Fraud risk prevention and control method and system
By combining multi-source heterogeneous data processing with Gaussian mixture models and GBDT risk assessors, the problems of single risk identification and poor scenario adaptability in existing anti-fraud technologies have been solved, achieving precise prevention and control of new fraud scenarios.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- FUJIAN FUNO MOBILE COMM TECH CO LTD
- Filing Date
- 2026-05-09
- Publication Date
- 2026-06-05
AI Technical Summary
Existing anti-fraud technology systems suffer from limitations such as a single risk identification dimension, insufficient accuracy in early warning, difficulty in responding to dynamic changes in fraud methods, and inability to effectively identify fraudulent numbers in their incubation period.
By acquiring multi-source heterogeneous data and performing feature engineering, combining Gaussian mixture models and GBDT risk assessors for unsupervised clustering and fraud risk assessment, user risk profile features and real-time context features are generated. Heterogeneous evidence graphs are used for fraud inference to achieve dynamic risk prevention and control.
It enables the detection of potential risk users at the source, adapts to dynamically changing new fraud scenarios, and improves the accuracy and response speed of fraud risk prevention and control.
Smart Images

Figure CN122155757A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of communication management technology, and in particular to a method and system for preventing and controlling fraud risks. Background Technology
[0002] Existing anti-fraud technology systems generally suffer from the following shortcomings: (i) Risk identification dimensions are too narrow and early warning accuracy is insufficient. Currently, the data engineering of anti-fraud models focuses on the analysis of individual user behavior characteristics, while ignoring the source of risk, resulting in a large number of "latent" fraud numbers escaping detection in the early stages; (ii) Poor scenario adaptability, making it difficult to cope with the dynamic changes in fraud methods. Existing anti-fraud systems mostly identify preset fraud scenarios and then perform targeted modeling and early warning, lacking an effective adaptive update mechanism, making it difficult to quickly respond to new fraud scenarios.
[0003] Therefore, there is an urgent need for a method to prevent and control fraud risks that can detect the source of fraud and respond quickly to constantly changing new fraud scenarios. Summary of the Invention
[0004] The technical problem to be solved by this invention is: This invention provides a method and system for preventing and controlling fraud risks, which can realize the perception of the source of fraud and respond quickly to the ever-changing new fraud scenarios, thereby achieving accurate prevention and control of fraud risks.
[0005] To solve the above-mentioned technical problems, the technical solution adopted by the present invention is as follows: In a first aspect, the present invention provides a method for preventing and controlling fraud risks, comprising: Acquire multi-source heterogeneous data of all users, perform feature engineering on the multi-source heterogeneous data to generate individual feature vectors for each user, and simultaneously input the multi-source heterogeneous data into a pre-trained channel risk assessment model to perform channel risk scoring to generate channel risk assessment results for each user. Concatenate the channel risk assessment results of each user with the corresponding individual feature vectors to obtain risk profile features for all users. All users' risk profile features are input into a Gaussian mixture model for unsupervised clustering. The Gaussian mixture model uses the Bayesian information criterion to adaptively determine the optimal number of potential fraud scenarios K within a preset range of scenario numbers, so as to obtain K potential fraud scenarios and the probability vector of each user belonging to each potential fraud scenario. The system acquires real-time communication data of all users, generates real-time context feature vectors for all users based on the real-time communication data, inputs the real-time context feature vectors of all users, risk profile features, and probability vectors of each user belonging to each potential fraud scenario into the GBDT risk assessor to conduct fraud risk assessment, and obtains the first fraud risk assessment result for all users. At the same time, the system inputs the risk profile features of all users into the rule assessor to conduct fraud risk assessment, and obtains the second fraud risk assessment result for all users. The first and second fraud risk assessment results of each user are combined with the corresponding risk profile features to construct a heterogeneous evidence graph for each user. Fraud inference is performed on the heterogeneous evidence graph of each user to output the final fraud risk prediction probability of each user. A list of fraud risks is generated based on the final fraud risk prediction probabilities of all users. Risk prevention and control are carried out based on the fraud risk list and risk prevention and control feedback data is generated. Based on the risk prevention and control feedback data, the channel risk assessment model, the Gaussian mixture model, the GBDT risk evaluator, the rule evaluator, and the heterogeneous evidence graph of each user are reverse optimized to achieve dynamic risk prevention and control.
[0006] The beneficial effects of this invention are as follows: By concatenating the channel risk assessment results of each user with the corresponding individual feature vector, the risk profile features of users are enriched. This breaks through the limitations of existing anti-fraud models that only focus on the analysis of individual user behavior characteristics while ignoring the source of risk, and can effectively capture latent early-stage risk users from the source. Unsupervised clustering using a Gaussian mixture model and determining the optimal number of potential fraud scenarios using the Bayesian information criterion eliminates the need for manual pre-setting of fraud scenarios, automatically uncovering hidden fraud scenarios. The output is a probability vector of each user belonging to each potential fraud scenario, overcoming the limitation of existing anti-fraud models that assign fixed labels to users. This quantifies the degree of association between users and each potential fraud scenario, reflecting the uncertainty and gradual change of user fraud risk, and can capture the implicit patterns of new fraud scenarios, adapting to dynamically changing new fraud scenarios. Combining the GBDT risk assessor and rule assessor for dual-model fraud risk assessment, with different assessors having different inputs, fully leverages the characteristics of the two assessors, forming complementary advantages and improving the accuracy of generating the fraud risk list. Furthermore, it can reverse-optimize the channel risk assessment model, Gaussian mixture model, GBDT risk evaluator, rule evaluator, and heterogeneous evidence graph for each user based on risk prevention and control feedback data. This enables it to quickly respond to constantly changing new fraud scenarios and achieve precise fraud risk prevention and control.
[0007] Optionally, the multi-source heterogeneous data includes historical communication data. Simultaneously, the multi-source heterogeneous data is input into a pre-trained channel risk assessment model to perform channel risk scoring, generating a channel risk assessment result for each user, including: Historical card activation data is obtained from the historical communication data, and all card activation channels are obtained based on the historical card activation data. Each card activation channel is evaluated according to M indicators under N preset dimensions to obtain the evaluation results of M indicators for each card activation channel. For each card-opening channel, the evaluation results of each indicator in each dimension are processed by extreme value normalization to obtain the individual risk score of each card-opening channel for each indicator. Based on the evaluation results of all card opening channels on the same indicator, the information entropy of each indicator is calculated, and the distribution weight of each indicator is calculated according to the information entropy of each indicator. The distribution weight of each indicator is combined with the preset expert weight to generate the indicator weight of each indicator. The static channel risk score for each card opening channel is obtained by weighting and summing the individual risk score for each indicator for each card opening channel with the corresponding indicator weight. Extract the month-on-month growth rate of key factors within a first preset time window from the evaluation results of M indicators for each card opening channel, and calculate the dynamic correction factor for each card opening channel based on the month-on-month growth rate of key factors. Dynamically correct the corresponding static channel risk score according to the dynamic correction factor of each card opening channel to obtain the dynamic channel risk score for each card opening channel. Assign the dynamic channel risk score of each card opening channel to each user under the corresponding card opening channel to generate the channel risk assessment result for each user. The month-on-month growth rate of key factors includes the month-on-month growth rate of card opening numbers marked as fraudulent in the card opening channel and the month-on-month growth rate of card opening numbers marked as high-risk warning in the card opening channel.
[0008] As described above, each card-opening channel is comprehensively evaluated using M indicators across N preset dimensions. This avoids the bias inherent in single-indicator evaluations and ensures the evaluation results are highly normalized, improving the scientific rigor of the individual risk scores for each channel on each indicator. The individual risk scores are then weighted and summed with indicator weights derived from a combination of distributed weights and preset expert weights, balancing the objectivity of the indicator data distribution with the professionalism of expert experience, thus enhancing the accuracy of the static channel score for each card-opening channel. Furthermore, a dynamic correction factor is introduced into the static channel score for each card-opening channel, addressing the limitation of static channel scores in adapting to dynamic changes in channel risk, further improving the accuracy of the channel risk assessment results for each user.
