential avoidance paths, thereby improving the accuracy and foresight of transaction risk identification. Simultaneously, by combining abnormal evolutionary links and avoidance action sequences to generate risk prediction results, it is possible to identify the avoidance behaviors that abnormal entities may subsequently take in advance, enhancing the proactive defense capabilities of the transaction risk control system.
[0027] In some implementations, constructing the target behavior evolution graph based on the dynamic behavior fragments includes:
[0028] Extract the device state switching relationship and network environment change relationship between each dynamic behavior segment, and establish the edge based on the device state switching relationship and network environment change relationship between adjacent dynamic behavior segments.
[0029] As described above, by extracting the device state switching relationship and network environment change relationship between each dynamic behavior segment to establish the edges in the behavior evolution graph, the behavior evolution graph can not only reflect the transaction operation sequence, but also reflect high-risk environmental change factors such as device replacement and network switching. This enhances the ability to identify abnormal behaviors such as remote login, device spoofing, and proxy network switching, and improves the accuracy of the behavior graph structure in depicting real risk scenarios.
[0030] In some implementations, establishing the edge based on the device state switching relationship and network environment change relationship between adjacent dynamic behavior segments includes:
[0031] For the aforementioned dynamic behavior segment and the latter dynamic behavior segment, obtain the corresponding device identification information, device operating parameters, and network access parameters;
[0032] If the time interval between the first dynamic behavior segment and the second dynamic behavior segment is less than a preset duration, determine whether there is a device switching or a sudden change in the network environment between them.
[0033] The device switching includes at least one of the following: device identification change, device fingerprint change, or device operating parameter change reaching a preset range; the network environment change includes at least one of the following: network address change, access method change, or geographical location change reaching a preset range.
[0034] When it is determined that there is a device switching or a sudden change in the network environment, an abnormal transfer edge is established between the previous dynamic behavior segment and the next dynamic behavior segment, and the edge weight of the abnormal transfer edge is increased to the corresponding preset risk weight.
[0035] When it is determined that there is no device switching and no network environment change, a normal transition edge is established between the previous dynamic behavior segment and the next dynamic behavior segment, and the edge weight of the normal transition edge is set to the corresponding basic weight.
[0036] In existing technologies, information such as changes in device identification, network address, or geographical location is typically used as common input features in account risk identification, and is input into the model along with features such as transaction amount, transaction time, and account status for risk scoring. However, this approach can only reflect whether there are anomalies in a single behavioral segment, and it is difficult to express the abnormal transfer relationships formed by device switching or sudden changes in network environment that occur in a short period of time between previous and subsequent dynamic behavioral segments. As a result, graph neural networks cannot focus on such high-risk jump paths during feature propagation, which can easily lead to lag or missed detection of avoidance-type transaction behaviors.
[0037] To address this issue, this application first determines whether device switching or network environment mutation occurs between adjacent dynamic behavior segments within a preset time period when constructing the target behavior evolution graph. Based on the determination result, abnormal transfer edges and normal transfer edges are established. At the same time, abnormal transfer edges are assigned higher edge weights than normal transfer edges, so that the abnormal continuity relationship between device spoofing, network jump and subsequent transaction initiation can be explicitly strengthened in the graph structure, thereby improving the graph neural network's ability to identify short-term avoidance transaction risk links.
[0038] As described above, by determining device switching or network environment mutations when the time interval between adjacent dynamic behavior segments is less than a preset duration, and distinguishing between abnormal and normal transfer edges, and assigning different edge weights, abnormal switching behavior in a short period of time can be directly mapped to high-risk graph connection relationships. This allows the graph neural network to focus on high-risk behavior jump paths during subsequent propagation, thereby improving the efficiency and accuracy of identifying fraudulent entities' rapid device switching and disguised network environments.
[0039] In some implementations, inputting the target behavior evolution graph into a graph neural network model and performing feature propagation calculations on each node includes:
[0040] The behavioral features of adjacent nodes are aggregated based on the weights of the abnormal and normal transition edges between nodes to generate adjacency aggregate features. Multiple rounds of iterative updates are then performed in conjunction with the node's own features to generate behavioral embedding features corresponding to each dynamic behavioral segment.
