Abnormal user identification method and apparatus, device, and medium
By using segmented scoring functions and decay functions to quantitatively evaluate user behavior characteristics in internet business scenarios, the problems of data dependence and static evaluation mode in existing technologies are solved, and efficient, accurate and dynamic risk quantification of abnormal users is achieved.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: GUANGZHOU OVERSEAS KANGBAZI NETWORK TECHNOLOGY CO LTD
- Filing Date: 2026-03-23
- Publication Date: 2026-06-19
AI Technical Summary
Existing technologies struggle to achieve efficient and accurate dynamic risk quantification assessment of user behavior in internet business scenarios. Limited by the reliance on labeled data and static assessment models, the model iteration cycle is long and the assessment results cannot accurately reflect the user's real-time risk status.
By acquiring behavioral feature data of target users, using a segmented scoring function to quantify positive and negative features, combining a preset decay function to perform exponential decay calculation, and fusing rating feature scores to identify abnormal users, a rapid risk assessment can be achieved without labeling data to train model parameters.
It enables efficient and accurate dynamic risk quantification assessment of abnormal users in Internet business scenarios, reduces data dependence, shortens the model iteration cycle, and can dynamically reflect the real-time risk status of users.
Figure CN122241526A_ABST
Description
Technical Field
[0001] This application relates to the field of internet risk control technology, and in particular to an abnormal user identification method, apparatus, device, and medium thereof.
Background Technology
[0002] In internet business scenarios, abnormal user identification is a key link in ensuring business security, which usually requires risk quantification assessment of user behavior to identify potential risky users.
[0003] Existing technologies typically employ supervised learning-based scorecard models or machine learning models for risk assessment. These methods require the prior collection of large amounts of labeled historical data to train model parameters and the calculation of risk scores through static feature mapping relationships.
[0004] However, when faced with complex and ever-changing business scenarios, existing technologies, due to their high reliance on labeled data and relatively static evaluation models, struggle to cope with internet business scenarios where labeled data is scarce and user behavior is dynamically changing. This results in long model iteration cycles and risk assessment results that fail to accurately reflect the user's real-time risk status.
[0005] In summary, existing technologies, in the process of identifying abnormal users, are limited by their reliance on labeled data and the limitations of static evaluation models, making it difficult to achieve efficient and accurate dynamic risk quantification assessment of user behavior in internet business scenarios.
Summary of the Invention
[0006] The purpose of this application is to solve the above-mentioned problems by providing an abnormal user identification method, apparatus, device, and medium.
[0007] According to one aspect of this application, an abnormal user identification method is provided, comprising the following steps:
acquiring behavioral characteristic data of a target user in a business scenario, the behavioral characteristic data including positive characteristics, negative characteristics, and rating characteristics;
quantizing the positive and negative characteristics according to a preset segmented scoring function to obtain initial feature scores;
performing exponential decay calculation on the initial feature scores according to a preset decay function to obtain a cumulative feature score, the decay function being configured such that the older an initial feature score is, the smaller its contribution to the cumulative feature score;
calculating a baseline score of the target user based on the rating characteristics, and fusing the baseline score and the cumulative feature score into a risk quantification assessment value used to identify whether the target user is an abnormal user.
[0008] According to another aspect of this application, an abnormal user identification device is provided, comprising:
a behavior feature acquisition module, used to acquire the behavioral feature data of the target user in the business scenario, the behavioral feature data including positive features, negative features, and rating features;
a segmented scoring and quantization module, used to quantize the positive and negative features according to a preset segmented scoring function to obtain initial feature scores;
a time decay accumulation module, used to perform exponential decay calculation on the initial feature scores according to a preset decay function to obtain the cumulative feature score, the decay function being configured such that the older an initial feature score is, the smaller its contribution to the cumulative feature score;
a risk fusion assessment module, used to calculate the baseline score of the target user based on the rating features, and to fuse the baseline score and the cumulative feature score into a risk quantification assessment value, which is used to identify whether the target user is an abnormal user.
[0009] According to another aspect of this application, an electronic device is provided, including a central processing unit and a memory, wherein the central processing unit is configured to invoke and run a computer program stored in the memory to perform the steps of the abnormal user identification method described in this application.
[0010] According to another aspect of this application, a non-volatile readable storage medium is provided, which stores, in the form of computer-readable instructions, a computer program implementing the aforementioned abnormal user identification method, wherein the computer program, when invoked by a computer, performs the steps included in the method.
[0011] Compared to existing technologies, this application directly quantifies positive and negative features by configuring a preset segmented scoring function, eliminating the need to train model parameters based on labeled data, thus reducing data dependence and shortening the model iteration cycle. It introduces a decay function to exponentially decay the initial feature scores to obtain cumulative feature scores, ensuring that older behaviors contribute less, dynamically reflecting the user's real-time risk status. At the same time, it calculates a baseline score based on the rating features and merges it with the cumulative feature scores to obtain a risk quantification assessment value, achieving a balance between the user's basic risk level and dynamic behavioral risk. This enables efficient and accurate dynamic risk quantification assessment of abnormal users in internet business scenarios.
Attached Figure Description
[0012] Figure 1 is an exemplary network architecture suitable for applying the abnormal user identification method of this application; Figure 2 is a flowchart illustrating one embodiment of the abnormal user identification method of this application; Figure 3 is a schematic block diagram of the abnormal user identification device of this application; Figure 4 is a schematic diagram of the structure of an electronic device used in this application.
Detailed Implementation
[0013] The embodiments of this application are described in detail below. Examples of these embodiments are shown in the accompanying drawings, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and are only used to explain this application, and should not be construed as limiting this application.
[0014] Those skilled in the art will understand that, unless specifically stated otherwise, the singular forms “a,” “an,” and “the” used herein may also include the plural forms. It should be further understood that the term “comprising” as used in this application means the presence of the stated features, integers, steps, operations, elements, and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It should be understood that when an element is said to be “connected” or “coupled” to another element, it can be directly connected or coupled to the other element, or there may be intermediate elements. Furthermore, “connected” or “coupled” as used herein can include wireless connections or wireless coupling. The term “and/or” as used herein includes all or any units and all combinations of one or more associated listed items.
[0015] Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art to which this application pertains. It should also be understood that terms such as those defined in general dictionaries should be understood to have the same meaning as in the context of the prior art, and should not be interpreted in an idealized or overly formal sense unless specifically defined as herein.
[0016] Those skilled in the art will understand that the terms "client," "terminal," and "terminal device" as used herein include both devices that only have wireless signal receiving capability without transmitting capability, and devices with receiving and transmitting hardware capable of bidirectional communication over a bidirectional communication link. Such devices may include: cellular or other communication devices, such as personal computers or tablets, with a single-line display or a multi-line display, or cellular or other communication devices without a multi-line display; PCS (Personal Communications Service) devices that can combine voice, data processing, fax, and/or data communication capabilities; PDAs (Personal Digital Assistants) that may include radio frequency receivers, pagers, internet/intranet access, web browsers, notepads, calendars, and/or GPS (Global Positioning System) receivers; and conventional laptops and/or handheld computers or other devices that have and/or include radio frequency receivers. As used herein, a "client," "terminal," or "terminal device" can be portable, transportable, installed in a means of transportation (air, sea, and/or land), or suitable and/or configured to operate locally and/or in a distributed manner at any other location on Earth and/or in space. A "client," "terminal," or "terminal device" as used herein can also be a communication terminal, an internet access terminal, or a music/video playback terminal, such as a PDA, a MID (Mobile Internet Device), and/or a mobile phone with music/video playback capabilities, or a smart TV, set-top box, etc.
[0017] The hardware referred to by the names "server," "client," and "service node" in this application is essentially an electronic device with the equivalent capabilities of a personal computer. It is a hardware device with the necessary components revealed by the von Neumann architecture, such as a central processing unit (including an arithmetic logic unit and a control unit), memory, input devices, and output devices. The computer program is stored in its memory, and the central processing unit loads the program stored in the secondary storage into the main memory to run it, execute the instructions in the program, and interact with the input and output devices to complete specific functions.
[0018] It should be noted that the concept of "server" used in this application can also be extended to apply to server clusters. Based on network deployment principles as understood by those skilled in the art, the servers should be logically divided; physically, these servers can be independent yet accessible through interfaces, or they can be integrated into a single physical computer or a computer cluster. Those skilled in the art should understand this flexibility and should not use it to constrain the implementation of the network deployment method described in this application.
[0019] One or more of the technical features of this application, unless explicitly specified herein, can be deployed on a server and accessed by a client remotely calling the online service interface provided by the server, or can be directly deployed and run on a client for access.
[0020] Unless otherwise specified, all data involved in this application may be stored remotely on a server or on a local terminal device, as long as it is suitable for use by the technical solution of this application.
[0021] Those skilled in the art will understand that although the various methods in this application are described based on the same concept and thus present commonality among them, they can be performed independently unless otherwise specified. Similarly, the various embodiments disclosed in this application are all based on the same inventive concept; therefore, concepts expressed in the same way, as well as concepts that are appropriately changed for convenience but are expressed differently, should be understood equivalently.
[0022] Unless otherwise expressly stated, the various embodiments disclosed in this application can be combined in a cross-cutting manner to flexibly construct new embodiments, as long as such combination does not depart from the inventive spirit of this application and can meet the needs of the prior art or solve a certain deficiency in the prior art. Those skilled in the art should be aware of such modifications.
[0023] To facilitate understanding of the various embodiments of this application, exemplary network architectures and application scenarios will be introduced first.
[0024] As shown in Figure 1, the network architecture of this application aims to build an abnormal user identification system based on time decay and a segmented penalty mechanism. The network architecture includes a client 80 and a server 81, wherein the client 80 and the server 81 are connected via the Internet.
[0025] Specifically, client 80 responds to the target user's business operations, generating behavioral feature data; server 81 acquires the target user's behavioral feature data in the business scenario, and quantifies the acquired positive and negative features according to a preset segmented scoring function to obtain initial feature scores; server 81 performs exponential decay calculation on the initial feature scores according to a preset decay function to obtain cumulative feature scores; server 81 calculates the target user's baseline score based on the rating features, and merges the baseline score with the cumulative feature scores into a risk quantification assessment value; server 81 uses the risk quantification assessment value to identify whether the target user is an abnormal user.
[0026] Accordingly, server 81 directly quantifies risk through a preset segmented scoring function and segmented penalty logic, without relying on a large number of labeled black market samples for model training; server 81 can quickly respond to gray and black market variations by adjusting the parameters of the scoring function or decay function, without retraining the model, thus achieving rapid response in risk identification; server 81 uses exponential decay calculation to ensure that the risk assessment value accurately reflects the user's current real-time risk status; server 81 fuses the baseline score and the cumulative feature score, both retaining the baseline score as a long-term risk bound and reflecting short-term behavioral fluctuations, achieving a more comprehensive identification of abnormal users.
[0027] In an exemplary application scenario, the abnormal user identification method of this application can be applied to the abnormal user identification process in various Internet business scenarios. The following uses a social game application scenario (such as multi-person voice parties, interactive casual game communities, etc.) as an example for illustration.
[0028] In social gaming applications, a large number of legitimate players engage in activities such as game matchmaking, voice chat, and virtual gift-giving. Simultaneously, gray-market groups use scripts to simulate these actions in bulk, aiming to acquire game currency, maliciously divert users, manipulate rankings at low cost, or disrupt game fairness. In this scenario, client 80 is deployed on the user's terminal, responding to the target user's social and gaming actions and generating behavioral data in real time; server 81 is deployed in the cloud or data center, serving as the entity responsible for risk quantification and assessment.
[0029] Specifically, server 81 receives the behavioral characteristic data reported by client 80. To identify disguised positive features, server 81 uses the segmented scoring function to quantify features that are normally regarded as positive, such as daily game match counts and voice chat interaction counts. When a player's interaction frequency is within the normal range, server 81 gives a positive score to reflect player engagement. However, when it detects an account entering and leaving different game rooms extremely frequently within a short period, or an abnormal surge of low-value gifts sent at second-level frequency, server 81 automatically triggers the segmented penalty logic without waiting for manual intervention and directly converts this extreme "positive feature" into a negative score, thus accurately identifying bot scripts disguised as "highly active players." Regarding the temporal dynamics of game behavior, server 81 uses the decay function to process historical interaction data. For example, if a player occasionally disconnected a week ago because of network fluctuations and received a negative "passive play" complaint feature, the exponential decay calculation performed by server 81 makes the contribution of that week-old negative feature to the current risk assessment approach zero, with an impact far lower than that of a violation committed today. This ensures that the assessment results focus on the player's current real-time social and gaming status and avoids wrongly penalizing normal players over the long term. Regarding the risk accumulation of high-risk game accounts, if a target user has engaged in egregious behavior such as using game cheats or committing serious violations in voice chat, triggering the corresponding rating features, server 81 will calculate and lock an extremely low baseline score for them. Even if the black market account subsequently stops cheating and "silently AFKs," causing its short-term accumulated negative feature score to decay to zero over time, its overall risk quantification assessment value will remain firmly in the high-risk range because of its low underlying baseline score, completely preventing black market accounts from attempting to whitewash their risk through "AFK farming." Based on the final fused risk quantification assessment value, server 81 decides whether to take action against the target user, such as interrupting game matchmaking, restricting voice permissions, requiring facial verification via pop-up windows, or directly banning the account.
[0030] Accordingly, in this application scenario, this application can block new types of gold farming and traffic-driving plug-ins in seconds without waiting for time-consuming manual labeling of black market samples; at the same time, it can accurately distinguish between real highly active players and fake bot accounts, and continuously suppress long-term high-risk users, effectively ensuring the competitive fairness and content ecosystem security of social gaming platforms.
[0031] The network architecture and application scenarios described above give a better understanding of how the abnormal user identification method of this application is applied in the field of internet risk control technology. Specific embodiments of this application are described in detail below on the basis of these exemplary contents.
[0032] As shown in Figure 2, in one embodiment, the abnormal user identification method of this application includes:
Step S5100: Obtain the behavioral characteristic data of the target user in the business scenario. The behavioral characteristic data includes positive characteristics, negative characteristics, and rating characteristics.
[0033] The client responds to the target user's business operations, generates behavioral feature data, and sends the behavioral feature data to the server via the Internet; the server receives the behavioral feature data and parses it to obtain positive features, negative features, and rating features.
[0034] The business scenario can be a social game scenario that includes multimedia interaction and virtual transactions.
[0035] Behavioral feature data can be used as behavioral indicators of target users in business scenarios. Positive features can represent behavioral indicators that have a positive impact on business scenarios, such as the number of user activities, payment amount, or login frequency. Negative features can represent behavioral indicators that have a negative impact on business scenarios, such as the number of user refunds, complaints, or abnormal aggregations. Rating features can represent behavioral indicators used to determine the benchmark score for risk quantification assessment, such as the user's historical violation records, real-name authentication status, or account credit rating.
[0036] The server can receive behavior logs reported by clients through application programming interfaces or log collection agents, and preprocess the behavior logs, including data cleaning, format standardization, and outlier filtering.
[0037] The server can classify preprocessed behavioral indicators into positive features, negative features, and rating features based on a preset feature configuration table. For example, in a social interaction scenario, the server can configure the number of likes per unit time as a positive feature, the number of reports per unit time as a negative feature, and whether the account has been banned as a rating feature.
[0038] The server can extract the feature values of each feature and store the feature values and their feature types in memory or a database.
[0039] The acquisition of behavioral feature data is not limited to client-initiated reporting; it can also be achieved by the server actively polling the client's status or by synchronously acquiring data from a third-party data platform.
[0040] The specific types of positive features, negative features, and rating features can be configured and adjusted according to the needs of specific business scenarios. For example, in online transaction scenarios, the transaction success rate can be configured as a positive feature, and the chargeback rate can be configured as a negative feature.
[0041] Step S5200: Quantize the positive and negative features according to the preset segmented scoring function to obtain the initial feature scores.
[0042] The server reads the positive and negative feature values from the behavioral feature data, inputs them into the segmented scoring function, and outputs an initial feature score that represents the degree of contribution of feature risk through function calculation.
[0043] A piecewise scoring function can be a mapping relationship built based on rules or statistical distributions, used to convert feature values into standardized scores. Unlike traditional models that require training weights using labeled data, the parameters of a piecewise scoring function can be directly determined based on business rules or feature statistical distributions. Positive features refer to behavioral indicators where larger feature values represent lower risk or more positive contributions, while negative features refer to behavioral indicators where larger feature values represent higher risk or more negative contributions. The aim is to achieve differentiated quantification of features of different natures without relying on large amounts of labeled data for training, providing basic data support for subsequent risk assessment.
[0044] The specific mathematical form of the piecewise scoring function can be a piecewise function modified from the Sigmoid function, or other monotonic or nonlinear functions with similar piecewise properties. The specific values of the parameters can be set based on the historical data statistical distribution of the business scenario or expert experience rules.
[0045] Step S5300: Perform exponential decay calculation on the initial feature score according to the preset decay function to obtain the cumulative feature score. The decay function is configured such that the earlier the initial feature score is, the smaller its contribution to the cumulative feature score.
[0046] The server performs exponential decay calculations on the initial feature score according to a preset decay function, obtaining the decayed scores for each historical period. It then sums the initial feature score for the current period with the decayed scores from all historical periods to obtain the cumulative feature score. The decay function is configured such that the older the initial feature score, the smaller the decayed score, thus contributing less to the cumulative feature score.
[0047] User behavior risk is time-sensitive; recent behavior typically reflects a user's current risk status better than historical behavior. A decay function can be used to simulate the decrease in scores over time, reflecting the impact of time on risk assessment. The cumulative feature score characterizes the user's overall accumulated behavioral risk at the current moment. By introducing a time decay mechanism, the problem of historical risk scores dominating and causing a lag in risk assessment results is avoided, ensuring that the assessment results dynamically reflect the user's real-time risk status.
[0048] The specific mathematical form of the decay function can be an exponential decay formula, or any monotonically decreasing function under which the contribution of a score decreases over time, such as a linear decay function or a piecewise decay function.
[0049] Step S5400: Calculate the baseline score of the target user based on the rating characteristics, and merge the baseline score and the cumulative characteristic score into a risk quantification assessment value to identify whether the target user is an abnormal user.
[0050] The server calculates the baseline score of the target user based on the rating characteristics, merges the baseline score and the cumulative characteristic score into a risk quantification assessment value, and identifies whether the target user is an abnormal user based on the risk quantification assessment value.
[0051] The cumulative feature score decays over time, so the cumulative feature score of a high-risk user may return to zero and fail to reflect long-term risk. The baseline score, used to characterize a user's basic risk level, only decreases and never increases. Fusing the two scores enables a comprehensive assessment that takes into account both dynamic behavior and the long-term risk baseline.
[0052] The fusion method can be either addition or weighted summation.
[0053] The server can read the preset anomaly detection threshold and compare the risk quantification assessment value with the anomaly detection threshold. When the risk quantification assessment value is greater than or equal to the anomaly detection threshold, the server can update the target user's identification status to "normal user"; otherwise, the server can maintain the "abnormal user" status and generate an alarm log.
[0054] As can be seen from the above embodiments, this application acquires behavioral feature data including positive features, negative features, and rating features, and directly configures the parameters of the segmented scoring function based on business rules or statistical distribution to quantify positive and negative features. This eliminates the need to train model weights based on labeled data, thus reducing data dependence and supporting rapid model construction and iteration. By calculating and accumulating the initial feature scores using an exponential decay function based on time intervals, the contribution of older behaviors to the current score is minimized, achieving a dynamic reflection of the user's real-time risk status and avoiding lag in assessment results. Simultaneously, by selecting the minimum rating feature score to adjust the benchmark score and employing a locking mechanism that only decreases and never increases, the benchmark score and the accumulated feature score are merged into a risk quantification assessment value. This achieves a balance between the accumulation of the user's basic risk level and dynamic behavioral risk fluctuations, thereby realizing efficient and accurate dynamic risk quantification assessment of abnormal users in internet business scenarios.
[0055] Based on any embodiment of the method in this application, positive and negative features are quantized according to a preset segmented scoring function to obtain initial feature scores, including: Step S5210: Configure the tolerance number parameter, penalty start point parameter, and score limit parameter of the segmented scoring function.
[0056] Based on business rules or feature statistical distribution, the server sets specific values for tolerance count parameters, penalty start point parameters, and score limit parameters, and applies the configured parameters to the segmented scoring function to define the mapping relationship between feature values and initial feature scores.
[0057] The server can construct a segmented scoring function in the following form. : In the formula, This is the first segment logic. This is the second segmentation logic. For eigenvalues, The growth rate coefficient, The penalty rate coefficient, For the tolerance number parameter, To penalize the starting parameter, This is the upper limit parameter for the score. This is a penalty parameter for zero points.
[0058] The server can obtain the feature value corresponding to reaching the maximum score. And use the formula to calculate and ,in, and The calculation formula is as follows: The parameters of the segmented scoring function determine the trend and critical point of feature scores. Specifically, the tolerance number parameter defines the fluctuation range of normal behavior, the penalty start point parameter defines the trigger threshold for abnormal behavior, and the score cap parameter limits the maximum contribution of the feature to risk assessment. By directly configuring these parameters, rather than learning weights through model training, rapid model building without labeled data can be achieved, supporting flexible adjustments to business rules.
[0059] The server can configure the penalty zero-point parameter of the segmented scoring function. Based on business rules or feature statistical distribution, the specific value of the penalty zero-point parameter can be set, and the configured parameter can be applied to the segmented scoring function to define the critical point when the feature score changes from positive to negative or from negative to positive.
[0060] The server can determine parameter values based on the statistical distribution of historical behavior data. For example, the tolerance count parameter can be set to a specific quantile of the feature value distribution, the penalty start point parameter can be set to an anomaly threshold determined by business experience, and the penalty zero point parameter can be set to a feature value point where the score polarity is reversed. The parameter determination process does not require model training based on labeled data.
[0061] The server can obtain the tolerance count parameter, the penalty start point parameter, the score upper limit parameter and the penalty zero-point parameter by reading a configuration file or database.
[0062] Step S5220: When the feature values of positive and/or negative features are less than or equal to the tolerance number parameter, the initial feature score is output as zero.
[0063] The server compares the acquired feature value with the pre-configured tolerance count parameter. If the condition of less than or equal to is met, the initial feature score corresponding to that feature is directly set to zero, and the calculation of the segmented scoring function formula is skipped.
[0064] The tolerance count parameter is used to define the normal fluctuation range or noise threshold of user behavior. In real-world business scenarios, a small number of user actions, such as occasional logins or a few clicks, are usually within the normal range and should not be considered a risk signal. By setting the tolerance count parameter, the behavioral characteristic scores within this range can be set to zero, eliminating the interference of normal behavioral noise on the risk assessment results. This ensures that the initial characteristic scores only reflect significant behavioral risks that exceed the normal tolerance range, thereby improving the signal-to-noise ratio of the risk assessment.
[0065] After receiving the feature value, the server can execute conditional judgment logic. For example, the server can determine whether the feature value satisfies... If the judgment result is true, the server can assign the initial feature score to 0.
[0066] Different types of behavioral characteristics can correspond to different tolerance parameters. For example, for the login count characteristic, the server can be configured with a tolerance parameter of 5 times; for the payment count characteristic, the server can be configured with a tolerance parameter of 1 time. The server can execute the judgment logic independently for each behavioral characteristic.
[0067] Step S5230: When the feature value of the positive feature and/or negative feature is greater than the tolerance number parameter and less than the penalty start point parameter, the output is an initial feature score that approaches the upper limit parameter as the feature value increases.
[0068] The server identifies feature values within the normal accumulation range, calls the first segment logic of the segmented scoring function to calculate, and generates initial feature scores with a monotonically increasing trend and an upper limit boundary.
[0069] Between the tolerance threshold and the penalty threshold, user behavior is considered a valid risk signal, but has not yet reached the abnormal penalty threshold. Within this range, feature scores increase with the intensity of the behavior, reflecting the cumulative effect of risk or contribution. The upper limit of the score is used to prevent a single feature score from becoming too large and dominating the overall assessment result, ensuring the balance of risk assessment. For positive features, the score approaches the positive upper limit; for negative features, the score approaches the negative upper limit, thus achieving differentiated quantification of features of different natures.
[0070] The server can execute conditional judgment logic to verify whether the feature values are satisfied. If the conditions are met, the server can call the first segment logic of the segmented scoring function to calculate the initial feature score.
[0071] For positive features, the server can configure the maximum score parameter to a positive value. At this point, the calculated initial feature scores are positive and tend to approach the upper limit parameter as the feature value increases; for negative features, the server can configure the upper limit parameter to a negative value. At this point, the calculated initial feature score is negative and approaches the upper limit parameter of the score as the feature value increases.
[0072] Step S5240: When the positive feature is greater than or equal to the penalty starting point parameter, output the initial feature score that decreases as the feature value increases.
[0073] The server identifies a feature value that falls within the abnormal penalty range, calls the pre-configured penalty calculation logic, and generates an initial feature score that decreases as the feature value increases, in order to implement abnormal penalty for that feature value.
[0074] When a feature value exceeds the penalty threshold parameter, user behavior is considered abnormal or high-risk; for example, an excessively large positive feature value may indicate bot-generated traffic. Within this range, the initial feature score decreases as the intensity of the behavior increases, reflecting the penalty effect. The penalty zero-point parameter is used to define the critical point at which the polarity of the score reverses, ensuring that positive features can turn into negative scores when the anomaly is severe, thus accurately reflecting a high-risk state.
[0075] The server can execute conditional judgment logic to verify whether the feature values are satisfied. If the conditions are met, the server can call the second segment logic of the segmented scoring function to calculate the initial feature score.
[0076] In one embodiment, for a positive feature, when the feature value reaches the penalty zero-point parameter, the calculated initial feature score is 0; when the feature value is greater than the penalty zero-point parameter, the initial feature score becomes negative, thereby achieving negative penalty for the positive feature.
[0077] As can be seen from the above embodiments, this application directly configures the tolerance number parameter, penalty start point parameter, score upper limit parameter, and penalty zero point parameter of the segmented scoring function based on business rules or statistical distribution, without the need for model training based on labeled data, thus achieving the effect of reducing data dependence and supporting rapid model construction and iteration; the first segment logic and the second segment logic of the segmented scoring function respectively differentiate and quantify the normal accumulation interval and the abnormal penalty interval, especially when the positive feature value exceeds the penalty start point, the second segment logic is activated for penalty, achieving the effect of flexibly adapting to the abnormal penalty requirements of positive features and breaking through the limitations of the static evaluation mode; by filtering normal behavior noise through the tolerance number parameter and limiting the contribution of a single feature through the score upper limit parameter, the accuracy and balance of risk quantification assessment are improved, thereby achieving efficient and accurate dynamic risk quantification assessment.
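Steps S5210 to S5240 as an added example (not the applicant's code): the formulas of [0057] and [0058] did not survive on this page, so the saturating-exponential first segment, the linear second segment, the `near` fraction, the clamp at the negated cap, the treatment of negative features above the penalty start point, and every sample value except the login tolerance of 5 are assumptions.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SegmentParams:
    tolerance: float      # tolerance count parameter
    penalty_start: float  # penalty start point parameter
    penalty_zero: float   # penalty zero-point parameter
    cap: float            # score upper limit parameter (negative for negative features)
    x_max: float          # feature value treated as "reaching the maximum score"
    near: float = 0.99    # assumed: fraction of cap that counts as "reached" at x_max

    def __post_init__(self):
        if not self.tolerance < self.x_max:
            raise ValueError("x_max must lie above the tolerance count")
        if not self.tolerance < self.penalty_start < self.penalty_zero:
            raise ValueError("need tolerance < penalty_start < penalty_zero")
        if not 0.0 < self.near < 1.0:
            raise ValueError("near must be strictly between 0 and 1")

    @property
    def growth_rate(self) -> float:
        # Assumed closed form: solve cap*(1 - exp(-k*(x_max - tolerance))) = near*cap for k.
        return -math.log(1.0 - self.near) / (self.x_max - self.tolerance)

    def first_segment(self, x: float) -> float:
        # Monotone in x and bounded by cap (assumed saturating exponential).
        return self.cap * (1.0 - math.exp(-self.growth_rate * (x - self.tolerance)))

    @property
    def penalty_rate(self) -> float:
        # Assumed linear decline that is continuous at penalty_start and
        # crosses zero exactly at penalty_zero.
        return self.first_segment(self.penalty_start) / (self.penalty_zero - self.penalty_start)


def initial_feature_score(x: float, p: SegmentParams, positive: bool = True) -> float:
    # S5220: values inside the tolerance band are noise and score zero.
    if x <= p.tolerance:
        return 0.0
    # S5230: normal accumulation interval. Negative features stay on the
    # first segment for all x here (assumption; the page only describes the
    # penalty segment for positive features).
    if not positive or x < p.penalty_start:
        return p.first_segment(x)
    # S5240: abnormal penalty interval for positive features.
    score = p.first_segment(p.penalty_start) - p.penalty_rate * (x - p.penalty_start)
    # Assumed clamp so that one runaway feature cannot dominate the total.
    return max(score, -abs(p.cap))


# Constructed sample configurations.
LOGIN = SegmentParams(tolerance=5, penalty_start=50, penalty_zero=80, cap=10, x_max=40)
REPORTS = SegmentParams(tolerance=0, penalty_start=10, penalty_zero=20, cap=-20, x_max=8)

if __name__ == "__main__":
    for count in (3, 5, 10, 20, 40, 50, 60, 80, 100, 10_000):
        print(f"logins={count:>6}  score={initial_feature_score(count, LOGIN):8.3f}")
    for count in (0, 2, 5, 15):
        print(f"reports={count:>5}  score={initial_feature_score(count, REPORTS, positive=False):8.3f}")
```
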
[0078] Based on any embodiment of the method in this application, an exponential decay calculation is performed on the initial feature score according to a preset decay function to obtain a cumulative feature score, where the decay function is configured such that the earlier the initial feature score, the smaller its contribution to the cumulative feature score, including: Step S5310: Determine the time interval between the historical behavior time of the initial feature score and the current evaluation time.
[0079] The server obtains the historical behavior time corresponding to the generation of the initial feature score, obtains the current assessment time corresponding to the current risk assessment operation, calculates the difference between the historical behavior time and the current assessment time, and determines the difference as the time interval.
[0080] The server can read the historical behavior timestamps associated with the initial feature scores, obtain the current time as the current evaluation timestamp, and calculate the difference between the two timestamps.
[0081] The server can convert the difference to a standard period unit. For example, if the decay period is configured to days, the server can divide the timestamp difference by 24 hours to get the number of days. If the decay period is configured to minutes, the server can convert the timestamp difference into minutes. The server can customize the decay period based on the statistical time granularity of behavioral features, such as the initial feature score of a certain day after... After decaying to 0, the initial feature score at a certain minute granularity is processed... It decays to 0 after minutes.
[0082] Step S5320: Based on the time interval and decay function, the initial feature scores of each historical period are exponentially decayed to obtain the decayed scores of each historical period.
[0083] The server takes the time interval as an input parameter and substitutes it into the decay function to calculate the initial feature score corresponding to each historical period, generating the decayed score after time correction.
[0084] The server can determine the time interval between the historical behavior time of the initial feature score and the current evaluation time, and convert this time interval into a number of periods. Based on the number of cycles and attenuation coefficient The exponential decay formula is used to calculate the decayed score of the initial characteristic score of each historical period in the current period. The formula is as follows: In the formula, The initial feature score represents the initial feature score when the number of decay periods is 0. The decay period is The score after decay.
[0085] The server can automatically calculate the attenuation coefficient. The formula is as follows: In the formula, It is a preset positive number close to 0.
[0086] The server can configure different decay periods and decay coefficients for different dimensions of behavioral characteristics. For example, for login frequency characteristics, the server can be configured with a shorter decay period to quickly reflect recent activity changes; for violation record characteristics, the server can be configured with a longer decay period to retain long-term risk impact. After calculation, the server can store the accumulated feature scores in temporary variables or memory.
[0087] Step S5330: Sum the initial feature score of the current period with the decayed scores of each historical period to obtain the cumulative feature score.
[0088] The server obtains the newly generated initial feature scores within the current evaluation period, reads the feature scores generated in each historical period and calculates their decayed scores to the current time, adds all currently valid scores, and generates a cumulative feature score that represents the total cumulative risk of user behavior.
[0089] The cumulative feature score is the core indicator of risk assessment, representing the cumulative amount of a user's overall behavioral risk at the current moment. A score for a single period only reflects short-term behavior; by accumulating historically decayed scores, the continuity of user behavior and historical contributions can be taken into account.
[0090] After obtaining the decayed scores for each period, the server can calculate the cumulative feature score for the current period. The formula is as follows: In the formula, The number of decay cycles is represented as The score after decay over time represents the oldest historical score.
[0091] As can be seen from the above embodiments, this application determines the time interval between the historical behavior time and the current evaluation time of the initial feature score, and calculates the decayed score by exponential decay of the initial feature score of each historical period based on the time interval and decay function. This achieves the effect that the older the behavior, the smaller its contribution to the current score. By summing the initial feature score of the current period with the decayed scores of each historical period, the cumulative feature score is obtained. This achieves the effect of taking into account the continuity of user behavior and historical contribution, and dynamically reflecting the user's real-time risk status. This overcomes the limitations of the static evaluation mode and realizes efficient and accurate dynamic risk quantification evaluation.
[0092] Based on any embodiment of the method in this application, a baseline score for the target user is calculated according to the rating characteristics. The baseline score and the cumulative characteristic score are then integrated into a risk quantification assessment value to identify whether the target user is an abnormal user, including: Step S5410: Calculate the rating feature score of the rating feature according to the preset segmented scoring function.
[0093] The server obtains the feature values of the rating features, inputs them into the segmented scoring function, and outputs the rating feature score that represents the degree of risk contribution of each rating feature.
[0094] Rating features are behavioral indicators used to determine the baseline score for risk quantification assessment, such as a user's historical violation records, real-name authentication status, or account credit rating. Reusing the segmented scoring function can maintain the consistency of the assessment logic without the need to build separate models or train parameters for the rating features.
[0095] The server can obtain the feature values of the rating features and calculate the rating feature scores using a segmented scoring function. Since rating features are usually risk indicators, the server typically only uses the first segment logic of the segmented scoring function for calculation. For rating features, the server usually configures the upper limit parameter of the score to a negative value or zero, so that the calculated rating feature score is used as a deduction item from the baseline score.
[0096] Step S5420: Select the minimum value among the rating feature scores as the baseline score adjustment amount, and add the preset initial baseline score to the baseline score adjustment amount to obtain the current calculated value.
[0097] The server compares the numerical values of the multiple rating feature scores obtained from the calculation, selects the score with the smallest value as the baseline score adjustment amount, reads the pre-configured initial baseline score, adds the initial baseline score and the baseline score adjustment amount, and generates the current calculated value.
[0098] The rating feature score represents a user's basic risk level across different dimensions, and is typically configured as a negative or zero value. The minimum value is selected as the baseline score adjustment to reflect that the user's basic risk level is determined by the most severe rating feature.
[0099] The server can obtain the set of classification feature scores. ,in, This represents the number of grading features. The server can iterate through the set of grading feature scores, compare the scores, and select the minimum value as the baseline adjustment. Since the upper limit parameter for grading feature scores is usually configured as a negative value, the minimum value represents the score with the greatest risk contribution.
[0100] The server can read the preset initial baseline score, which can be configured according to the risk tolerance of the business scenario, such as 100 points, 0 points or other baseline values.
[0101] The server can add the initial baseline score to the baseline score adjustment to obtain the current calculated value.
[0102] If there is only one rating feature, the server can directly use the score of that rating feature as the baseline score adjustment amount. If all rating feature scores are zero, the server can set the baseline score adjustment amount to zero, at which point the current calculated value is equal to the initial baseline score.
[0103] Step S5430: Compare the current calculated value with the baseline score of the previous period, and select the smaller of the two as the baseline score of the current period.
[0104] The server reads the baseline score stored in the previous period, compares it with the current calculated value, and determines the smaller value as the baseline score for the current period.
[0105] The baseline score characterizes a user's basic risk level and has the characteristic of only decreasing and never increasing. The cumulative feature score decays over time, potentially causing a high-risk user's score to drop to zero, making it impossible to accumulate long-term risk. By selecting a smaller value, a one-way locking mechanism for the baseline score is implemented. Once a user's baseline score decreases due to rating features, even if the rating feature score recovers in subsequent periods, the baseline score will not automatically recover. This ensures that the historical risk records of high-risk users are accumulated long-term, preventing risk from being wiped out due to time decay.
[0106] The server can obtain the current calculated value and read the baseline score of the previous period from the database or cache. If the current period is the first evaluation period, the server can use the preset initial baseline score as the baseline score of the previous period.
[0107] The server can execute comparison logic to determine the baseline score for the current period, using the following formula: In the formula, This is the baseline score for the current period. This represents the current calculated value. This is the baseline score for the previous period.
[0108] Step S5440: Add the baseline score and cumulative feature score of the current period to obtain the risk quantification assessment value.
[0109] The server reads the baseline score and cumulative feature score for the current period, adds the two together, and generates a quantitative risk assessment value that represents the overall risk level of the target user.
[0110] The quantitative risk assessment value is the final decision-making basis for identifying abnormal users. The baseline score for the current period represents the user's long-term risk threshold, which only decreases and never increases, and is used to accumulate the historical records of high-risk users. The cumulative feature score represents the user's short-term dynamic behavioral risk, which has a time decay characteristic and is used to reflect the user's recent real-time risk status. By adding the two together, a comprehensive assessment index that includes both long-term risk memory and short-term behavioral fluctuations can be constructed.
[0111] The server can assign different weights to the baseline score and cumulative feature score for the current period before summing them. Both weights can be set to 1, essentially a direct sum; alternatively, they can be adjusted based on the importance of the business scenario. For example, if more attention is paid to long-term risk, the weight of the baseline score for the current period can be set to a value greater than the weight of the cumulative feature score.
[0112] As can be seen from the above embodiments, this application calculates the rating feature score according to a preset segmented scoring function, selects the minimum value among the rating feature scores as the baseline score adjustment amount, compares the current calculated value with the baseline score of the previous period and selects the smaller value as the baseline score of the current period, and adds the baseline score of the current period and the cumulative feature score to obtain the risk quantification assessment value. This achieves the risk accumulation effect of the baseline score only decreasing and never increasing, prevents high-risk users from having their risk scores drop to zero due to time decay, and takes into account both the long-term risk bottom line and short-term behavioral fluctuations, thereby overcoming the limitations of the static assessment model and achieving efficient and accurate dynamic risk quantification assessment.
[0113] Based on any embodiment of the method in this application, before adding the baseline score and cumulative feature score of the current period to obtain the risk quantification assessment value, the following steps are included: Step S4441: Monitor the cumulative feature scores of the target users.
[0114] After calculating the cumulative feature score for the current period, the server reads the value of that cumulative feature score.
[0115] The server can trigger monitoring actions at the end of each evaluation period or when the cumulative feature score is updated.
[0116] The monitoring can be implemented in various ways, including not only periodic reading or event-triggered reading, but also real-time judgment in real-time streaming computing.
[0117] Step S4442: When the cumulative feature score exceeds the preset positive improvement threshold, the preset transfer score is deducted from the cumulative feature score.
[0118] The server determines whether the cumulative feature score exceeds the preset positive improvement threshold. When the cumulative feature score exceeds the preset positive improvement threshold, the server deducts the preset transfer score from the cumulative feature score to obtain the updated cumulative feature score.
[0119] The cumulative feature score represents a user's short-term dynamic behavior. As a user exhibits consistently positive behavior, the cumulative feature score increases. By deducting a preset transfer score, a portion of the positive credit accumulated in the short term is transferred to the long-term baseline score. This serves two purposes: firstly, it prevents users from immediately and completely reverting to their original risk level due to short-term behavioral improvement, ensuring the continuity of positive behavior; secondly, it provides data for subsequent baseline score improvements, helping users gradually repair their historical risk records after maintaining good behavior over the long term, thus addressing the issue of a final score that cannot be recovered due to a low baseline score after behavioral improvement.
[0120] The preset transfer score can be a fixed value or a certain percentage of the accumulated feature score. For example, the server can be configured to set the preset transfer score as a certain percentage of the accumulated feature score exceeding the positive improvement threshold, or it can be configured as a fixed credit score unit. When deducting points, the server can set a lower limit for the accumulated feature score to ensure that the accumulated feature score after deduction is not lower than the preset minimum value, preventing score overflow or anomalies.
[0121] Step S4443: Add the deducted preset transfer score to the baseline score of the current period.
[0122] The server obtains the predetermined preset transfer score, reads the baseline score for the current period, and adds the preset transfer score to the baseline score for the current period to obtain the updated baseline score for the current period.
[0123] Baseline scores typically only decrease, never increase, serving to accumulate long-term risk and prevent high-risk users from automatically mitigating their risk over time. However, when a user consistently performs well, an excessively low baseline score can hinder the recovery of the risk quantification assessment, impacting the normal user experience. By transferring the pre-set transfer value of short-term accumulated positive credit to the long-term baseline score, a conditional recovery of the baseline score is achieved. This preserves the risk accumulation capability while providing users with a risk repair path, resolving the issue of a final score that cannot be recovered due to an excessively low baseline score after user behavior improves, thus balancing business security and user experience.
[0124] The server can set an upper limit for the baseline score to ensure that the updated baseline score does not exceed the preset initial baseline score.
[0125] As can be seen from the above embodiments, this application monitors the cumulative feature score of the target user. When the cumulative feature score exceeds the preset positive improvement threshold, a preset transfer score is deducted from the cumulative feature score and added to the baseline score of the current period. This achieves the effect of providing users with a risk repair path while preserving the ability to accumulate long-term risks, avoiding the inability of users to recover assessment results due to historical risk records, balancing business security and user experience, thereby overcoming the limitations of the static assessment mode and achieving efficient and accurate dynamic risk quantification assessment.
[0126] Based on any embodiment of the method in this application, after calculating the baseline score of the target user according to the rating characteristics, and merging the baseline score and the cumulative characteristic score into a risk quantification assessment value, which is used to identify whether the target user is an abnormal user, the method includes: Step S6410: When the identified abnormal user is determined to be a falsely penalized user, the cumulative feature score of the target user in the previous period is cleared to zero, and the target user's baseline score is restored to the preset initial baseline score.
[0127] After receiving a signal or instruction that the target user is a falsely penalized user, the server modifies the value of the accumulated feature score of the previous period to zero, updates the value of the baseline score to the initial baseline score, and retains the feature score generated in the current period without being affected.
[0128] Falsely penalized users refer to legitimate users who are incorrectly flagged due to assessment errors. This application's risk assessment system includes a long-term baseline score and short-term cumulative feature scores. The baseline score has a risk accumulation characteristic, while the cumulative feature scores include historical accumulation and current behavior. Completely resetting all cumulative feature scores would result in the loss of the user's true behavior information for the current period; conversely, not resetting historical accumulation would prevent the elimination of false penalties. Only the cumulative feature scores for the previous period are reset, restoring the baseline score while retaining the feature scores for the current period. This eliminates the impact of historical misjudgments while ensuring that the user's current behavior is still included in the assessment, preventing users from maliciously manipulating scores through false penalty appeals, and balancing the fairness of error correction with system security.
[0129] The server can receive signals or instructions indicating that the target user is a falsely penalized user. These signals or instructions can originate from a manual review process, a user complaint system, or an automated error correction model.
[0130] Step S6420: Based on the cumulative feature score of the previous period after clearing and the initial benchmark score, recalculate the risk quantification assessment value to re-identify whether the target user is an abnormal user.
[0131] The server reads the accumulated feature score of the previous period after clearing and the initial baseline score after recovery, combines them with the retained feature score of the current period to perform a composite calculation to obtain a new risk quantification assessment value, and compares the new risk quantification assessment value with the preset anomaly judgment threshold to update the identification status of the target user.
[0132] As can be seen from the above embodiments, this application, when an identified abnormal user is determined to be a falsely penalized user, clears the target user's cumulative feature score from the previous period to zero and restores the baseline score to the preset initial baseline score. It then recalculates the risk quantification assessment value by combining the retained current period feature score to re-identify the target user. This achieves the effect of quickly eliminating the impact of historical misjudgments while retaining the risk assessment of the current behavior, ensuring that the risk quantification assessment value reflects the corrected user status in real time, avoiding a lag in risk status recovery, balancing business security and user experience, thereby overcoming the limitations of the static assessment mode and achieving efficient and accurate dynamic risk quantification assessment.
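Steps S5310 to S5440, the transfer of S4441 to S4443 and the reset of S6410 to S6420 as one added example (not the applicant's code). The relation `decay ** periods_to_zero == epsilon`, the recursive form of the decayed sum, the rule that only as much credit is moved as the baseline can absorb, the direction of the anomaly threshold, and all numeric values other than the initial baseline of 100 are assumptions, because the page's formulas are missing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Config:
    initial_baseline: float = 100.0  # preset initial baseline score
    periods_to_zero: int = 7         # decay period: a score is ~0 after this many periods
    epsilon: float = 0.01            # "preset positive number close to 0"
    boost_threshold: float = 30.0    # positive improvement threshold (constructed)
    transfer: float = 10.0           # preset transfer score, fixed-value variant
    cumulative_floor: float = 0.0    # lower limit of the cumulative score after deduction
    abnormal_below: float = 60.0     # anomaly threshold; "lower is riskier" is assumed

    @property
    def decay(self) -> float:
        # Assumed relation: decay ** periods_to_zero == epsilon.
        return self.epsilon ** (1.0 / self.periods_to_zero)


@dataclass
class UserState:
    baseline: float
    cumulative: float = 0.0         # cumulative feature score after the last evaluation
    last_period_score: float = 0.0  # initial feature score of the current period


def new_user(cfg: Config) -> UserState:
    return UserState(baseline=cfg.initial_baseline)


def evaluate(state: UserState, period_score: float, rating_scores, cfg: Config) -> float:
    """Run one evaluation period and return the risk quantification value."""
    # S5310-S5330: C_t = s_t + a*C_(t-1) equals the sum of s_(t-n) * a**n,
    # so each extra period of age multiplies a score's weight by a.
    state.cumulative = period_score + cfg.decay * state.cumulative
    state.last_period_score = period_score
    # S5420: the most severe rating feature sets the adjustment.
    current_value = cfg.initial_baseline + min(rating_scores, default=0.0)
    # S5430: one-way lock, the baseline never rises through this path.
    state.baseline = min(current_value, state.baseline)
    # S4441-S4443: move sustained positive credit into the baseline.
    if state.cumulative > cfg.boost_threshold:
        moved = min(cfg.transfer,
                    state.cumulative - cfg.cumulative_floor,
                    cfg.initial_baseline - state.baseline)  # baseline upper limit
        state.cumulative -= moved
        state.baseline += moved
    # S5440: fuse long-term and short-term components.
    return state.baseline + state.cumulative


def is_abnormal(risk: float, cfg: Config) -> bool:
    return risk < cfg.abnormal_below


def reset_false_positive(state: UserState, cfg: Config) -> float:
    """S6410-S6420: clear history, restore the baseline, keep the current period."""
    state.cumulative = state.last_period_score
    state.baseline = cfg.initial_baseline
    return state.baseline + state.cumulative


if __name__ == "__main__":
    cfg = Config()
    user = new_user(cfg)
    # Constructed timeline: (initial feature score, rating feature scores).
    timeline = [(-5.0, [-50.0, -10.0]), (20.0, [0.0]), (20.0, [0.0]), (20.0, [0.0])]
    for period, (score, ratings) in enumerate(timeline):
        risk = evaluate(user, score, ratings, cfg)
        print(period, round(user.baseline, 2), round(user.cumulative, 2),
              round(risk, 2), is_abnormal(risk, cfg))
    print("after reset:", reset_false_positive(user, cfg))
```

In this sketch the transfer leaves the risk value unchanged in the period it happens; the benefit appears in later periods, because the moved credit no longer decays.
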
[0133] Based on any embodiment of the method in this application, the method further includes: Step S6100: Obtain the auxiliary penalty features of the target user.
[0134] The server reads auxiliary penalty feature data representing specific high-risk behaviors from the client. The auxiliary penalty feature data is independent of positive features, negative features, and rating features, and is used to trigger additional penalty logic in subsequent risk assessments.
[0135] Auxiliary penalty features are behavioral or environmental indicators that have extremely high risk indication significance in business scenarios and require separate punitive assessment. Unlike positive and negative features, which are conventionally quantified through segmented scoring functions, auxiliary penalty features are typically used to identify specific gray and black market attack patterns, such as abnormal device fingerprints, IP clustering, and specific sensitive operation sequences.
[0136] The server can receive behavior logs reported by clients through the application programming interface, or extract auxiliary penalty features from the internal risk database.
[0137] Auxiliary penalty features can include device environment features, network environment features, or specific behavioral sequence features. For example, a server can configure whether a device has been jailbroken or rooted as a device environment feature; whether the currently logged-in IP belongs to a known proxy IP database as a network environment feature; and whether a specific combination of sensitive operations was performed within a unit of time as a specific behavioral sequence feature.
[0138] Step S6200: Determine whether the target user has triggered the auxiliary penalty feature. If so, calculate the initial feature score of the positive feature using the negative feature calculation logic.
[0139] The server detects the status of auxiliary penalty features. When it is confirmed that an auxiliary penalty feature has been triggered, the server calls the pre-configured negative feature scoring parameters or calculation rules to quantify the positive features of the target user and generate an initial feature score.
[0140] The server can determine whether the auxiliary penalty feature value meets the preset triggering conditions. For example, if the auxiliary penalty feature is a Boolean value, the server can determine whether it is true; if it is a numerical value, the server can determine whether it is greater than zero or exceeds a specific threshold. If the determination result is a trigger, the server can adjust the segmented scoring function parameters of the positive feature to conform to the calculation logic of the negative feature. For example, in the configured segmented scoring function, the upper limit parameter of the positive feature is usually configured to be greater than 0. When the auxiliary penalty feature is triggered, the server can temporarily adjust the upper limit parameter of the positive feature to a negative value.
[0141] As can be seen from the above embodiments, this application obtains the auxiliary penalty features of the target user and calculates the initial feature score of its positive features using the calculation logic of negative features when the auxiliary penalty features are triggered. This achieves the effect of dynamically adjusting the risk contribution direction of positive features in a high-risk environment, preventing gray and black market actors from using normal behavior indicators to cover up their attack intentions. It can flexibly respond to specific high-risk scenarios without relying on a large amount of labeled data for training, and enhances the sensitivity of the risk assessment system to mutated attacks. This overcomes the limitations of the static assessment mode and achieves efficient and accurate dynamic risk quantification assessment.
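The parameter switch described in [0139] and [0140], as an added Python sketch that is not code from the application. The saturating-exponential curve, the linear decrease past the penalty start point, the reading of "negative feature calculation logic" as a negative limit with no penalty segment, and every parameter value are assumptions.

```python
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SegmentParams:
    tolerance: float       # tolerance number parameter
    penalty_start: float   # penalty start point parameter
    limit: float           # score limit parameter (> 0 for a positive feature)
    rate: float = 0.5      # assumed steepness of the saturating segment
    slope: float = 1.0     # assumed per-unit decrease past penalty_start


def segment_score(value, p, penalty_segment):
    """Segmented scoring function; the curve shapes are assumptions."""
    if value <= p.tolerance:
        return 0.0                       # within tolerance: no contribution
    capped = min(value, p.penalty_start) if penalty_segment else value
    # Approaches p.limit as the feature value grows.
    score = p.limit * (1.0 - math.exp(-p.rate * (capped - p.tolerance)))
    if penalty_segment and value >= p.penalty_start:
        # Implausibly high positive activity starts losing score again.
        score -= p.slope * (value - p.penalty_start)
    return score


def aux_triggered(feature, threshold=0.0):
    """Boolean features trigger when true, numeric ones above a threshold."""
    if isinstance(feature, bool):
        return feature
    return feature > threshold


def positive_feature_score(value, p, aux_features):
    """Score a positive feature, flipping its direction under an aux penalty."""
    if any(aux_triggered(f) for f in aux_features):
        # Temporarily make the limit negative so the same activity counts
        # against the user instead of masking the risky environment.
        flipped = replace(p, limit=-abs(p.limit))
        return segment_score(value, flipped, penalty_segment=False)
    return segment_score(value, p, penalty_segment=True)


if __name__ == "__main__":
    params = SegmentParams(tolerance=3, penalty_start=20, limit=10)  # constructed
    clean = [False, False, 0]    # rooted device, proxy IP, sensitive-op combos
    risky = [False, True, 0]     # login IP found in the proxy IP database
    for v in (2, 10, 25):
        print(v, positive_feature_score(v, params, clean),
              positive_feature_score(v, params, risky))
```
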
[0142] As shown in Figure 3, an abnormal user identification device according to one aspect of this application includes a behavior feature acquisition module 5100, a segmented scoring and quantification module 5200, a time decay accumulation module 5300, and a risk fusion assessment module 5400. The behavior feature acquisition module 5100 is used to acquire behavior feature data of a target user in a business scenario, including positive features, negative features, and rating features. The segmented scoring and quantification module 5200 is used to quantify positive and negative features according to a preset segmented scoring function to obtain initial feature scores. The time decay accumulation module 5300 is used to perform exponential decay calculation on the initial feature scores according to a preset decay function to obtain cumulative feature scores. The decay function is configured such that the earlier the initial feature score, the smaller its contribution to the cumulative feature score. The risk fusion assessment module 5400 is used to calculate a baseline score for the target user based on the rating features, and fuse the baseline score and the cumulative feature score into a risk quantification assessment value to identify whether the target user is an abnormal user.
[0143] Based on any embodiment of the device in this application, the segmented scoring and quantization module 5200 includes: The segmented parameter configuration module is used to configure the tolerance number parameters, penalty start point parameters, and score limit parameters of the segmented scoring function; The zero-tolerance output module is used to output an initial feature score of zero when the feature values of positive and / or negative features are less than or equal to the tolerance number parameter. The incremental scaling module is used to output an initial feature score that approaches the upper limit parameter as the feature value increases when the feature value of positive and / or negative features is greater than the tolerance number parameter and less than the penalty start point parameter. The decreasing penalty module is used to output an initial feature score that decreases as the feature value increases when the positive feature is greater than or equal to the penalty start parameter.
[0144] Based on any embodiment of the device in this application, the time decay accumulation module 5300 includes: The time interval calculation module is used to determine the time interval between the historical behavior time of the initial feature score and the current evaluation time; The historical decay module is used to exponentially decay the initial feature scores of each historical period based on the time interval and decay function, so as to obtain the decayed scores of each historical period. The cumulative summation module is used to sum the initial feature score of the current period with the decayed scores of each historical period to obtain the cumulative feature score.
[0145] Based on any embodiment of the device in this application, the risk fusion assessment module 5400 includes: The grading feature scoring module is used to calculate the grading feature score based on the preset segmented scoring function; The benchmark score adjustment module is used to select the minimum value among the grading feature scores as the benchmark score adjustment amount, and add the preset initial benchmark score to the benchmark score adjustment amount to obtain the current calculated value; The benchmark score update module is used to compare the current calculated value with the benchmark score of the previous period and select the smaller value as the benchmark score of the current period. The risk fusion module is used to add the baseline score and cumulative feature score of the current period to obtain a quantitative risk assessment value.
[0146] Based on any embodiment of the apparatus in this application, prior to the risk fusion module, it includes: The cumulative score monitoring module is used to monitor the cumulative feature scores of target users; The score transfer and deduction module is used to deduct a preset transfer score from the cumulative feature score when the cumulative feature score exceeds the preset positive boost threshold. The baseline score addition module is used to add the deducted preset transfer score to the baseline score for the current period.
[0147] Based on any embodiment of the device in this application, after the risk fusion assessment module 5400, it includes: The false alarm recovery initialization module is used to clear the target user's accumulated feature score from the previous period to zero and restore the target user's baseline score to the preset initial baseline score when the identified abnormal user is determined to be a false alarm user. The false positive reassessment module is used to recalculate the risk quantification assessment value based on the cumulative feature score of the previous period after clearing and the initial baseline score, so as to re-identify whether the target user is an abnormal user.
[0148] Based on any embodiment of the device in this application, the abnormal user identification device further includes: The auxiliary feature acquisition module is used to acquire auxiliary penalty features of the target user; The auxiliary penalty processing module is used to determine whether the target user has triggered the auxiliary penalty feature. If it has, the initial feature score of the positive feature is calculated using the calculation logic of the negative feature.
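The submodules of the time decay accumulation module 5300 and the risk fusion assessment module 5400, together with the score transfer and false alarm recovery steps, as an added Python sketch that is not code from the application. The half-life form of the decay function, the rule that a value below a threshold marks an abnormal user, and all constants are assumptions; initial feature scores and rating feature scores are passed in already computed.

```python
from dataclasses import dataclass, field

# Constructed parameters; the application gives no concrete values.
HALF_LIFE = 7.0            # assumed decay form: score * 0.5 ** (interval / HALF_LIFE)
INITIAL_BASELINE = 60.0    # preset initial baseline score
BOOST_THRESHOLD = 30.0     # preset positive boost threshold
TRANSFER_SCORE = 10.0      # preset transfer score
ABNORMAL_BELOW = 40.0      # assumed decision rule: a lower value means higher risk


def cumulative_score(current, history, now):
    """Current-period initial score plus decayed scores of historical periods."""
    total = current
    for period, score in history:
        interval = now - period
        total += score * 0.5 ** (interval / HALF_LIFE)
    return total


@dataclass
class UserState:
    baseline: float = INITIAL_BASELINE
    history: list = field(default_factory=list)   # (period, initial score)

    def assess(self, period, initial_score, rating_scores):
        """Return (risk quantification assessment value, is_abnormal)."""
        cumulative = cumulative_score(initial_score, self.history, period)
        self.history.append((period, initial_score))
        # Adjustment is the minimum rating-feature score; the baseline then
        # takes the smaller of this period's value and the previous baseline.
        calculated = INITIAL_BASELINE + min(rating_scores)
        self.baseline = min(calculated, self.baseline)
        # Score transfer: move points from the cumulative score to the baseline.
        if cumulative > BOOST_THRESHOLD:
            cumulative -= TRANSFER_SCORE
            self.baseline += TRANSFER_SCORE
        value = self.baseline + cumulative
        return value, value < ABNORMAL_BELOW

    def recover_false_alarm(self):
        """Clear the accumulated score, restore the baseline, re-evaluate."""
        self.history.clear()
        self.baseline = INITIAL_BASELINE
        value = self.baseline + 0.0
        return value, value < ABNORMAL_BELOW


if __name__ == "__main__":
    user = UserState()
    print(user.assess(0, -20.0, [0.0, -5.0]))   # constructed scores
    print(user.assess(7, -4.0, [0.0, 0.0]))
    print(user.recover_false_alarm())
```
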
[0149] As shown in Figure 4, another embodiment of this application also provides an electronic device, wherein the internal structure of the electronic device is illustrated. The electronic device includes a processor, a computer-readable storage medium, a memory, and a network interface connected via a system bus. The computer-readable storage medium stores an operating system, a database, and computer-readable instructions. The database may store a sequence of control information. When the computer-readable instructions are executed by the processor, the processor can implement the abnormal user identification method described in this application. The processor of the electronic device provides computing and control capabilities to support the operation of the entire electronic device. The memory of the electronic device may store computer-readable instructions. When the computer-readable instructions are executed by the processor, the processor can execute the abnormal user identification method described in this application. The network interface of the electronic device is used for communication with a terminal. Those skilled in the art will understand that the structure shown in Figure 4 is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the electronic device to which the present application is applied. The specific electronic device may include more or fewer components than shown in the figure, or combine certain components, or have different component arrangements.
[0150] In this implementation, the processor is used to execute the specific functions of each module and its submodules shown in Figure 3. The memory stores the program code and various data required to execute these modules or submodules. The network interface is used for data transmission between the user terminal and the server. In this implementation, the memory stores the program code and data required to execute all modules / submodules in the abnormal user identification device of this application. The server can call the server's program code and data to execute the functions of all submodules.
[0151] This application also provides a storage medium storing computer-readable instructions, which, when executed by one or more processors, cause the one or more processors to perform the steps of the method described in any embodiment of this application.
[0152] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments of this application can be implemented by a computer program instructing related hardware. This computer program can be stored in a non-volatile readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. The aforementioned storage medium can be a computer-readable storage medium such as a magnetic disk, optical disk, read-only memory (ROM), or random access memory (RAM).
[0153] The above description is only a partial implementation method of this application. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the principles of this application, and these improvements and modifications should also be considered within the scope of protection of this application.
Claims
1. A method for identifying abnormal users, characterized in that it includes: Acquiring behavioral characteristic data of target users in business scenarios, including positive characteristics, negative characteristics, and rating characteristics; The positive and negative features are quantized according to the preset segmented scoring function to obtain the initial feature scores; The initial feature score is subjected to exponential decay calculation according to a preset decay function to obtain the cumulative feature score. The decay function is configured such that the contribution of the initial feature score from a longer time period to the cumulative feature score is smaller. The baseline score of the target user is calculated based on the grading characteristics. The baseline score and the cumulative characteristic score are then combined into a risk quantification assessment value to identify whether the target user is an abnormal user.
2. The abnormal user identification method according to claim 1, characterized in that the step of quantizing the positive and negative features according to a preset segmented scoring function to obtain initial feature scores includes: Configure the tolerance number parameter, penalty start point parameter, and score limit parameter of the segmented scoring function; When the feature value of the positive feature and / or negative feature is less than or equal to the tolerance number parameter, the initial feature score is output as zero; When the feature value of the positive feature and / or negative feature is greater than the tolerance number parameter and less than the penalty start point parameter, the output is an initial feature score that approaches the score upper limit parameter as the feature value increases. When the positive feature is greater than or equal to the penalty starting point parameter, the output is an initial feature score that decreases as the feature value increases.
3. The abnormal user identification method according to claim 1, characterized in that the step of performing exponential decay calculation on the initial feature score according to a preset decay function to obtain a cumulative feature score, wherein the decay function is configured such that the earlier the initial feature score, the smaller its contribution to the cumulative feature score, includes: Determine the time interval between the historical behavior time and the current evaluation time for the initial feature score; Based on the time interval and decay function, the initial feature scores of each historical period are exponentially decayed to obtain the decayed scores of each historical period. The cumulative feature score is obtained by summing the initial feature score of the current period with the decayed scores of each historical period.
4. The abnormal user identification method according to claim 1, wherein calculating the baseline score of the target user based on the grading characteristics, and fusing the baseline score and the cumulative feature score into a risk quantification assessment value for identifying whether the target user is an abnormal user, includes: The scoring value of the scoring feature is calculated based on the preset segmented scoring function; The minimum value among the grading feature scores is selected as the benchmark score adjustment amount, and the preset initial benchmark score is added to the benchmark score adjustment amount to obtain the current calculated value; The current calculated value is compared with the benchmark score of the previous period, and the smaller value between the two is selected as the benchmark score of the current period. The baseline score and cumulative feature score of the current period are added together to obtain the risk quantification assessment value.
5. The abnormal user identification method according to claim 4, characterized in that, before adding the baseline score and cumulative feature score of the current period to obtain the risk quantification assessment value, the following steps are included: Monitor the cumulative feature scores of target users; When the cumulative feature score exceeds a preset positive improvement threshold, a preset transfer score is deducted from the cumulative feature score; The deducted preset transfer score is added to the base score for the current period.
6. The abnormal user identification method according to claim 1, characterized in that, after calculating the target user's baseline score based on the grading characteristics, and merging the baseline score and cumulative characteristic scores into a risk quantification assessment value to identify whether the target user is an abnormal user, the process further includes: When an identified abnormal user is determined to be a mistakenly penalized user, the target user's accumulated feature score from the previous period is cleared to zero, and the target user's baseline score is restored to the preset initial baseline score. Based on the cumulative feature score of the previous period after the reset and the initial benchmark score, the risk quantification assessment value is recalculated to re-identify whether the target user is an abnormal user.
7. The abnormal user identification method according to claim 1, characterized in that the method further includes: Obtain the auxiliary penalty characteristics of the target user; Determine whether the target user has triggered the auxiliary penalty feature. If so, calculate the initial feature score of the positive feature using the negative feature calculation logic.
8. An abnormal user identification device, characterized in that it includes: The behavior feature acquisition module is used to acquire the behavior feature data of the target user in the business scenario. The behavior feature data includes positive features, negative features, and rating features. The segmented scoring and quantization module is used to quantize the positive and negative features according to a preset segmented scoring function to obtain initial feature scores. The time decay accumulation module is used to perform exponential decay calculation on the initial feature score according to a preset decay function to obtain the cumulative feature score. The decay function is configured such that the contribution of the initial feature score from a longer time period to the cumulative feature score is smaller. The risk fusion assessment module is used to calculate the baseline score of the target user based on the rating characteristics, and to fuse the baseline score and the cumulative characteristic score into a risk quantification assessment value, which is used to identify whether the target user is an abnormal user.
9. An electronic device comprising a central processing unit and a memory, characterized in that the central processing unit is used to invoke and run a computer program stored in the memory to perform the steps of the method as described in any one of claims 1 to 7.
10. A non-volatile storage medium, characterized in that it stores, in the form of computer-readable instructions, a computer program implemented according to any one of claims 1 to 7, which, when invoked by a computer, executes the steps included in the corresponding method.