[0009] Optionally, obtaining the probability vector of each user belonging to each potential fraud scenario includes: The triggering conditions of each scenario attribution rule are obtained from the preset scenario attribution rule library. The risk profile features of each user are matched with the triggering conditions of each scenario attribution rule one by one. If a match is successful, the successfully matched scenario attribution rule and the successfully matched user are obtained. The probability vector corresponding to the successfully matched user is probability corrected according to the attribution strength of the successfully matched scenario attribution rule to obtain the probability corrected probability vector.
[0010] As described above, by introducing a pre-defined scenario attribution rule library, the probability vectors of successfully matched users are modified according to the attribution strength of the successfully matched scenario attribution rules. This avoids the disconnect between the unsupervised clustering of Gaussian mixture models and actual fraud scenarios, and improves the accuracy of user probability vectors.
[0011] Optionally, generating real-time context feature vectors for all users based on the real-time communication data includes: The call records of each user within the second preset time window are extracted from the real-time communication data. The average number of calls and the standard deviation of the number of calls for each user are calculated based on the call records. At the same time, the total number of calls for each user within the third preset time window is counted based on the call records. The total number of calls for each user within the third preset time window, the average number of calls for each user, and the standard deviation of the number of calls for each user are input into the call anomaly formula to calculate the call anomaly index, thus obtaining the call anomaly index for each user. Extract the first signaling trajectory of each user within the third preset time window and the second signaling trajectory within the fourth preset time window from the real-time communication data. Obtain the permanent base station of each user within the third preset time window based on the first signaling trajectory. At the same time, obtain the current base station of each user within the fourth preset time window based on the second signaling trajectory. Input the current base station of each user within the fourth preset time window and the permanent base station of each user within the third preset time window into the geographic displacement anomaly formula to calculate the geographic displacement anomaly index and obtain the geographic displacement anomaly index of each user. Extract each user's new contact records within the third preset time window from the real-time communication data, and count the total number of new contacts for each user within the third preset time window based on the new contact records. Match each user's new contact records within the third preset time window with each user's call records within the second preset time window, filter out new contacts without call records, and count the number of new contacts to obtain the number of contacts without records for each user. Input the total number of new contacts for each user within the third preset time window and the corresponding number of contacts without records into the interaction anomaly formula to calculate the interaction anomaly index for each user. Each user's real-time contextual feature vector is generated based on their call anomaly index, displacement anomaly index, and interaction anomaly index.
[0012] As described above, each user's call anomaly index, geographical displacement anomaly index, and social interaction anomaly index are calculated based on call records, signaling trajectories, and new contact records. This allows for the construction of a real-time context feature vector for each user, ensuring that the real-time context feature vector can comprehensively reflect the user's real-time abnormal state.
[0013] Optionally, the GBDT risk assessor includes a parameterized attention gating network and a gradient boosting decision tree model. The step of inputting all users' real-time contextual feature vectors, risk profile features, and the probability vector of each user belonging to each potential fraud scenario into the GBDT risk assessor for fraud risk assessment includes: The probability vector of each user belonging to each potential fraud scenario is concatenated with the corresponding real-time context feature vector to obtain the concatenated vector of each user. The concatenated vector of each user is then input into a parameterized attention gating network to output attention weights with the same dimension as the risk profile features of each user. The attention weights are then multiplied element-wise with the corresponding risk profile features to obtain the weighted feature vector of each user. The weighted feature vector of each user is input into the gradient boosting decision tree model to assess the risk of fraud, thereby generating the first risk assessment result for each user.
[0014] As described above, the introduction of a parameterized attention gating network into the GBDT risk assessor enables dynamic weighting of risk profile features, suppresses interference from irrelevant features in the risk profile features, and highlights features related to the user's probability vector and real-time context feature vector, thereby improving the accuracy of the first fraud risk assessment result.
[0015] Optionally, simultaneously inputting the risk profile features of all users into the rule evaluator for fraud risk assessment includes: The system retrieves the triggering conditions for each fraudulent behavior rule from a pre-defined database of fraudulent behavior rules. It then matches each user's risk profile characteristics with the triggering conditions of each fraudulent behavior rule one by one. If a match is successful, it retrieves the preset risk value of the successfully matched fraudulent behavior rule and aggregates the preset risk values of all successfully matched fraudulent behavior rules for the same user to generate a second fraudulent risk assessment result for each user.
[0016] As described above, matching a user's risk profile features with fraudulent behavior rules in the fraudulent behavior rule base can comprehensively capture a user's fraudulent behavior. Furthermore, aggregating the preset risk values of successfully matched fraudulent behavior rules for the same user can quantify the user's overall fraudulent risk level and improve the objectivity and accuracy of the second fraudulent risk assessment results.
[0017] Optionally, the step of combining each user's first fraud risk assessment result, second fraud risk assessment result, and corresponding risk profile features to construct a heterogeneous evidence graph for each user, performing fraud inference on each user's heterogeneous evidence graph to output each user's final fraud risk prediction probability, and generating a fraud risk list based on the final fraud risk prediction probabilities of all users includes: Each user is treated as an independent central node, and the risk profile features, the first fraud risk assessment result, and the second fraud analysis assessment result of each user are used as evidence nodes for the corresponding central node. A directed edge is established between each central node and each corresponding evidence node. A heterogeneous evidence graph for each user is constructed based on the central node, the corresponding evidence node, and the corresponding directed edge. By using a two-layer graph attention network to perform fraud-related reasoning on the heterogeneous evidence graph of each user, evidence fusion and conflict elimination are achieved, so as to output the final risk prediction probability and corresponding prediction confidence of each user. The final risk prediction probability and corresponding prediction confidence of each user are input into the comprehensive risk assessment formula for calculation to obtain the comprehensive risk assessment result of each user. Based on the comprehensive risk assessment result, all users are sorted in descending order to obtain the comprehensive risk assessment result sequence after descending order. Under multi-objective constraints, a greedy algorithm is used to traverse the descending-ordered sequence of comprehensive risk assessment results to filter out users who meet the multi-objective constraints and generate a fraud risk list, wherein the multi-objective constraints are: ; in, This represents the i-th user in the sequence of comprehensive risk assessment results after descending order. This indicates the total daily warning quota. This represents the lower limit of the number of warnings for the k-th fraud scenario out of K potential fraud scenarios within the t-th period. This represents the upper limit of the number of warnings for the k-th fraud scenario out of K potential fraud scenarios within the t-th period. Let represent the probability vector that the i-th user belongs to the k-th potential fraud scenario out of K potential fraud scenarios. This represents the maximum daily processing capacity of the c-th disposal channel. The i-th user is assigned to the c-th processing channel.
[0018] As described above, each user is treated as a separate central node, and the corresponding first fraud risk assessment result, second fraud risk assessment result, and risk profile features serve as evidence nodes for that central node, ensuring that the constructed heterogeneous evidence graph closely matches the user. A two-layer graph attention network is used to perform fraud-related reasoning on each user's heterogeneous evidence graph, achieving evidence fusion and conflict resolution, improving the accuracy of the final risk prediction probability and corresponding prediction confidence. Combining multi-objective constraints and a greedy algorithm to filter out the fraud risk list ensures both the risk concentration of the obtained fraud risk list and considers resource allocation such as the overall budget, warning amount, and handling channel capacity, thereby enhancing the targeted nature of fraud risk prevention and control.