[0041] As can be seen from the above description, by aggregating the behavioral features of adjacent nodes based on the weights of abnormal and normal transition edges, and performing multiple rounds of iterative updates in combination with the node’s own features, it is possible to generate more comprehensive behavioral embedding features by utilizing both local adjacency behavioral information and the node’s own behavioral information. This enables the model to capture abnormal propagation paths while retaining the features of the current behavioral segment itself, thereby improving the stability and accuracy of the transaction risk representation results.
[0042] In some implementations, the behavioral features of adjacent nodes are aggregated based on the weights of the abnormal and normal transition edges between nodes, including:
[0043] Extract the features of adjacent nodes corresponding to normal transition edges and abnormal transition edges that are connected to the target node, respectively.
[0044] The adjacency node features corresponding to the normal transition edge are subjected to a first aggregation process to generate a first aggregated feature, and the adjacency node features corresponding to the abnormal transition edge are subjected to a second aggregation process to generate a second aggregated feature; the edge weight corresponding to the second aggregation process is higher than the edge weight corresponding to the first aggregation process.
[0045] The first aggregated feature and the second aggregated feature are fused to generate the adjacency aggregated feature of the target node, and the adjacency aggregated feature is used as the input feature for node iterative update.
[0046] In existing technologies, when graph neural networks propagate features from transaction behavior graphs, all neighboring nodes of the target node are typically aggregated according to a uniform rule. This fails to distinguish the risk differences between normal and abnormal behavior transition paths, resulting in the average dilution of abnormal path information such as device switching, network mutations, and immediate transactions after sensitive operations within a large number of normal behavior connections. Furthermore, it easily leads to the over-amplification of individual abnormal nodes while neglecting normal behavior context information, resulting in insufficient ability to identify covert abnormal transactions and a high false positive rate. To address this issue, this application distinguishes neighboring nodes connected to the target node into nodes corresponding to normal transition edges and nodes corresponding to abnormal transition edges, and performs first and second aggregation processes respectively, increasing the aggregation weight corresponding to abnormal transition edges. The two aggregation results are then fused and used as input features for iterative node updates. This approach retains the background of normal behavior evolution while strengthening the influence of abnormal behavior propagation links, solving the technical problems of graph neural networks in transaction risk prediction where abnormal path signals are easily diluted, normal background information is insufficiently utilized, and covert combined fraud behavior is difficult to identify.
[0047] By performing differentiated aggregation processing on the adjacent node features corresponding to normal transfer edges and the adjacent node features corresponding to abnormal transfer edges, and increasing the aggregation weight of abnormal transfer edges, the model can focus on strengthening abnormal path information during feature propagation while retaining normal behavior background information. This improves the ability to identify hidden abnormal transaction behaviors and reduces the risk of misjudgment caused by relying solely on abnormal features.
[0048] In some implementations, a second aggregation process is performed on the features of the adjacent nodes corresponding to the abnormal transfer edge to generate a second aggregated feature, including:
[0049] The adjacent node features are arranged according to the occurrence time sequence of the dynamic behavior segments corresponding to each abnormal transition edge;
[0050] Increase the weighting coefficient of the features of the preset number of neighboring nodes closest to the time of the target transaction request;
[0051] The features of each adjacent node after adjusting the weighting coefficients are weighted and summed to generate the second aggregated feature.
[0052] As can be seen from the above description, by arranging the features of adjacent nodes in the order of occurrence of the dynamic behavior segments corresponding to the abnormal transfer edges, and increasing the weighting coefficient of the feature of the node closest to the target transaction request time, the model can focus on abnormal behavior changes that occur close to the current transaction time, thereby more accurately identifying immediate risk behaviors such as temporary device switching, sudden network changes, and rapid fund transfers, and improving the real-time performance and sensitivity of risk prediction.
[0053] Specifically, in the embodiment, performing a second aggregation process on the features of the adjacent nodes corresponding to the abnormal transfer edge and generating a second aggregated feature can be implemented in the following manner.