[0019] Optionally, the step of performing fraud-related reasoning on the heterogeneous evidence graph of each user through a two-layer graph attention network to achieve evidence fusion and conflict elimination, and outputting the final risk prediction probability and corresponding prediction confidence for each user, includes: The first-layer graph attention network performs dimensionality reduction on the feature vectors of all nodes in the heterogeneous evidence graph of each user through a trainable shared weight matrix, resulting in the corresponding dimensionality-reduced feature vectors of all nodes, including the center node and the evidence node. The feature vector of the central node after dimensionality reduction in the same heterogeneous evidence graph is concatenated with the feature vector of the adjacent dimensionality-reduced evidence nodes to obtain all concatenated vectors. All concatenated vectors are then input into Q parallel attention heads, so that each attention head independently calculates the attention coefficient of each concatenated vector. All attention coefficients calculated under the same attention head are weighted and aggregated with the corresponding concatenated vector to obtain the aggregated feature vector under each attention head. All aggregated feature vectors in the same heterogeneous evidence graph are concatenated a second time to obtain concatenated aggregated feature vectors. Then, a linear transformation is performed on the concatenated aggregated feature vectors to obtain linearly transformed aggregated feature vectors. The linearly transformed aggregated feature vectors are used as the fusion feature vectors of the corresponding dimensionality-reduced center nodes. The fused feature vector of each central node is merged with the dimensionality-reduced feature vector through residual connections to obtain the merged fused feature vector of each central node. The merged fused feature vector of each central node is then normalized through the LayerNorm layer to obtain the updated feature vector of each central node output by the first layer graph attention network. The updated feature vector of each central node output by the first layer graph attention network and the feature vector of the corresponding dimensionality-reduced evidence node in the first layer graph attention network are used as input to the second layer graph attention network. The second layer graph attention network repeatedly executes the update operation of the first layer graph attention network to obtain the updated feature vector of each central node output by the second layer graph attention network. The update operation includes dimensionality reduction, first concatenation, weighted aggregation, second concatenation, linear transformation, merging and normalization. The updated feature vectors of each central node output by the second-layer graph attention network are input into the first fully connected layer and activated by the first sigmoid function to obtain the final risk prediction probability for each user. At the same time, the updated feature vectors of each central node output by the second-layer graph attention network are input into the second fully connected layer and activated by the second sigmoid function to output the prediction confidence corresponding to the final risk prediction probability for each user.
[0020] As described above, a trainable shared weight matrix is used to reduce the dimensionality of the feature vectors of all nodes in the heterogeneous evidence graph for each user, thereby reducing computational load and improving efficiency. Parallel Q attention heads are used to calculate attention coefficients and perform weighted aggregation, enabling comprehensive mining of evidence relationships between evidence nodes and improving the accuracy of evidence fusion and conflict resolution. Introducing residual connections and LayerNorm layers effectively alleviates the degradation of the graph attention network, accelerates convergence, and improves its stability. The output of the first-layer graph attention network is used as the input of the second-layer graph attention network, gradually enhancing the accuracy of evidence fusion and conflict resolution, and improving the accuracy of the final risk prediction probability and corresponding prediction confidence.
[0021] Secondly, the present invention provides a fraud risk prevention and control system, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the fraud risk prevention and control method described in the first aspect.
[0022] The technical effects of the fraud risk prevention and control system provided in the second aspect are the same as those of the fraud risk prevention and control method provided in the first aspect. Attached Figure Description
[0023] Figure 1 This is a flowchart of a fraud risk prevention and control method provided in this embodiment; Figure 2 This is a schematic diagram of the overall process of a fraud risk prevention and control method provided in this embodiment; Figure 3 This is a schematic diagram of the fraud risk assessment process involved in this embodiment; Figure 4 This is a schematic diagram of the structure of a fraud risk prevention and control system provided in this embodiment.
[0024] [Explanation of Labels in the Attached Image] 1. A fraud risk prevention and control system; 2. Processor; 3. Memory. Detailed Implementation
[0025] To better understand the above technical solutions, exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention can be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that the present invention can be understood more clearly and thoroughly, and that the scope of the present invention can be fully conveyed to those skilled in the art.
[0026] Example 1 Please refer to Figures 1 to 3 The present invention provides a method for preventing and controlling fraud risks, comprising the following steps: S1. Obtain multi-source heterogeneous data of all users, perform feature engineering on the multi-source heterogeneous data to generate individual feature vectors for each user, and simultaneously input the multi-source heterogeneous data into a pre-trained channel risk assessment model to perform channel risk scoring, generate channel risk assessment results for each user, and concatenate the channel risk assessment results of each user with the corresponding individual feature vectors to obtain risk profile features for all users. In this embodiment, as Figure 2As shown, multi-source heterogeneous data for all users is acquired. This data includes historical communication data and static basic data. Historical communication data includes historical SIM card activation data, historical communication plans, historical call records, historical signaling trajectories, and historical network access / SIM card activation duration. Static basic data includes the user's name, date of birth, ID type, residential address, and ID card address. Feature engineering is performed on the multi-source heterogeneous data to generate individual feature vectors for each user. Different feature engineering processes are applied to different types of multi-source heterogeneous data. The types of multi-source heterogeneous data include: numerical, categorical, textual, and sequential. Specifically, the user's date of birth and historical network access / SIM card activation duration are numerical; historical communication plans and ID type are categorical; ID card address and residential address are textual; and historical call records are sequential. When performing feature engineering on numerical, multi-source heterogeneous data, numerical feature standardization and nonlinear coding are employed. For example, for historical network access / SIM card activation duration, Z-score standardization is first performed, followed by quantile transformation to map it to a uniform distribution to eliminate the influence of outliers and capture nonlinear relationships. For instance, the interval above the 95th percentile of historical network access / SIM card activation duration is encoded as a separate feature bucket. When performing feature engineering on categorical, multi-source heterogeneous data, smoothing target coding based on historical fraud data is used. For example, for Category 1 in historical communication packages, its encoded value is calculated as follows: ; in, This represents the encoded value corresponding to category 1 in the historical communication package. This indicates the percentage of users involved in fraud among all users in Category 1. This indicates the percentage of users involved in fraud among all users; When performing feature engineering on text-based multi-source heterogeneous data, LSTM-CRF is used to parse administrative levels. A classification task outputs a ternary probability distribution for urban areas / townships / villages, and a regression task outputs a geographic risk index. The geographic risk index is calculated by normalizing the historical fraud case density of the administrative region. When performing feature engineering on sequence-based multi-source heterogeneous data, preprocessing including noise reduction and filtering is performed to eliminate outlier interference and ensure the validity and consistency of the sequence-based multi-source heterogeneous data.
[0027] Simultaneously, multi-source heterogeneous data is input into the pre-trained channel risk assessment model to score channel risk. The channel risk assessment results of each user are concatenated with the corresponding individual feature vector to construct the risk profile features of each user, thus obtaining the risk profile features of all users.
[0028] At this point, the multi-source heterogeneous data mentioned in step S1 includes historical communication data. Simultaneously, the multi-source heterogeneous data is input into a pre-trained channel risk assessment model to perform channel risk scoring, generating a channel risk assessment result for each user, including: S11. Obtain historical card opening data from the historical communication data, and obtain all card opening channels based on the historical card opening data. Evaluate each card opening channel according to M indicators under N preset dimensions to obtain the evaluation results of M indicators for each card opening channel. S12. For each card opening channel, the evaluation results of each indicator in each dimension are normalized to obtain the single risk score of each card opening channel for each indicator. S13. Calculate the information entropy of each indicator based on the indicator evaluation results of all card opening channels on the same indicator, and calculate the distribution weight of each indicator based on the information entropy of each indicator. Combine the distribution weight of each indicator with the preset expert weight to generate the indicator weight of each indicator. S14. The single risk score for each card opening channel on each indicator is weighted and summed with the corresponding indicator weight to obtain the static channel risk score for each card opening channel. S15. Extract the month-on-month growth rate of key factors within the first preset time window from the evaluation results of M indicators for each card opening channel, and calculate the dynamic correction factor for each card opening channel based on the month-on-month growth rate of key factors. Dynamically correct the corresponding static channel risk score according to the dynamic correction factor of each card opening channel to obtain the dynamic channel risk score for each card opening channel. Assign the dynamic channel risk score of each card opening channel to each user under the corresponding card opening channel to generate the channel risk assessment result for each user. The month-on-month growth rate of key factors includes the month-on-month growth rate of card opening numbers marked as fraudulent in the card opening channel and the month-on-month growth rate of card opening numbers marked as high-risk warning in the card opening channel.
[0029] In this embodiment, as Figure 2 As shown, historical SIM card activation data is obtained from historical communication data. This historical SIM card activation data is equivalent to historical network access data. All SIM card activation channels are then identified based on this data, and these channels are also equivalent to network access channels. Each SIM card activation channel is evaluated using M indicators across N pre-defined dimensions, where N is 3. The three dimensions are: Public Security / Model Notification Dimension, Low-Quality Number Dimension, and Abnormal Account Opening Behavior Dimension. Different indicators exist for each dimension. The specific indicators for each dimension and their calculation methods are shown in Table 1, thus obtaining the M indicator evaluation results for each SIM card activation channel.