[0054] Suppose the system constructs a target behavior evolution graph for a specific transaction request and identifies the dynamic behavior segment corresponding to the current initiation of a transfer operation as the target node V0. Before the target node V0, the system identifies several upstream dynamic behavior segments that have abnormal transfer edge connections with it, namely:
[0055] Node V1: A remote device logged in 12 minutes ago;
[0056] Node V2: A network proxy switch occurred 8 minutes ago;
[0057] Node V3: A change of receiving account occurred 3 minutes ago;
[0058] Node V4: A small test transfer occurred 1 minute ago.
[0059] The abnormal transfer edges between nodes V1 to V4 and the target node V0 indicate that these behaviors have a high risk correlation with the current transaction request.
[0060] In some implementations, the system first arranges the features of adjacent nodes corresponding to nodes V1 to V4 according to the occurrence time sequence of the dynamic behavior segments corresponding to each abnormal transition edge, forming a time series queue, i.e.:
[0061] V1 → V2 → V3 → V4 → V0
[0062] The system then selects a preset number of nodes that are closest to the time of the target transaction request. For example, if the preset number is set to 2, then the most recent nodes V3 and V4 are selected, corresponding to:
[0063] Node V3: Modified the receiving account 3 minutes ago;
[0064] Node V4: Tested a transfer 1 minute ago.
[0065] The system increases the weighting coefficients of the features of the adjacent nodes corresponding to nodes V3 and V4, while nodes V1 and V2 maintain their basic weights.
[0066] For example:
[0067] The basic weight of node V1 is 1;
[0068] The base weight of node V2 is 1;
[0069] Node V3's weight is increased to 3;
[0070] Node V4's weight is increased to 4.
[0071] Based on this, a weighted aggregation is performed on the features of each adjacent node to generate a second aggregated feature, which is then input into the graph neural network for feature update of the target node V0.
[0072] In this way, the system allows the model to focus on key anomalous actions occurring close to the current transaction time, rather than treating all historical anomalous behaviors equally. In other words, for the current large transfer request:
[0073] While login activity from a different location 12 minutes ago has some reference value, its timeliness is weak; test transfer activity 1 minute ago is often more likely to be a probing action before a formal fraudulent transfer, and therefore should have a higher risk contribution.
[0074] In another embodiment, if the target transaction request is an online credit card payment request, its abnormal adjacent nodes include:
[0075] Node A: Replaced commonly used equipment 15 minutes ago;
[0076] Node B: Switched network address 5 minutes ago;
[0077] Node C: Entered verification codes multiple times in a row 2 minutes ago;
[0078] Node D: Modified delivery address 30 seconds ago.
[0079] The system can use nodes C and D as a preset number of nodes closest to the current transaction, increase their weighting coefficients, and enable the graph neural network to focus on learning the continuous risk chain of abnormal CAPTCHA input, temporary change of delivery address, and immediate payment.
[0080] This implementation method can effectively identify the following immediate risk scenarios:
[0081] Payments are made immediately after changing devices within a short period of time; withdrawals are made immediately after switching networks within a short period of time; transfers are made immediately after modifying account information within a short period of time; and large transactions are initiated immediately after testing transactions within a short period of time.
[0082] By assigning higher propagation weights to recently abnormal nodes, the graph neural network acquires the ability to reinforce recency during the feature propagation stage, thereby significantly improving the accuracy and response speed in identifying real-time transaction risk behaviors such as temporary device switching, sudden network changes, and rapid fund transfers.
[0083] In some implementations, determining the anomalous evolution link associated with the anomalous behavior transition node includes:
[0084] Starting from the abnormal behavior jump node, reverse tracing and forward expansion are performed along the edges of the target behavior evolution graph to generate the corresponding abnormal propagation path, and the abnormal propagation path is determined as the abnormal evolution link.
[0085] As can be seen from the above description, by taking the abnormal behavior jump node as the starting point and performing reverse tracing and forward expansion along the target behavior evolution graph, an abnormal propagation path and an abnormal evolution link can be generated. This allows for expansion from a single abnormal node to the complete upstream and downstream chain of abnormal behavior, enabling the tracking of abnormal causes and the identification of subsequent diffusion effects, thereby improving the ability to locate risk events and track abnormal behavior.
[0086] In some implementations, performing backward tracing and forward expansion along the edges of the target behavior evolution graph includes:
[0087] From the abnormal behavior jump node, trace back a preset number of upstream nodes along the incoming edge direction to determine the abnormal triggering path;
[0088] The abnormal behavior jump node expands downstream nodes at a predetermined number of levels along the outgoing edge direction to determine the abnormal propagation path.
[0089] As can be seen from the above description, by tracing upstream nodes step by step along the incoming edge to determine the path of anomaly induction, and by extending downstream nodes step by step along the outgoing edge to determine the path of anomaly diffusion, the formation process and diffusion process of abnormal behavior can be separated and analyzed. This allows for a more accurate distinction between the source behavior of risk and subsequent chain behaviors, facilitating the system to take targeted risk control measures and improve the efficiency of risk control and disposal.
[0090] Specifically, in this embodiment, the step of tracing upstream nodes at a predetermined number of levels along the incoming edge direction from the abnormal behavior transition node to determine the abnormal triggering path includes:
[0091] Obtain the upstream nodes corresponding to each incoming edge connected to the abnormal behavior jump node;
[0092] Sort according to the edge weight, occurrence time interval, and node anomaly level of each incoming edge;
[0093] Prioritize selecting upstream nodes whose sorting results are within the first preset number as the current level traceability nodes;
[0094] The upstream tracing continues with the current level tracing node as the new target node until the preset number of levels is reached, or the tracing reaches at least one of the initial login behavior node, device change behavior node, or account information modification behavior node. At this point, the tracing stops, and the tracing result is determined as the abnormal triggering path.
[0095] As can be seen from the above description, by introducing a joint screening mechanism of edge weight, time interval and node anomaly level in the reverse tracing process, it is possible to prioritize the upstream behavior nodes with the highest correlation to abnormal jump behavior, avoid indiscriminately backtracking a large number of low-value nodes in complex behavior graphs, and thus improve the accuracy and efficiency of risk source location.
[0096] And, the step-by-step expansion of a predetermined number of downstream nodes from the abnormal behavior jump node along the outgoing edge direction to determine the abnormal propagation path includes:
[0097] Obtain the downstream nodes corresponding to each outgoing edge connected to the abnormal behavior jump node;
[0098] Identify the behavior type of each downstream node's corresponding dynamic behavior segment;
[0099] Select downstream nodes corresponding to at least one of the following behaviors as key expansion nodes: device switching behavior, network environment change behavior, sudden increase in transaction amount behavior, continuous high-frequency transaction behavior, or change of account payee behavior.
[0100] The downstream expansion is preferentially continued along the key expansion nodes until the preset number of levels is reached, or when at least one of the following nodes appears: transaction interception node, identity verification node, or transaction termination node, the expansion stops and the expansion result is determined as the abnormal diffusion path.
[0101] As can be seen from the above description, by prioritizing key expansion nodes with high-risk behavioral characteristics during the forward expansion process, it is possible to quickly identify the chain operation paths that may be triggered by abnormal behavior and improve the ability to predict the trend of risk diffusion.
[0102] After determining the abnormal induction path and the abnormal propagation path, the method further includes:
[0103] Calculate the source contribution value of the anomaly induction path and the diffusion impact value of the anomaly diffusion path;
[0104] When the source contribution value is higher than a preset threshold, the node corresponding to the abnormal induction path is marked as a priority handling node;
[0105] When the diffusion impact value is higher than a preset threshold, the node corresponding to the abnormal diffusion path is marked as a priority interception node.
[0106] As can be seen from the above description, by quantifying and evaluating the abnormal induction path and the abnormal spread path respectively, and generating differentiated handling marks, the system can implement measures such as account verification and permission restriction for the risk source node, and implement measures such as transaction interception and limit control for the risk spread node, thereby improving the accuracy and efficiency of transaction risk control and handling.
[0107] In some implementations, matching the anomaly evolution link with a preset avoidance pattern library includes:
[0108] The device switching behavior, network environment change behavior, and transaction operation behavior in the abnormal evolution link are extracted to form a multi-channel behavior sequence;
[0109] Extract each avoidance template from the preset avoidance pattern library and divide them into equipment avoidance channels, environment avoidance channels and transaction avoidance channels;
[0110] When at least two channels in the multi-channel behavior sequence have a similarity to the corresponding channel of the same avoidance template that is higher than a preset threshold, the avoidance template is determined to be a collaborative avoidance template, and the avoidance action sequence is generated based on the collaborative avoidance template.