[0030] Table 1. Dimension-Indicator Table
[0031] For each card-opening channel, extreme value normalization is performed on the evaluation results of each indicator within each dimension to obtain the individual risk score for each channel on each indicator. Based on the indicator evaluation results of all card-opening channels on the same indicator, the information entropy of each indicator is calculated. The calculation of information entropy can be performed by selecting local indicator evaluation results from the full set of indicator evaluation results, such as selecting indicator evaluation results from the past 30 days. The distribution weight of each indicator is calculated based on its information entropy. This distribution weight is then combined with preset expert weights to generate the indicator weight for each indicator. The formula for calculating the distribution weight is as follows: ; in, This represents the distribution weight of index j. This represents the information entropy of index j; The formula for calculating the indicator weight is as follows: ; in, This represents the weight of indicator j. This represents the preset empirical coefficient. This represents the preset expert weights for indicator j; The preset empirical coefficient range is (0,1), and the value used in this case is 0.6.
[0032] The static channel risk score for each card-opening channel is obtained by weighting and summing the individual risk scores for each indicator for each card-opening channel. From the evaluation results of M indicators for each card-opening channel, the month-on-month growth rate of key factors within a first preset time window is extracted. This first preset time window is the past 7 days. The month-on-month growth rate of key factors includes the month-on-month growth rate of card-opening numbers marked as fraudulent and the month-on-month growth rate of card-opening numbers marked as high-risk warnings. A dynamic correction factor is then calculated for each card-opening channel based on the month-on-month growth rate of key factors. The formula for calculating the dynamic correction factor is as follows: ; in, This represents the dynamic correction factor for the card opening channel m. This represents the adjustment coefficient. This represents the month-on-month growth rate of SIM card numbers marked as fraudulent within SIM card activation channel m. This represents the month-on-month growth rate of card numbers marked as high-risk warnings in card issuance channel m. The adjustment coefficient ranges from (0,1), and its value in this instance is 0.5.
[0033] The static channel risk score can be dynamically adjusted based on the dynamic adjustment factor of each card opening channel to obtain the dynamic channel risk score for each channel. The calculation formula for dynamic adjustment is as follows: ; in, This represents the dynamic channel risk score for the card opening channel m. This represents the dynamic channel risk score for the card opening channel m.
[0034] The dynamic channel risk score of each card opening channel is assigned to each user under the corresponding card opening channel, generating a channel risk assessment result for each user.
[0035] S2. Input the risk profile features of all users into a Gaussian mixture model for unsupervised clustering. The Gaussian mixture model uses the Bayesian information criterion to adaptively determine the optimal number of potential fraud scenarios K within a preset range of scenario numbers, so as to obtain K potential fraud scenarios and the probability vector of each user belonging to each potential fraud scenario. In this embodiment, as Figure 2 As shown, the risk profile features of all users are input into a Gaussian mixture model for unsupervised clustering. The Gaussian mixture model uses the Bayesian information criterion to adaptively determine the optimal number of potential fraud scenarios K within a preset range of [2, 15], outputting K Gaussian distributions, each corresponding to a potential fraud scenario, thus obtaining K potential fraud scenarios. The probability vector of each user belonging to each Gaussian distribution is then calculated, and this probability vector is used as the probability vector of each user belonging to each potential fraud scenario.
[0036] At this point, step S2, which involves obtaining the probability vector for each user belonging to each potential fraud scenario, includes: S21. Obtain the triggering condition of each scenario attribution rule from the preset scenario attribution rule library, match each user's risk profile features with the triggering condition of each scenario attribution rule one by one, if the match is successful, obtain the successfully matched scenario attribution rule and the successfully matched user, and perform probability correction on the probability vector corresponding to the successfully matched user according to the attribution strength of the successfully matched scenario attribution rule to obtain the probability vector after probability correction.
[0037] In this embodiment, as Figure 2As shown, the triggering conditions for each scenario attribution rule are retrieved from a pre-defined scenario attribution rule library. Each user's risk profile features are matched against the triggering conditions of each scenario attribution rule. If a match is successful, the successfully matched scenario attribution rule and the successfully matched user are obtained. The probability vector corresponding to the successfully matched user is then probability-corrected based on the attribution strength of the successfully matched scenario attribution rule, resulting in a probability-corrected probability vector. The successfully matched scenario attribution rules are recorded as a basis for subsequent interpretability. The attribution strength is preset based on expert experience, and the probability correction calculation formula is as follows: ( ; ; in,( This represents the probability vector after the probability of the i-th user has been corrected. Let represent the probability vector that the i-th user belongs to the k-th potential fraud scenario. Indicating scene attribution rules The strength of belonging, Indicating scene attribution rules The strength of the association with potential fraud scenarios, Indicating scene attribution rules The total number of users with a history of fraud.
[0038] The scene attribution rule strength in the scene attribution rule base is updated according to a preset period, and the specific update formula is as follows: ; in, Indicating scene attribution rules Updated ownership strength Indicates the learning rate. Indicating scene attribution rules The accuracy rate of early warnings over the past 7 days This represents the average accuracy of all scenario attribution rules over the past 7 days. It changes with the results of unsupervised clustering, that is, it updates as K is updated.
[0039] S3. Obtain the real-time communication data of all users, generate the real-time context feature vector of all users based on the real-time communication data, input the real-time context feature vector of all users, risk profile features, and probability vector of each user belonging to each potential fraud scenario into the GBDT risk assessor to conduct fraud risk assessment, and obtain the first fraud risk assessment result of all users. At the same time, input the risk profile features of all users into the rule assessor to conduct fraud risk assessment, and obtain the second fraud risk assessment result of all users. In this embodiment, as Figure 2 As shown, real-time communication data of all users is obtained. This real-time communication data contains the same data as the historical communication data mentioned above, differing only in the time dimension. Real-time contextual feature vectors for all users are generated based on the real-time communication data. A dual-risk evaluator—the GBDT risk evaluator and the rule evaluator—is used to assess fraud risk. Considering that the GBDT risk evaluator is data-driven, it inputs the real-time contextual feature vectors of all users, risk profile features, and the probability vector of each user belonging to each potential fraud scenario. The rule evaluator, on the other hand, is rule-driven; therefore, it inputs the risk profile features of all users to assess fraud risk. This yields the first and second fraud risk assessment results for all users.
[0040] At this point, step S3, which involves generating real-time context feature vectors for all users based on the real-time communication data, includes: S31. Extract the call records of each user within the second preset time window from the real-time communication data, and calculate the average number of calls and the standard deviation of the number of calls for each user based on the call records. At the same time, count the total number of calls for each user within the third preset time window based on the call records. Input the total number of calls for each user within the third preset time window, the average number of calls for each user, and the standard deviation of the number of calls for each user into the call anomaly formula to calculate the call anomaly index, and obtain the call anomaly index for each user. S32. Extract the first signaling trajectory of each user within the third preset time window and the second signaling trajectory within the fourth preset time window from the real-time communication data. Obtain the permanent base station of each user within the third preset time window based on the first signaling trajectory. At the same time, obtain the current base station of each user within the fourth preset time window based on the second signaling trajectory. Input the current base station of each user within the fourth preset time window and the permanent base station of each user within the third preset time window into the geographic displacement anomaly formula to calculate the geographic displacement anomaly index and obtain the geographic displacement anomaly index of each user. S33. Extract the new contact records of each user within the third preset time window from the real-time communication data, and count the total number of new contacts of each user within the third preset time window based on the new contact records. Match the new contact records of each user within the third preset time window with the call records of each user within the second preset time window, filter out the new contacts without call records, and count the number of new contacts to obtain the number of contacts without records for each user. Input the total number of new contacts of each user within the third preset time window and the corresponding number of contacts without records into the communication abnormality formula to calculate the communication abnormality index and obtain the communication abnormality index for each user. S34. Generate a real-time context feature vector for each user based on each user's call anomaly index, each user's displacement anomaly index, and each user's interaction anomaly index.