[0111] As described above, by forming a multi-channel behavior sequence from device switching behavior, network environment change behavior, and transaction operation behavior in the abnormal evolution link, and co-matching it with multi-channel evasion templates in the evasion pattern library, it is possible to identify complex evasion strategies implemented by abnormal subjects across devices, networks, and operation dimensions, thereby improving the predictive ability for advanced fraudulent behavior and combined evasion behavior.
[0112] In some implementations, generating a risk prediction result corresponding to the target transaction request based on the real-time risk characterization result, the anomaly evolution chain, and the avoidance action sequence includes:
[0113] A weighted fusion model is used to fuse the real-time risk characterization results, the link risk value of the abnormal evolution link, and the avoidance probability value of the avoidance action sequence to generate the comprehensive risk level corresponding to the target transaction request.
[0114] As described above, by employing a weighted fusion model to integrate and calculate the real-time risk characterization results, the link risk value of the abnormal evolution chain, and the avoidance probability value of the avoidance action sequence, a comprehensive risk level can be generated. This allows for a unified quantitative assessment of the current risk status, the risk of behavioral propagation, and the risk of future avoidance, thereby improving the comprehensiveness and reliability of risk prediction results and providing a more accurate basis for graded handling in the trading system.
[0115] In some implementations, determining the abnormal propagation path further includes:
[0116] Downstream nodes that correspond to device switching behavior, network environment changes, or sudden increases in transaction amount are selected as key expansion nodes.
[0117] As described above, by prioritizing downstream nodes corresponding to high-risk characteristics such as device switching, network environment changes, and sudden increases in transaction amounts during the abnormal diffusion path identification process, it is possible to quickly identify key nodes that are more likely to trigger risk diffusion from a large number of subsequent behavioral nodes, avoiding ineffective expansion of low-value normal nodes and improving the efficiency of abnormal diffusion path identification. At the same time, it is beneficial to promptly detect the behavior of fraudulent entities that escalate risks by changing devices, switching network environments, or increasing transaction amounts in a short period of time, thereby enhancing the real-time nature and pertinence of transaction risk prediction.
[0118] In some implementations, determining the abnormal propagation path as an abnormal evolution link includes:
[0119] Calculate the path risk value, path continuity value, and path anomaly density value for the anomaly induction path and the anomaly propagation path, respectively; when the path risk value, the path continuity value, and the path anomaly density value all meet the corresponding thresholds, the anomaly propagation path is determined as an anomaly evolution link.
[0120] As described above, by comprehensively judging the abnormal propagation path from three dimensions—risk intensity, behavioral continuity, and the concentration of abnormal nodes—misjudgments caused by relying on a single abnormal indicator can be avoided, thus improving the accuracy and stability of identifying abnormal evolution links. Among them, the path risk value is used to measure the overall risk level, the path continuity value is used to reflect whether the abnormal behavior has continuous evolutionary characteristics, and the path anomaly density value is used to reflect the degree of aggregation of abnormal nodes in the path. Therefore, it can more realistically identify risk behavior links with continuous attack intentions and diffusion trends, providing a reliable basis for subsequent transaction interception or hierarchical control.
[0121] In some implementations, a risk prediction result corresponding to the target transaction request is generated based on the real-time risk characterization result, the anomaly evolution chain, and the avoidance action sequence, including:
[0122] First, obtain the real-time risk representation result output by the graph neural network. The real-time risk representation result may include the node risk vector corresponding to the current transaction request, the graph-level risk vector, and the basic risk score. Let the basic risk score output by the graph neural network be... ,in ∈[0,1], the larger the value, the higher the risk of the current transaction.
[0123] Secondly, link risk quantification is performed on the abnormal evolution link. The abnormal evolution link consists of anomaly induction paths and anomaly propagation paths, and the number of abnormal nodes, the total weight of abnormal edges, the path length, and the number of consecutive abnormal jumps can be extracted from the link. Let the link risk value be... It can be calculated using the following formula:
[0124]
[0125] in, Indicates the number of abnormal nodes;
[0126] Indicates the total number of nodes in the link;
[0127] This represents the sum of the weights of the abnormal transition edges;
[0128] This represents the sum of the total edge weights of the link;
[0129] Indicates the number of consecutive abnormal jumps;
[0130] This indicates the preset maximum number of consecutive transitions;
[0131] , , These are the weighting coefficients. .