[0041] In this embodiment, as Figure 3 As shown, each user's real-time context feature vector is actually anomaly behavior features, specifically including call anomaly index, displacement anomaly index, and interaction anomaly index. Call records for each user within a second preset time window (approximately 7 days) are extracted from real-time communication data. The average and standard deviation of each user's call counts are calculated based on these records. Simultaneously, the total number of calls for each user within a third preset time window (approximately 24 hours) is calculated. The total number of calls for each user within the third preset time window, along with the average and standard deviation of their calls, are input into the call anomaly formula to calculate the call anomaly index for each user. The call anomaly formula is as follows: ; in, This represents the call anomaly index for the i-th user. This represents the total number of calls made by the i-th user within the third preset time window. This represents the average number of calls made by the i-th user. This represents the standard deviation of the number of calls made by the i-th user. This indicates the smoothing term.
[0042] Extract the first signaling trajectory of each user within the third preset time window and the second signaling trajectory within the fourth preset time window from real-time communication data, where the fourth preset time window is the current time. Obtain the permanent base station of each user within the third preset time window based on the first signaling trajectory, and obtain the current base station of each user within the fourth preset time window based on the second signaling trajectory. Input the current base station of each user within the fourth preset time window and the permanent base station of each user within the third preset time window into the geographic displacement anomaly formula to calculate the geographic displacement anomaly index, and obtain the geographic displacement anomaly index of each user.
[0043] The formula for geographic displacement anomaly is: ; in, This represents the geographic displacement anomaly index of the i-th user. This represents the current base station for the i-th user within the fourth preset time window. This represents the base station where the i-th user is permanently stationed within the third preset time window. This represents the distance threshold.
[0044] Extract each user's new contact records within the third preset time window from real-time communication data, and calculate the total number of new contacts for each user within the third preset time window based on these records. Match each user's new contact records within the third preset time window with their call records within the second preset time window, filter out new contacts without call records, and count the number of new contacts to obtain the number of contacts without records for each user. Input the total number of new contacts and the corresponding number of contacts without records for each user within the third preset time window into the interaction anomaly formula to calculate the interaction anomaly index for each user.
[0045] The formula for abnormal interaction is as follows: ; in, This represents the abnormal interaction index of the i-th user. This represents the total number of new contacts added by the i-th user within the third preset time window. This represents the number of unrecorded contacts for the i-th user. This indicates the threshold for interaction.
[0046] At this point, the GBDT risk assessor mentioned in step S3 includes a parameterized attention gating network and a gradient boosting decision tree model. The step of inputting all users' real-time contextual feature vectors, risk profile features, and the probability vector of each user belonging to each potential fraud scenario into the GBDT risk assessor for fraud risk assessment includes: S35. Concatenate the probability vector of each user belonging to each potential fraud scenario with the corresponding real-time context feature vector to obtain the concatenated vector of each user. Input the concatenated vector of each user into a parameterized attention gating network to output attention weights with the same dimension as the risk profile features of each user. Multiply the attention weights element-wise with the corresponding risk profile features to obtain the weighted feature vector of each user. S36. Input the weighted feature vector of each user into the gradient boosting decision tree model to conduct fraud risk assessment, so as to generate the first fraud risk assessment result for each user.
[0047] In this embodiment, as Figure 3 As shown, the GBDT risk assessor includes a parametric attention gating network and a gradient boosting decision tree model. The gradient boosting decision tree model here is the standard GBDT. In fact, the GBDT risk assessor is an improved GBDT with the addition of a parametric attention gating network. The probability vector of each user belonging to each potential fraud scenario is concatenated with the corresponding real-time context feature vector. The parametric attention gating network generates an attention weight for each concatenated vector, and this attention weight has the same dimension as the user's risk profile features. The attention weight is then multiplied element-wise with the corresponding risk profile features to obtain the weighted feature vector for each user. That is, the risk profile features are dynamically weighted, suppressing interference from irrelevant features and highlighting features related to the user's probability vector and real-time context feature vector, i.e., emphasizing risk features. The weighted feature vector of each user is input into the gradient boosting decision tree model for fraud risk assessment to generate the first fraud risk assessment result for each user. The parameters in the parametric attention gating network and the parameters in the gradient boosting decision tree model are jointly optimized end-to-end with loss minimization.
[0048] At this point, step S3, which involves simultaneously inputting the risk profile features of all users into the rule evaluator for fraud risk assessment, includes: S37. Obtain the triggering conditions of each fraudulent behavior rule from the preset fraudulent behavior rule library, match each user's risk profile features with the triggering conditions of each fraudulent behavior rule one by one, if the match is successful, obtain the preset risk value of the successfully matched fraudulent behavior rule, and aggregate the preset risk values of all successfully matched fraudulent behavior rules under the same user to generate a second fraudulent risk assessment result for each user.
[0049] In this embodiment, as Figure 3 As shown, the system retrieves the triggering conditions for each fraudulent behavior rule from a pre-defined fraudulent behavior rule library. It then matches each user's risk profile characteristics against the triggering conditions of each fraudulent behavior rule. If a match is successful, the system obtains the preset risk value of the matched fraudulent behavior rule and records it for future interpretability. Finally, it aggregates the preset risk values of all successfully matched fraudulent behavior rules for the same user to generate a second fraudulent risk assessment result for each user.
[0050] S4. Combine the first fraud risk assessment result and the second fraud risk assessment result of each user with the corresponding risk profile features to construct a heterogeneous evidence graph for each user. Perform fraud inference on the heterogeneous evidence graph of each user to output the final fraud risk prediction probability of each user, and generate a fraud risk list based on the final fraud risk prediction probability of all users. In this embodiment, as Figure 2 As shown, a unique heterogeneous evidence graph is constructed for each user, and fraud-related reasoning is performed on it to output the final fraud risk prediction probability for each user. A fraud risk list is generated based on the final fraud risk prediction probabilities of all users. In addition to the fraud-related reasoning method described in steps S41-S44, the fraud risk list can also be generated directly based on users marked as fraudulent by both the first and second fraud risk assessment results. In this case, if there is a conflict between the first and second fraud risk assessment results, the fraud-related reasoning method described in steps S41-S44 can be used again to achieve evidence fusion and conflict elimination, thereby generating the fraud risk list.
[0051] At this point, the generation of the fraud risk list based on the first fraud risk assessment results and the second fraud risk assessment results of all users in step S4 includes: S41. Treat each user as an independent central node, and treat each user's risk profile features, first fraud risk assessment results and second fraud analysis assessment results as evidence nodes of the corresponding central node. Establish directed edges between each central node and each corresponding evidence node. Construct a heterogeneous evidence graph for each user based on each user's central node, corresponding evidence nodes and corresponding directed edges. S42. Perform fraud-related reasoning on the heterogeneous evidence graph of each user through a two-layer graph attention network to achieve evidence fusion and conflict elimination, so as to output the final risk prediction probability and corresponding prediction confidence of each user. S43. Input the final risk prediction probability and the corresponding prediction confidence of each user into the comprehensive risk assessment formula for calculation, obtain the comprehensive risk assessment result of each user, and sort all users in descending order according to the comprehensive risk assessment result to obtain the comprehensive risk assessment result sequence after descending order. S44. Under multi-objective constraints, a greedy algorithm is used to traverse the comprehensive risk assessment result sequence after descending sorting, and users who meet the multi-objective constraints are selected to generate a fraud risk list, wherein the multi-objective constraints are: ; in, This represents the i-th user in the sequence of comprehensive risk assessment results after descending order. This indicates the total daily warning quota. This represents the lower limit of the number of warnings for the k-th fraud scenario out of K potential fraud scenarios within the t-th period. This represents the upper limit of the number of warnings for the k-th fraud scenario out of K potential fraud scenarios within the t-th period. Let represent the probability vector that the i-th user belongs to the k-th potential fraud scenario out of K potential fraud scenarios. This represents the maximum daily processing capacity of the c-th disposal channel. The i-th user is assigned to the c-th processing channel.
[0052] In this embodiment, as Figure 2As shown, an independent heterogeneous evidence graph is constructed for each user. Each user is treated as an independent central node, while the corresponding risk profile features, the first fraud risk assessment result, and the second fraud risk assessment result are used as evidence nodes. That is, the nodes in each user's heterogeneous evidence graph include: one central node and multiple evidence nodes. Directed edges are established between each central node and each corresponding evidence node, and an initial edge weight is set for each directed edge. The initial edge weight is set based on the mutual information between the evidence node and historical fraud-related tags. The setting of the initial edge weight provides interpretable business prior knowledge for the subsequent two-layer graph attention network to perform fraud-related reasoning on the heterogeneous evidence graph, achieving evidence fusion and conflict resolution, thus improving the convergence speed and interpretability of the two-layer graph attention network. This yields the heterogeneous evidence graph for each user.
[0053] A two-layer graph attention network is employed to perform fraud-related reasoning on the heterogeneous evidence graphs of each user, achieving evidence fusion and conflict elimination. Specifically, all evidence nodes are fused to eliminate conflicts between the first and second fraud risk assessment results, yielding the final risk prediction probability and corresponding prediction confidence for each user. These final risk prediction probabilities and corresponding prediction confidence are then input into a comprehensive risk assessment formula to calculate the comprehensive risk assessment result for each user. The comprehensive risk assessment formula is as follows: ; in, This represents the overall risk assessment result for the i-th user. This represents the final risk prediction probability for the i-th user. This represents the prediction confidence level for the i-th user. This represents the urgency coefficient of social harm for the i-th user.
[0054] The social harm urgency coefficient is determined based on the scenario attribution rules for successful matching recorded in step S21 and the fraudulent behavior rules for successful matching recorded in step S37.
[0055] Based on the comprehensive risk assessment results of all users, all users are sorted in descending order to obtain a sequence of comprehensive risk assessment results in descending order. Under multi-objective constraints, a greedy algorithm is used to traverse the sequence of comprehensive risk assessment results in descending order, and users who meet the multi-objective constraints are selected to generate a list of users at risk of fraud. The greedy algorithm stops when the daily warning quota is reached, the sequence of comprehensive risk assessment results in descending order is completely traversed, or the daily processing capacity of the handling channel is reached.
[0056] At this point, step S42 includes: S421. The first layer graph attention network performs dimensionality reduction on the feature vectors of all nodes in the heterogeneous evidence graph of each user through a trainable shared weight matrix, and obtains the feature vectors of all nodes after dimensionality reduction, where all nodes include the center node and the evidence node. S422. Perform a first concatenation process on the feature vector of the central node after dimensionality reduction in the same heterogeneous evidence graph and the feature vector of the adjacent evidence nodes after dimensionality reduction to obtain all concatenated vectors. Input all concatenated vectors into Q parallel attention heads respectively, so that each attention head independently calculates the attention coefficient of each concatenated vector. Perform weighted aggregation process on all attention coefficients calculated under the same attention head and the corresponding concatenated vector to obtain the aggregated feature vector under each attention head. S423. Perform a second concatenation process on all aggregated feature vectors in the same heterogeneous evidence graph to obtain a concatenated aggregated feature vector. Perform a linear transformation process on the concatenated aggregated feature vector to obtain a linearly transformed aggregated feature vector. Use the linearly transformed aggregated feature vector as the fusion feature vector of the corresponding dimensionality-reduced center node. S424. The fused feature vector of each central node is merged with the feature vector after dimensionality reduction through residual connection to obtain the fused feature vector of each central node after fusion processing. The fused feature vector of each central node after fusion processing is normalized through LayerNorm layer to obtain the updated feature vector of each central node output by the first layer graph attention network. S425. The updated feature vector of each center node output by the first layer graph attention network and the feature vector of the corresponding dimension-reduced evidence node in the first layer graph attention network are used as the input of the second layer graph attention network. The second layer graph attention network repeatedly executes the update operation of the first layer graph attention network to obtain the updated feature vector of each center node output by the second layer graph attention network. The update operation includes dimension reduction, first concatenation, weighted aggregation, second concatenation, linear transformation, merging and normalization. S426. The updated feature vector of each central node output by the second layer graph attention network is input into the first fully connected layer and activated by the first sigmoid to obtain the final risk prediction probability of each user. At the same time, the updated feature vector of each central node output by the second layer graph attention network is input into the second fully connected layer and activated by the second sigmoid to output the prediction confidence corresponding to the final risk prediction probability of each user.
[0057] In this embodiment, the first-layer graph attention network uses a trainable shared weight matrix and Xavier uniform initialization to reduce the dimensionality of the feature vectors of all nodes in the heterogeneous evidence graph for each user, obtaining the corresponding dimensionality-reduced feature vectors of all nodes. That is, dimensionality reduction is performed on the central node and all evidence nodes in the heterogeneous evidence graph for each user. The feature vector of the dimensionality-reduced central node in the same heterogeneous evidence graph is concatenated with the feature vectors of adjacent dimensionality-reduced evidence nodes to obtain all concatenated vectors. All concatenated vectors are input into Q parallel attention heads, where Q is set to 4, but can be adjusted according to actual conditions. Each attention head has independent trainable parameters, such as a co-occurrence weight matrix and a bias term. The bias term refers to the initial weight of the directed edge between the central node and the evidence node. Therefore, the attention coefficient of each concatenated vector is calculated by each attention head, and the attention coefficients calculated for each attention are saved for subsequent generation of evidence contribution heatmaps to assist staff in analysis. The specific calculation method of the attention coefficients is as follows: ; in, This represents the attention coefficient corresponding to the concatenated vector of the feature vector of the center node n after dimensionality reduction and the feature vector of the adjacent evidence node g after dimensionality reduction. This represents the concatenated vector of the eigenvector of the center node n after dimensionality reduction and the eigenvector of the adjacent evidence node g after dimensionality reduction. This represents the activation function of a leaky linear rectified circuit. This represents the transpose of the trainable attention vectors of the first-layer graph attention network. This represents the center node n after dimensionality reduction. The evidence node g after dimensionality reduction, The central node n after dimensionality reduction is represented by... The initial edge weights of the directed edges between the evidence nodes g after dimensionality reduction. Represents an exponential function. This represents the set of all evidence nodes adjacent to the central node n; All attention coefficients calculated under the same attention head are weighted and aggregated with their corresponding concatenated vectors to obtain the aggregated feature vector for each attention head. All aggregated feature vectors in the same heterogeneous evidence graph are then concatenated a second time, and a linear transformation is applied to the concatenated aggregated feature vector. The linearly transformed aggregated feature vector is used as the fusion feature vector of the corresponding dimensionality-reduced center node. The fusion feature vector of each center node is merged with the dimensionality-reduced feature vector through residual connections, and the merged fusion feature vector of each center node is normalized using a LayerNorm layer. This yields the updated feature vector of each center node output by the first-layer graph attention network. The output of the first-layer graph attention network and the corresponding dimensionality-reduced evidence node feature vector in the first-layer graph attention network are used as the input to the second-layer graph attention network. The second-layer graph attention network repeatedly performs the update operation of the first-layer graph attention network, i.e., it repeatedly performs: dimensionality reduction, first concatenation, weighted aggregation, second concatenation, linear transformation, merging, and normalization. This yields the updated feature vector of each central node output by the second-layer graph attention network, which is then input into two connection layers and activated by the Sigmoid algorithm to output the final risk prediction probability and corresponding prediction confidence for each user.
[0058] S5. Based on the fraud risk list, perform risk prevention and control and generate risk prevention and control feedback data. Based on the risk prevention and control feedback data, perform reverse optimization on the channel risk assessment model, the Gaussian mixture model, the GBDT risk evaluator, the rule evaluator, and the heterogeneous evidence graph of each user to achieve dynamic risk prevention and control.
[0059] In this embodiment, as Figure 2 As shown, risk prevention and control are carried out based on the list of suspected fraud, and risk prevention and control feedback data is generated. Based on this feedback data, the channel risk assessment model in step S1, the Gaussian mixture model in step S2, the GBDT risk evaluator and rule evaluator in step S3, and the heterogeneous evidence graph in step S4 are reverse-optimized. The risk prevention and control feedback data includes users' actual suspected fraud labels and early warning decision results. Users' actual suspected fraud labels refer to whether the user's account opening number is a suspected fraud number and whether the account opening channel is a suspected fraud channel. Early warning decision results refer to the actual risk prevention and control measures implemented and their feedback results.