[0132] The above methods can reflect the overall risk level of abnormal links.
[0133] Then, the future risk of the avoidance action sequence is quantified. The avoidance action sequence is a set of actions that the target entity may subsequently perform, obtained by matching a preset avoidance pattern library, such as switching devices, switching networks, splitting transactions, and delaying operations. Let the avoidance action sequence contain m actions, and the probability of each action occurring be... The corresponding risk coefficient is Then avoid risk value It can be calculated using the following formula:
[0134]
[0135] in, This represents the predicted probability of the i-th evasion action;
[0136] This represents the risk impact coefficient corresponding to the i-th avoidance action.
[0137] For example, the risk factor for switching devices can be set to 0.7, the risk factor for splitting multiple transactions in a short period of time can be set to 0.9, and the risk factor for switching network addresses can be set to 0.6.
[0138] Furthermore, the real-time risk characterization results, link risk values, and avoidance risk values are fused together to generate a comprehensive risk score. :
[0139]
[0140] in, , and For fusion weighting coefficients;
[0141] In one embodiment, it can be set that:
[0142]
[0143] This means prioritizing current real-time risks while also considering risks associated with abnormal links and future risk mitigation.
[0144] Finally, based on the comprehensive risk score Output the risk prediction results. For example:
[0145] when When the value is less than 0.35, it is considered a low-risk transaction;
[0146] When 0.35≤R<0.65, it is judged as a medium-risk transaction, and SMS verification or secondary verification is triggered.
[0147] When R ≥ 0.65, the transaction is identified as high-risk and triggers limits, delayed confirmation, or transaction blocking.
[0148] Finally, it should be noted that although the above embodiments have been described in the text and drawings of this application, this should not limit the scope of patent protection of this application. Any technical solutions that are based on the essential concept of this application and utilize the content described in the text and drawings of this application, resulting in equivalent structural or procedural substitutions or modifications, as well as the direct or indirect application of the technical solutions of the above embodiments to other related technical fields, are all included within the scope of patent protection of this application.
Claims
1. A method for predicting transaction risk based on graph neural networks, characterized in that, Including the following steps: Obtain multiple dynamic behavior fragments corresponding to the target transaction request; construct a target behavior evolution graph based on the dynamic behavior fragments, where nodes in the target behavior evolution graph are used to represent the dynamic behavior fragments, and edges are used to represent the evolutionary transition relationships between adjacent dynamic behavior fragments; The step of constructing the target behavior evolution graph based on the dynamic behavior fragments includes: Extract the device state switching relationship and network environment change relationship between each dynamic behavior segment, and establish the edge based on the device state switching relationship and network environment change relationship between adjacent dynamic behavior segments; The process of establishing the edge based on the device state switching relationship and network environment change relationship between adjacent dynamic behavior segments includes: For the aforementioned dynamic behavior segment and the latter dynamic behavior segment, obtain the corresponding device identification information, device operating parameters, and network access parameters; If the time interval between the first dynamic behavior segment and the second dynamic behavior segment is less than a preset duration, determine whether there is a device switching or a sudden change in the network environment between them. The device switching includes at least one of the following: device identification change, device fingerprint change, or device operating parameter change reaching a preset range; the network environment change includes at least one of the following: network address change, access method change, or geographical location change reaching a preset range. When it is determined that there is a device switching or a sudden change in the network environment, an abnormal transfer edge is established between the previous dynamic behavior segment and the next dynamic behavior segment, and the edge weight of the abnormal transfer edge is increased to the corresponding preset risk weight. When it is determined that there is no device switching and no network environment change, a normal transition edge is established between the previous dynamic behavior segment and the next dynamic behavior segment, and the edge weight of the normal transition edge is set to the corresponding basic weight. The target behavior evolution graph is input into a graph neural network model, and feature propagation calculation is performed on each node to obtain the behavior embedding features corresponding to each dynamic behavior segment, and to generate the real-time risk representation result corresponding to the target transaction request. Based on the real-time risk characterization results, identify the abnormal behavior transition nodes in the target behavior evolution graph and determine the abnormal evolution links associated with the abnormal behavior transition nodes. The abnormal evolution chain is matched with a preset avoidance pattern library to predict the target subject's avoidance action sequence within a subsequent preset time window; The step of matching the abnormal evolution link with a preset avoidance pattern library includes: The device switching behavior, network environment change behavior, and transaction operation behavior in the abnormal evolution link are extracted to form a multi-channel behavior sequence; Extract each avoidance template from the preset avoidance pattern library and divide them into equipment avoidance channels, environment avoidance channels and transaction avoidance channels; When the similarity between at least two channels in the multi-channel behavior sequence and the corresponding channel of the same avoidance template is higher than a preset threshold, the avoidance template is determined to be a collaborative avoidance template, and the avoidance action sequence is generated based on the collaborative avoidance template. Based on the real-time risk characterization results, the abnormal evolution chain, and the avoidance action sequence, a risk prediction result corresponding to the target transaction request is generated.