[0060] The specific steps of reverse optimization are as follows: (1) Construct a multi-task loss function: ; in, This represents the total predicted loss. Indicates the predicted risk of loss. Indicates consistency loss. Indicating a loss of fairness, Indicates the loss of decision value. Regarding the balance coefficient for risk prediction loss, This represents the balance coefficient regarding consistency loss. This represents the balance coefficient regarding the loss of fairness. Among them, the risk prediction loss is calculated by binary cross-entropy based on the user's final risk prediction probability and the actual fraud-related label; the consistency loss is calculated based on the difference between the probability vector of each user belonging to each potential fraud scenario and the historical fraud-related baseline rate of each potential fraud scenario, and the regularization term of the probability distribution entropy is added; the fairness loss is calculated based on the mean square error of the warning rate between different potential fraud scenarios; and the decision value loss is calculated based on the utility gap between the comprehensive risk assessment result of users in the high-risk fraud risk list and the ideal optimal decision.
[0061] (2) Hierarchical parameter update: High-frequency fine-tuning: On a daily basis, gradient updates are performed on the trainable parameters in the two-layer graph attention network and the prediction confidence in the comprehensive risk assessment formula based on the multi-task loss function; Mid-frequency iteration: On a weekly basis, based on the accumulated risk prevention and control feedback data, the Gaussian mixture model, the gradient boosting decision tree model in the GBDT risk assessor, and the heterogeneous evidence graph for each user are retrained and constructed to perform new evidence fusion and conflict elimination. Low-frequency element optimization: On a monthly or quarterly basis, optimize the balance coefficient in the multi-task loss function, the social harm urgency coefficient in the comprehensive risk assessment formula, the preset range of scenarios and the number of potential fraud scenarios in the Gaussian mixture model, and the triggering conditions and preset risk values of fraud-related behavior rules in the rule evaluator.
[0062] (3) Enhanced channel risk feedback: The user's real fraud-related labels confirmed in the risk prevention and control feedback data are collected according to their card opening channels. The month-on-month growth rate of the key factor on which the dynamic correction factor in the channel risk assessment model depends is updated, and the updated dynamic channel risk score of the card opening channel is generated. This score is then used as an input feature and injected into the risk profile feature generation process in the next training cycle, forming a collaborative optimization closed loop between the channel risk assessment results and the risk profile features.
[0063] Example 2 Please refer to Figure 4The present invention provides a fraud risk prevention and control system 1, including a memory 3, a processor 2, and a computer program stored on the memory 3 and capable of running on the processor 2. When the processor 2 executes the computer program, it implements the steps in Embodiment 1.
[0064] Since the systems / devices described in the above embodiments of the present invention are systems / devices used to implement the methods of the above embodiments of the present invention, those skilled in the art can understand the specific structure and modifications of the systems / devices based on the methods described in the above embodiments of the present invention, and therefore will not be repeated here. All systems / devices used in the methods of the above embodiments of the present invention fall within the scope of protection of the present invention.
[0065] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0066] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, as well as combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions.
[0067] It should be noted that any reference numerals placed between parentheses in the claims should not be construed as limiting the claims. The word "comprising" does not exclude the presence of components or steps not listed in the claims. The word "a" or "an" preceding a component does not exclude the presence of a plurality of such components. The invention can be implemented by means of hardware comprising several different components and by means of a suitably programmed computer. In claims that enumerate several means, several of these means may be embodied by the same hardware. The use of the terms first, second, third, etc., is merely for convenience of expression and does not indicate any order. These terms can be understood as part of the component names.
[0068] Furthermore, it should be noted that in the description of this specification, the terms "one embodiment," "some embodiments," "embodiment," "example," "specific example," or "some examples," etc., refer to specific features, structures, materials, or characteristics described in connection with that embodiment or example, which are included in at least one embodiment or example of the present invention. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples. Furthermore, without contradiction, those skilled in the art can combine and integrate the different embodiments or examples described in this specification, as well as the features of different embodiments or examples.
[0069] Although preferred embodiments of the invention have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the claims should be interpreted to include both the preferred embodiments and all changes and modifications falling within the scope of the invention.
[0070] Obviously, those skilled in the art can make various modifications and variations to this invention without departing from its spirit and scope. Therefore, if these modifications and variations fall within the scope of the claims of this invention and their equivalents, then this invention should also include these modifications and variations.
Claims
1. A method for preventing and controlling fraud risks, characterized in that, include: Acquire multi-source heterogeneous data of all users, perform feature engineering on the multi-source heterogeneous data to generate individual feature vectors for each user, and simultaneously input the multi-source heterogeneous data into a pre-trained channel risk assessment model to perform channel risk scoring to generate channel risk assessment results for each user. Concatenate the channel risk assessment results of each user with the corresponding individual feature vectors to obtain risk profile features for all users. All users' risk profile features are input into a Gaussian mixture model for unsupervised clustering. The Gaussian mixture model uses the Bayesian information criterion to adaptively determine the optimal number of potential fraud scenarios K within a preset range of scenario numbers, so as to obtain K potential fraud scenarios and the probability vector of each user belonging to each potential fraud scenario. The system acquires real-time communication data of all users, generates real-time context feature vectors for all users based on the real-time communication data, inputs the real-time context feature vectors of all users, risk profile features, and probability vectors of each user belonging to each potential fraud scenario into the GBDT risk assessor to conduct fraud risk assessment, and obtains the first fraud risk assessment result for all users. At the same time, the system inputs the risk profile features of all users into the rule assessor to conduct fraud risk assessment, and obtains the second fraud risk assessment result for all users. The first and second fraud risk assessment results of each user are combined with the corresponding risk profile features to construct a heterogeneous evidence graph for each user. Fraud inference is performed on the heterogeneous evidence graph of each user to output the final fraud risk prediction probability of each user. A list of fraud risks is generated based on the final fraud risk prediction probabilities of all users. Risk prevention and control are carried out based on the fraud risk list and risk prevention and control feedback data is generated. Based on the risk prevention and control feedback data, the channel risk assessment model, the Gaussian mixture model, the GBDT risk evaluator, the rule evaluator, and the heterogeneous evidence graph of each user are reverse optimized to achieve dynamic risk prevention and control.
2. The method for preventing and controlling fraud risks as described in claim 1, characterized in that, The multi-source heterogeneous data includes historical communication data. This multi-source heterogeneous data is then input into a pre-trained channel risk assessment model to perform channel risk scoring, generating a channel risk assessment result for each user, including: Historical card activation data is obtained from the historical communication data, and all card activation channels are obtained based on the historical card activation data. Each card activation channel is evaluated according to M indicators under N preset dimensions to obtain the evaluation results of M indicators for each card activation channel. For each card-opening channel, the evaluation results of each indicator in each dimension are processed by extreme value normalization to obtain the individual risk score of each card-opening channel for each indicator. Based on the evaluation results of all card opening channels on the same indicator, the information entropy of each indicator is calculated, and the distribution weight of each indicator is calculated according to the information entropy of each indicator. The distribution weight of each indicator is combined with the preset expert weight to generate the indicator weight of each indicator. The static channel risk score for each card opening channel is obtained by weighting and summing the individual risk score for each indicator for each channel with the corresponding indicator weight. Extract the month-on-month growth rate of key factors within a first preset time window from the evaluation results of M indicators for each card opening channel, and calculate the dynamic correction factor for each card opening channel based on the month-on-month growth rate of key factors. Dynamically correct the corresponding static channel risk score according to the dynamic correction factor of each card opening channel to obtain the dynamic channel risk score for each card opening channel. Assign the dynamic channel risk score of each card opening channel to each user under the corresponding card opening channel to generate the channel risk assessment result for each user. The month-on-month growth rate of key factors includes the month-on-month growth rate of card opening numbers marked as fraudulent in the card opening channel and the month-on-month growth rate of card opening numbers marked as high-risk warning in the card opening channel.
3. The method for preventing and controlling fraud risks as described in claim 1, characterized in that, The process of obtaining the probability vector for each user belonging to each potential fraud scenario includes: The triggering conditions of each scenario attribution rule are obtained from the preset scenario attribution rule library. The risk profile features of each user are matched with the triggering conditions of each scenario attribution rule one by one. If a match is successful, the successfully matched scenario attribution rule and the successfully matched user are obtained. The probability vector corresponding to the successfully matched user is probability corrected according to the attribution strength of the successfully matched scenario attribution rule to obtain the probability corrected probability vector.
4. The method for preventing and controlling fraud risks as described in claim 1, characterized in that, The step of generating real-time context feature vectors for all users based on the real-time communication data includes: The call records of each user within the second preset time window are extracted from the real-time communication data. The average number of calls and the standard deviation of the number of calls for each user are calculated based on the call records. At the same time, the total number of calls for each user within the third preset time window is counted based on the call records. The total number of calls for each user within the third preset time window, the average number of calls for each user, and the standard deviation of the number of calls for each user are input into the call anomaly formula to calculate the call anomaly index, thus obtaining the call anomaly index for each user. Extract the first signaling trajectory of each user within the third preset time window and the second signaling trajectory within the fourth preset time window from the real-time communication data. Obtain the permanent base station of each user within the third preset time window based on the first signaling trajectory. At the same time, obtain the current base station of each user within the fourth preset time window based on the second signaling trajectory. Input the current base station of each user within the fourth preset time window and the permanent base station of each user within the third preset time window into the geographic displacement anomaly formula to calculate the geographic displacement anomaly index and obtain the geographic displacement anomaly index of each user. Extract each user's new contact records within the third preset time window from the real-time communication data, and count the total number of new contacts for each user within the third preset time window based on the new contact records. Match each user's new contact records within the third preset time window with each user's call records within the second preset time window, filter out new contacts without call records, and count the number of new contacts to obtain the number of contacts without records for each user. Input the total number of new contacts for each user within the third preset time window and the corresponding number of contacts without records into the interaction anomaly formula to calculate the interaction anomaly index for each user. Each user's real-time contextual feature vector is generated based on their call anomaly index, displacement anomaly index, and interaction anomaly index.
5. The method for preventing and controlling fraud risks as described in claim 1, characterized in that, The GBDT risk assessor includes a parametric attention gating network and a gradient boosting decision tree model. The step of inputting all users' real-time contextual feature vectors, risk profile features, and the probability vector of each user belonging to each potential fraud scenario into the GBDT risk assessor for fraud risk assessment includes: The probability vector of each user belonging to each potential fraud scenario is concatenated with the corresponding real-time context feature vector to obtain the concatenated vector of each user. The concatenated vector of each user is then input into a parameterized attention gating network to output attention weights with the same dimension as the risk profile features of each user. The attention weights are then multiplied element-wise with the corresponding risk profile features to obtain the weighted feature vector of each user. The weighted feature vector of each user is input into the gradient boosting decision tree model to assess the risk of fraud, thereby generating the first risk assessment result of fraud for each user.
6. The method for preventing and controlling fraud risks as described in claim 1, characterized in that, The simultaneous input of all users' risk profile characteristics into the rule evaluator for fraud risk assessment includes: The system retrieves the triggering conditions for each fraudulent behavior rule from a pre-defined database of fraudulent behavior rules. It then matches each user's risk profile characteristics with the triggering conditions of each fraudulent behavior rule one by one. If a match is successful, it retrieves the preset risk value of the successfully matched fraudulent behavior rule and aggregates the preset risk values of all successfully matched fraudulent behavior rules for the same user to generate a second fraudulent risk assessment result for each user.
7. The method for preventing and controlling fraud risks as described in claim 1, characterized in that, The process involves combining each user's first and second fraud risk assessment results with corresponding risk profile features to construct a heterogeneous evidence graph for each user. Fraud inference is then performed on each user's heterogeneous evidence graph to output the final fraud risk prediction probability for each user. Finally, a fraud risk list is generated based on the final fraud risk prediction probabilities of all users, including: Each user is treated as an independent central node, and the risk profile features, the first fraud risk assessment result, and the second fraud analysis assessment result of each user are used as evidence nodes for the corresponding central node. A directed edge is established between each central node and each corresponding evidence node. A heterogeneous evidence graph for each user is constructed based on the central node, the corresponding evidence node, and the corresponding directed edge. By using a two-layer graph attention network to perform fraud-related reasoning on the heterogeneous evidence graph of each user, evidence fusion and conflict elimination are achieved, so as to output the final risk prediction probability and corresponding prediction confidence of each user. The final risk prediction probability and the corresponding prediction confidence of each user are input into the comprehensive risk assessment formula for calculation to obtain the comprehensive risk assessment result of each user. Based on the comprehensive risk assessment result, all users are sorted in descending order to obtain the comprehensive risk assessment result sequence after descending order. Under multi-objective constraints, a greedy algorithm is used to traverse the descending-ordered sequence of comprehensive risk assessment results to filter out users who meet the multi-objective constraints and generate a fraud risk list, wherein the multi-objective constraints are: ; in, This represents the i-th user in the sequence of comprehensive risk assessment results after descending order. This indicates the total daily warning quota. This represents the lower limit of the number of warnings for the k-th fraud scenario out of K potential fraud scenarios within the t-th period. This represents the upper limit of the number of warnings for the k-th fraud scenario out of K potential fraud scenarios within the t-th period. Let represent the probability vector that the i-th user belongs to the k-th potential fraud scenario out of K potential fraud scenarios. This represents the maximum daily processing capacity of the c-th disposal channel. The i-th user is assigned to the c-th processing channel.
8. A method for preventing and controlling fraud risks as described in claim 7, characterized in that, The process of using a two-layer graph attention network to perform fraud-related reasoning on the heterogeneous evidence graphs of each user, achieving evidence fusion and conflict elimination, and outputting the final risk prediction probability and corresponding prediction confidence for each user includes: The first-layer graph attention network performs dimensionality reduction on the feature vectors of all nodes in the heterogeneous evidence graph of each user through a trainable shared weight matrix, resulting in the corresponding dimensionality-reduced feature vectors of all nodes, including the center node and the evidence node. The feature vector of the central node after dimensionality reduction in the same heterogeneous evidence graph is concatenated with the feature vector of the adjacent dimensionality-reduced evidence nodes to obtain all concatenated vectors. All concatenated vectors are then input into Q parallel attention heads, so that each attention head independently calculates the attention coefficient of each concatenated vector. All attention coefficients calculated under the same attention head are weighted and aggregated with the corresponding concatenated vector to obtain the aggregated feature vector under each attention head. All aggregated feature vectors in the same heterogeneous evidence graph are concatenated a second time to obtain concatenated aggregated feature vectors. Then, a linear transformation is performed on the concatenated aggregated feature vectors to obtain linearly transformed aggregated feature vectors. The linearly transformed aggregated feature vectors are used as the fusion feature vectors of the corresponding dimensionality-reduced center nodes. The fused feature vector of each central node is merged with the dimensionality-reduced feature vector through residual connections to obtain the merged fused feature vector of each central node. The merged fused feature vector of each central node is then normalized through the LayerNorm layer to obtain the updated feature vector of each central node output by the first layer graph attention network. The updated feature vector of each central node output by the first layer graph attention network and the feature vector of the corresponding dimensionality-reduced evidence node in the first layer graph attention network are used as input to the second layer graph attention network. The second layer graph attention network repeatedly executes the update operation of the first layer graph attention network to obtain the updated feature vector of each central node output by the second layer graph attention network. The update operation includes dimensionality reduction, first concatenation, weighted aggregation, second concatenation, linear transformation, merging and normalization. The updated feature vectors of each central node output by the second-layer graph attention network are input into the first fully connected layer and activated by the first sigmoid function to obtain the final risk prediction probability for each user. At the same time, the updated feature vectors of each central node output by the second-layer graph attention network are input into the second fully connected layer and activated by the second sigmoid function to output the prediction confidence corresponding to the final risk prediction probability for each user.
9. A fraud risk prevention and control system, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the computer program, it implements the method as described in any one of claims 1 to 8.