2. The transaction risk prediction method based on graph neural networks according to claim 1, characterized in that, The step of inputting the target behavior evolution graph into a graph neural network model and performing feature propagation calculations on each node includes: The behavioral features of adjacent nodes are aggregated based on the weights of the abnormal and normal transition edges between nodes to generate adjacency aggregate features. Multiple rounds of iterative updates are then performed in conjunction with the node's own features to generate behavioral embedding features corresponding to each dynamic behavioral segment.
3. The transaction risk prediction method based on graph neural networks according to claim 2, characterized in that, Aggregating the behavioral features of adjacent nodes based on the weights of the abnormal and normal transition edges between nodes includes: Extract the features of adjacent nodes corresponding to normal transition edges and abnormal transition edges that are connected to the target node, respectively. The adjacency node features corresponding to the normal transition edge are subjected to a first aggregation process to generate a first aggregated feature, and the adjacency node features corresponding to the abnormal transition edge are subjected to a second aggregation process to generate a second aggregated feature; the edge weight corresponding to the second aggregation process is higher than the edge weight corresponding to the first aggregation process. The first aggregated feature and the second aggregated feature are fused to generate the adjacency aggregated feature of the target node, and the adjacency aggregated feature is used as the input feature for node iterative update.
4. The transaction risk prediction method based on graph neural networks according to claim 3, characterized in that, Perform a second aggregation process on the features of the adjacent nodes corresponding to the abnormal transfer edge and generate a second aggregated feature, including: The adjacent node features are arranged according to the occurrence time sequence of the dynamic behavior segments corresponding to each abnormal transition edge; Increase the weighting coefficient of the features of the preset number of neighboring nodes closest to the time of the target transaction request; The features of each adjacent node after adjusting the weighting coefficients are weighted and summed to generate the second aggregated feature.
5. The transaction risk prediction method based on graph neural networks according to claim 1, characterized in that, The determination of the abnormal evolution link associated with the abnormal behavior jump node includes: Starting from the abnormal behavior jump node, reverse tracing and forward expansion are performed along the edges of the target behavior evolution graph to generate the corresponding abnormal propagation path, and the abnormal propagation path is determined as the abnormal evolution link.
6. The transaction risk prediction method based on graph neural networks according to claim 5, characterized in that, The process of performing reverse tracing and forward expansion along the edges of the target behavior evolution graph includes: From the abnormal behavior jump node, trace back a preset number of upstream nodes along the incoming edge direction to determine the abnormal triggering path; The abnormal behavior jump node expands downstream nodes at a predetermined number of levels along the outgoing edge direction to determine the abnormal propagation path.
7. The transaction risk prediction method based on graph neural networks according to claim 1, characterized in that, The step of generating a risk prediction result corresponding to the target transaction request based on the real-time risk characterization result, the abnormal evolution chain, and the avoidance action sequence includes: A weighted fusion model is used to fuse the real-time risk characterization results, the link risk value of the abnormal evolution link, and the avoidance probability value of the avoidance action sequence to generate the comprehensive risk level corresponding to the target transaction request.