Risk control method, device, equipment, medium and program product
By constructing risk behavior sequence templates and performing matching degree analysis on incremental traffic, the problem of insufficient risk control coverage and accuracy in existing technologies is solved, and more reliable risk identification and control are achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Application (China)
- Current Assignee / Owner
- ZHEJIANG E COMMERCE BANK CO LTD
- Filing Date
- 2025-11-19
- Publication Date
- 2026-06-19
AI Technical Summary
Existing risk control solutions rely on a single data dimension and manually set rules and strategies, resulting in insufficient coverage and accuracy of risk control.
By generating risk behavior sequence templates based on historical traffic behavior sequences from application layer gateways, high-risk call interfaces are filtered using sequence clustering and interface clustering features, risk behavior sequence templates are constructed, and incremental traffic is analyzed for matching degree to identify suspicious behavior sequences.
This improves the accuracy and coverage of risk control, achieves more reliable risk identification and control, and enhances the comprehensiveness and timeliness of risk control.
Abstract figure: CN122247665A_ABST
Description
[0001] This application is a divisional application of the invention patent application filed on November 19, 2025, with application number 202511705183.1 and invention title "Risk Control Method, Device, Equipment, Medium and Program Product".
Technical Field
[0002] This specification relates to the field of information security technology, and in particular to a risk control method, device, equipment, medium, and program product.
Background Technology
[0003] Currently, risk control in online businesses primarily relies on data collection triggered by security incidents and risk identification using pre-defined rules and policies. Related technologies involve collecting static metadata (such as user identifiers, device fingerprints, and action types) related to a security incident when it is detected that a user has performed actions such as registration, login, or fund transfer. Based on the collected static metadata and pre-defined rules and policies, it is determined whether the business entity is at risk of account trading, fraud, or other similar activities.
[0004] However, current risk control solutions rely on relatively limited data dimensions and risk identification mechanisms that depend on manually set rules and strategies, resulting in insufficient coverage and accuracy of risk control. A more reliable risk control method is needed.
Summary of the Invention
[0005] This specification provides a risk control method, apparatus, equipment, medium, and program product that can improve the coverage and accuracy of risk control, thereby improving the reliability of risk control.
[0006] In a first aspect, the embodiments of this specification provide a risk control method, including: based on historical application layer traffic passing through the application layer gateway, obtaining the historical traffic behavior sequence associated with each of multiple confirmed risk cases; generating a risk behavior sequence template based on the historical traffic behavior sequences associated with the multiple confirmed risk cases; and performing risk control on incremental application layer traffic passing through the application layer gateway based on the risk behavior sequence template.
[0007] In one possible implementation, based on historical application layer traffic passing through the application layer gateway, the historical traffic behavior sequences associated with each of the multiple confirmed risk cases are obtained, including: Based on historical application layer traffic passing through the application layer gateway, construct a historical traffic behavior sequence at the subject level; Based on the case data corresponding to each of the multiple confirmed risk cases, the historical traffic behavior sequences associated with each of the multiple confirmed risk cases are selected from the historical traffic behavior sequences of the subject dimension.
[0008] In one possible implementation, the case data includes the identifier of the involved subject and the case timestamp. Selecting the historical traffic behavior sequences associated with each of the multiple confirmed risk cases from the historical traffic behavior sequences of the subject dimension, based on the case data corresponding to each confirmed risk case, includes: based on the identifier of the involved subject of each confirmed risk case, selecting the historical traffic behavior sequence corresponding to that subject from the historical traffic behavior sequences of the subject dimension; and based on the case timestamp of each confirmed risk case, extracting the sequence before and after the case time point from the historical traffic behavior sequence of the involved subject, and using it as the historical traffic behavior sequence associated with that confirmed risk case.
[0009] In one possible implementation, generating the risk behavior sequence template based on the historical traffic behavior sequences associated with each of the multiple confirmed risk cases includes: based on those historical traffic behavior sequences, obtaining at least one high-risk historical traffic behavior sequence and at least one high-risk call interface in the high-risk historical traffic behavior sequence; based on the at least one high-risk historical traffic behavior sequence, determining the call order of the at least one high-risk call interface; and combining the high-risk call interfaces into the risk behavior sequence template according to that call order.
[0010] In one possible implementation, based on the historical traffic behavior sequences associated with multiple confirmed risk cases, at least one high-risk historical traffic behavior sequence and at least one high-risk call interface from the high-risk historical traffic behavior sequence are obtained, including: Obtain the sequence clustering features corresponding to the historical traffic behavior sequences associated with each of the multiple confirmed risk cases; Based on the sequence clustering characteristics, at least one high-risk historical traffic behavior sequence is selected from the historical traffic behavior sequences associated with multiple confirmed risk cases. Obtain the interface clustering characteristics corresponding to the API calls in at least one high-risk historical traffic behavior sequence; Based on the clustering characteristics of interfaces, at least one high-risk call interface is selected from at least one high-risk historical traffic behavior sequence.
[0011] In one possible implementation, the sequence clustering characteristics include sequence occurrence frequency and sequence occurrence count, and the interface clustering characteristics include interface call frequency and interface call count. Selecting at least one high-risk historical traffic behavior sequence from the historical traffic behavior sequences associated with the multiple confirmed risk cases based on the sequence clustering characteristics includes: from the historical traffic behavior sequences associated with the multiple confirmed risk cases, selecting those whose sequence occurrence frequency reaches a first preset frequency threshold and whose sequence occurrence count reaches a first preset count threshold, and using them as the at least one high-risk historical traffic behavior sequence. Selecting at least one high-risk call interface from the at least one high-risk historical traffic behavior sequence based on the interface clustering characteristics includes: from the interfaces called in the at least one high-risk historical traffic behavior sequence, selecting those whose interface call frequency reaches a second preset frequency threshold and whose interface call count reaches a second preset count threshold, and using them as the at least one high-risk call interface.
[0012] In one possible implementation, before performing risk control on incremental application layer traffic passing through the application layer gateway based on risk behavior sequence templates, the above method further includes: Based on incremental application layer traffic passing through the application layer gateway, construct an incremental traffic behavior sequence at the subject level; Based on risk behavior sequence templates, risk control is performed on incremental application layer traffic passing through the application layer gateway, including: Calculate the matching degree between the risk behavior sequence template and the incremental traffic behavior sequence of the subject dimension corresponding to the incremental application layer traffic; Incremental traffic behavior sequences that reach a preset matching degree threshold are identified as suspicious incremental traffic behavior sequences. The entities involved in suspicious incremental traffic behavior sequences are compared and verified with the entities involved in potential risk cases; Perform risk control operations on entities whose suspicious incremental traffic behavior sequences have been verified.
[0013] In a second aspect, embodiments of this specification provide a risk control device, including: an acquisition module, used to obtain the historical traffic behavior sequences associated with each of the multiple confirmed risk cases based on the historical application layer traffic passing through the application layer gateway; a generation module, used to generate risk behavior sequence templates based on the historical traffic behavior sequences associated with the multiple confirmed risk cases; and a control module, used to perform risk control on incremental application layer traffic passing through the application layer gateway based on the risk behavior sequence templates.
[0014] In a third aspect, embodiments of this specification provide an electronic device, including a processor and a memory; the memory stores a computer program which, when executed by the processor, implements the method steps provided in the first aspect of the embodiments of this specification.
[0015] In a fourth aspect, embodiments of this specification provide a computer storage medium storing a plurality of instructions adapted to be loaded by a processor to execute the method steps provided in the first aspect of the embodiments of this specification.
[0016] In a fifth aspect, embodiments of this specification provide a computer program product including a computer program; when the computer program is executed by a processor, it implements the method steps provided in the first aspect of the embodiments of this specification.
[0017] The aforementioned risk control methods, devices, equipment, media, and program products, in the offline analysis phase, acquire historical traffic behavior sequences associated with multiple confirmed risk cases based on historical application layer traffic passing through the application layer gateway. Based on these sequences, a risk behavior sequence template is generated, which helps to trace the complete behavioral trajectory of users before and after the occurrence of multiple confirmed risk cases, thereby more accurately identifying risk patterns and improving the precision of risk control. In the online processing phase, risk control is applied to incremental application layer traffic passing through the application layer gateway based on the risk behavior sequence template. This helps to obtain full user behavioral data from incremental application layer traffic from the traffic entry point, improving the coverage of risk control. The entire risk control process, based on application layer traffic collected through embedded points on the application layer gateway, enables black sample template construction and online risk decision-making, effectively improving the precision and coverage of risk control, and thus enhancing its reliability.
Brief Description of the Drawings
[0018] To more clearly illustrate the technical solutions in the embodiments of this specification, the accompanying drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this specification. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0019] Figure 1 is a schematic diagram of the application environment of a risk control method provided as an exemplary embodiment of this specification;
Figure 2 is a flowchart of a risk control method provided as an exemplary embodiment of this specification;
Figure 3 is a flowchart of another risk control method provided as an exemplary embodiment of this specification;
Figure 4 is a flowchart of yet another risk control method provided as an exemplary embodiment of this specification;
Figure 5 is a schematic diagram of the structure of a risk control device provided as an exemplary embodiment of this specification;
Figure 6 is a schematic diagram of the structure of an electronic device provided as an exemplary embodiment of this specification.
Detailed Description
[0020] To make the objectives, technical solutions, and advantages of this specification clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this specification.
[0021] In the description of this specification, it should be understood that the terms "first," "second," etc., are used for descriptive purposes only and should not be construed as indicating or implying relative importance. Those skilled in the art can understand the specific meaning of these terms in this specification based on the specific circumstances. Furthermore, in the description of this specification, unless otherwise stated, "multiple" means two or more. "And/or" describes the relationship between related objects and indicates that three relationships can exist; for example, "A and/or B" can represent A alone, A and B simultaneously, or B alone. The character "/" generally indicates that the preceding and following related objects are in an "or" relationship.
[0022] The risk control method provided in the embodiments of this specification can be applied to, for example, the application environment shown in Figure 1, where terminal 10 communicates with server 20 via a network. A data storage system can store the data that server 20 needs to process; this data storage system can be integrated into server 20 or hosted on a cloud or other network server.
[0023] In some possible implementations, risk control personnel can initiate an offline analysis command to server 20 via terminal 10. In response to the offline analysis command, server 20 obtains historical traffic behavior sequences associated with multiple confirmed risk cases based on historical application layer traffic passing through the application layer gateway. Based on these historical traffic behavior sequences, server 20 generates a risk behavior sequence template and sends it to terminal 10 for display and confirmation by risk control personnel. After confirming the template generated by server 20, risk control personnel can also initiate an online processing command to server 20 via terminal 10, triggering server 20 to perform risk control on incremental application layer traffic passing through the application layer gateway based on the risk behavior sequence template.
[0024] It is worth noting that the above-described process of manually triggering the server 20 to complete risk control through the terminal 10 only describes one optional implementation. In practical applications, the offline analysis process and online processing process in the above-described risk control scheme can also be automatically and periodically executed by the server 20 according to a preset strategy. This specification does not limit this embodiment.
[0025] Understandably, terminal 10 can be, but is not limited to, various personal computers, laptops, smartphones, tablets, IoT devices, and portable wearable devices. Server 20 can be implemented using a standalone server or a server cluster consisting of multiple servers.
[0026] In one embodiment, as shown in Figure 2, a risk control method is provided. Taking its application to server 20 in Figure 1 as an example, the method includes the following steps:
S202: Based on historical application layer traffic passing through the application layer gateway, obtain the historical traffic behavior sequence associated with each of the multiple confirmed risk cases.
[0027] The application layer gateway is the hardware and software infrastructure that handles application layer protocols in network communication. As the unified entry point for business traffic, it is used to parse, forward, and process application layer traffic such as HTTP and HTTPS. Historical application layer traffic refers to Layer 7 network traffic that has passed through the aforementioned application layer gateway within a preset historical time period. Multiple confirmed risk cases are risk cases that have been reported and obtained by server 20 from the data storage system.
[0028] Optionally, a collection probe (Agent) is deployed on the application layer gateway of the business system to collect traffic passing through the application layer gateway. This collection probe has traffic mirroring capabilities, used to receive application layer traffic mirrored from the application layer gateway and forward it to server 20 for processing. Server 20 receives the application layer traffic sent by the collection probe, and obtains the historical application layer traffic passing through the application layer gateway within a first preset time period; it also obtains the case data corresponding to each of the multiple confirmed risk cases with the relevant timestamps within a second preset time period from the data storage system; then, based on the above case data and the above historical application layer traffic, it obtains the historical traffic behavior sequence associated with each of the multiple confirmed risk cases.
[0029] Understandably, the case data corresponding to each of the multiple confirmed risk cases includes, but is not limited to, the identification of the involved entity (such as the involved user account, involved device number), involved bank card number, cause of action, and involved timestamp, etc., for each of the multiple confirmed risk cases. The start time of the first preset time period is earlier than the start time of the second preset time period, and the end time of the first preset time period is later than the end time of the second preset time period. This ensures that the complete behavioral trajectory of the user before and after the incident can be traced back based on the application layer traffic passing through the application layer gateway within a certain period before and after the occurrence of multiple confirmed risk cases, so as to more accurately identify risk patterns in the future.
[0030] S204: Generate a risk behavior sequence template based on the historical traffic behavior sequences associated with each of the multiple confirmed risk cases.
[0031] The risk behavior sequence template is derived from the analysis and extraction of historical traffic behavior sequences associated with multiple confirmed risk cases, and is used to abstract commonalities in business risk behaviors. The risk behavior sequence template includes multiple high-risk call interfaces arranged in a specific call order, representing typical operational paths for completing a certain type of risk activity.
[0032] Optionally, server 20 first selects at least one high-risk historical traffic behavior sequence from the historical traffic behavior sequences associated with each of the multiple confirmed risk cases based on the sequence clustering characteristics. Then, based on the interface clustering characteristics of the interfaces called in the at least one high-risk historical traffic behavior sequence, at least one high-risk calling interface is selected from the at least one high-risk historical traffic behavior sequence. Next, based on the at least one high-risk historical traffic behavior sequence, the calling order of the at least one high-risk calling interface is determined. Finally, according to the above calling order, the high-risk calling interfaces are combined into a risk behavior sequence template at the interface level. For example, the risk behavior sequence template is an ordered list composed of risk interface identifiers, such as [risk interface A, risk interface A, risk interface A, risk interface B, risk interface B, risk interface C, ...].
[0033] In this embodiment, during the offline analysis phase, the server obtains the historical traffic behavior sequences associated with each of the multiple confirmed risk cases based on the historical application layer traffic passing through the application layer gateway. Based on the historical traffic behavior sequences associated with each of the multiple confirmed risk cases, a risk behavior sequence template is generated. This helps to trace the complete behavioral trajectory of users before and after the occurrence of multiple confirmed risk cases, thereby more accurately identifying risk patterns and improving the accuracy of risk control.
[0034] S206: Based on risk behavior sequence templates, perform risk control on incremental application layer traffic passing through the application layer gateway.
[0035] Optionally, the server 20 calculates the matching degree between the risk behavior sequence template and the incremental traffic behavior sequence corresponding to the incremental application layer traffic passing through the application layer gateway at a preset time period, and identifies the incremental traffic behavior sequence with a matching degree reaching a preset matching degree threshold as a suspicious incremental traffic behavior sequence, thereby performing risk control on the incremental application layer traffic passing through the application layer gateway.
[0036] The preset time period is a manually set processing cycle, such as one hour, which can be adjusted according to actual needs, such as half an hour or two hours. The shorter the preset time period, the higher the processing frequency for incremental application layer traffic, and the stronger the timeliness of risk control. However, if the preset time period is set too short, it will lead to an excessive amount of data processing for server 20 to implement online risk control, thereby increasing the computing resources and costs consumed by server 20 in implementing business risk control.
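The online matching step of S206 (and of paragraph [0012]), written out as an added Python example that is not part of the patent. The specification does not define how the matching degree is computed, so this example assumes one reasonable definition: the share of the template recovered, in order, as a subsequence of the incremental sequence (a longest-common-subsequence ratio). The template, the per-account incremental sequences, the potential-case subject set, the 0.8 threshold and all function names are constructed for the example; the incremental sequences are assumed to have been built per user account exactly as the historical ones are.

```python
# Constructed risk behavior sequence template from the offline phase
# (ordered interface identifiers); not real data.
TEMPLATE = ["A", "A", "A", "B", "B", "C"]

# Constructed incremental traffic behavior sequences at the user account level for one
# processing cycle (account -> interface identifiers in call order).
INCREMENTAL_SEQUENCES = {
    "u1": ["L", "A", "A", "A", "Q", "B", "B", "C"],  # whole template present, unrelated calls interleaved
    "u2": ["L", "A", "B", "Q"],                       # only a fragment of the template
    "u3": ["L", "Q", "Q"],                            # nothing in common with the template
}

# Constructed set of subjects that appear in potential (not yet confirmed) risk cases.
POTENTIAL_CASE_SUBJECTS = {"u1", "u3"}


def lcs_length(a, b):
    """Length of the longest common subsequence of a and b (order preserved, gaps allowed)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def matching_degree(template, sequence):
    """Assumed definition (the specification does not fix one): the fraction of the
    template that appears, in order, inside the incremental sequence; a value in [0, 1]."""
    if not template:
        return 0.0
    return lcs_length(template, sequence) / len(template)


def find_suspicious(template, sequences, threshold):
    """Incremental sequences whose matching degree reaches the preset threshold."""
    degrees = {subject: matching_degree(template, seq) for subject, seq in sequences.items()}
    return {subject: d for subject, d in degrees.items() if d >= threshold}


def verify_against_potential_cases(suspicious, potential_subjects):
    """Cross-check suspicious subjects against the subjects of potential risk cases;
    only the verified subjects go on to the risk control operation."""
    return sorted(set(suspicious) & set(potential_subjects))


def risk_control_cycle(template, sequences, threshold, potential_subjects):
    """One online processing cycle: match, threshold, verify. Returns the verified subjects."""
    suspicious = find_suspicious(template, sequences, threshold)
    return verify_against_potential_cases(suspicious, potential_subjects)


if __name__ == "__main__":
    print(find_suspicious(TEMPLATE, INCREMENTAL_SEQUENCES, 0.8))
    print(risk_control_cycle(TEMPLATE, INCREMENTAL_SEQUENCES, 0.8, POTENTIAL_CASE_SUBJECTS))
```

With these inputs only u1 reaches the threshold (u2 recovers two of the six template calls). One property of this assumed definition worth keeping in mind when tuning the threshold: a long incremental sequence containing many unrelated calls can still score 1.0 as long as the template calls occur somewhere in order, so the processing cycle length of [0036] also bounds how much unrelated traffic a match may span.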
[0037] In this embodiment, during the online processing phase, the server performs risk control on incremental application layer traffic passing through the application layer gateway based on the risk behavior sequence template. This helps to obtain complete user behavior data from the incremental application layer traffic from the traffic inlet, thereby improving the coverage of risk control.
[0038] In the aforementioned risk control method, during the offline analysis phase, the server obtains historical traffic behavior sequences associated with multiple confirmed risk cases based on historical application layer traffic passing through the application layer gateway. Based on these sequences, a risk behavior sequence template is generated, which helps to trace the complete behavioral trajectory of users before and after the occurrence of multiple confirmed risk cases, thereby more accurately identifying risk patterns and improving the precision of risk control. During the online processing phase, the server performs risk control on incremental application layer traffic passing through the application layer gateway based on the risk behavior sequence template. This helps to obtain full user behavioral data from incremental application layer traffic from the traffic entry point, improving the coverage of risk control. The entire risk control process, based on application layer traffic collected through embedded points on the application layer gateway, enables black sample template construction and online risk decision-making, effectively improving the precision and coverage of risk control, and thus enhancing its reliability.
[0039] In one embodiment, as shown in Figure 3, another risk control method is provided. Taking its application to server 20 in Figure 1 as an example, the method includes the following steps:
S302: Based on historical application layer traffic passing through the application layer gateway, construct a historical traffic behavior sequence at the subject level.
[0040] The historical traffic behavior sequence at the subject level can be, but is not limited to, historical traffic behavior sequences at the user account level or historical traffic behavior sequences at the device ID level. The following explanation uses the historical traffic behavior sequence at the user account level as an example to illustrate this.
[0041] Optionally, server 20 receives application layer traffic sent by collection probes deployed on the application layer gateway, parses and cleans it to obtain historical application layer traffic passing through the application layer gateway within a first preset time period, and then constructs a historical traffic behavior sequence at the user account level based on the aforementioned historical application layer traffic. Understandably, the historical traffic behavior sequence at the user account level is a structured data sequence formed by arranging and aggregating all application layer network access behaviors generated by the user within the first preset time period in chronological order, using the user account as a unique identifier. Specifically, server 20 extracts key fields such as user account, timestamp, and API call from the historical application layer traffic passing through the application layer gateway within the first preset time period, then aggregates it using the user account as the primary key, and sorts all of the user's behaviors according to the timestamp, ultimately forming the historical traffic behavior sequence at the user account level.
[0042] S304: Based on the case data corresponding to each of the multiple confirmed risk cases, filter out the historical traffic behavior sequences associated with each of the multiple confirmed risk cases from the historical traffic behavior sequences of the subject dimension.
[0043] Optionally, server 20 retrieves case data corresponding to multiple confirmed risk cases within a second preset time period from the data storage system, where the start time of the second preset time period is later than the start time of the first preset time period, and the end time of the second preset time period is earlier than the end time of the first preset time period. Then, server 20 filters out the historical traffic behavior sequences associated with each of the multiple confirmed risk cases from the historical traffic behavior sequences at the subject dimension, based on the subject-related entity identifiers and timestamps of each of the multiple confirmed risk cases.
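Steps S302 and S304 (and the corresponding summary in [0007] and [0008]) as an added Python example; this is not the patent's code. It assumes the collection probe's output has already been parsed into (user account, timestamp, API path) records, uses constructed sample records and one constructed confirmed case, and treats the length of the window before and after the case timestamp as an assumed parameter, since the specification leaves it open.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of parsed application layer gateway records (not real traffic):
# (user_account, ISO timestamp, API path). The field layout is an assumption.
GATEWAY_RECORDS = [
    ("u1", "2025-01-10T09:00:00", "/api/login"),
    ("u2", "2025-01-10T09:01:00", "/api/login"),
    ("u1", "2025-01-10T09:02:00", "/api/query_balance"),
    ("u1", "2025-01-10T09:03:00", "/api/bind_card"),
    ("u2", "2025-01-10T09:04:00", "/api/query_balance"),
    ("u1", "2025-01-10T09:05:00", "/api/transfer"),
    ("u1", "2025-01-11T10:00:00", "/api/login"),
    ("u1", "2025-01-11T10:01:00", "/api/transfer"),
]

# Constructed case data: the involved subject identifier and the case timestamp.
CONFIRMED_CASES = [
    {"case_id": "c1", "subject": "u1", "timestamp": "2025-01-10T09:04:00"},
]

# Assumed window around the case time; the specification does not fix its length.
WINDOW_BEFORE = timedelta(minutes=5)
WINDOW_AFTER = timedelta(minutes=5)


def build_subject_sequences(records):
    """S302: aggregate by user account (the subject) and sort each account's calls by time."""
    sequences = defaultdict(list)
    for account, ts, api in records:
        sequences[account].append((datetime.fromisoformat(ts), api))
    for account in sequences:
        sequences[account].sort(key=lambda event: event[0])
    return dict(sequences)


def extract_case_window(subject_sequences, case, before=WINDOW_BEFORE, after=WINDOW_AFTER):
    """S304: select the involved subject's sequence and keep the calls inside
    [case time - before, case time + after], preserving call order."""
    events = subject_sequences.get(case["subject"], [])
    t0 = datetime.fromisoformat(case["timestamp"])
    lo, hi = t0 - before, t0 + after
    return [api for ts, api in events if lo <= ts <= hi]


def case_sequences(records, cases, before=WINDOW_BEFORE, after=WINDOW_AFTER):
    """The historical traffic behavior sequence associated with each confirmed case.
    Note: the traffic period must start before and end after every case window
    (paragraph [0029]), otherwise the extracted sequence is silently truncated."""
    subject_sequences = build_subject_sequences(records)
    return {case["case_id"]: extract_case_window(subject_sequences, case, before, after)
            for case in cases}


if __name__ == "__main__":
    print(case_sequences(GATEWAY_RECORDS, CONFIRMED_CASES))
```

The same `build_subject_sequences` step, run over the traffic of one processing cycle instead of the historical period, yields the incremental traffic behavior sequence of S312.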
[0044] In this embodiment, server 20 constructs a historical traffic behavior sequence at the subject dimension based on historical application layer traffic passing through the application layer gateway, which can collect full behavioral data of users at the traffic entry point; based on the case data corresponding to each of the multiple confirmed risk cases, it filters out the historical traffic behavior sequences associated with each of the multiple confirmed risk cases from the historical traffic behavior sequence at the subject dimension, which helps to discover potential risk behavior patterns and improves the accuracy of risk control.
[0045] S306: Based on the historical traffic behavior sequences associated with each of the multiple confirmed risk cases, obtain at least one high-risk historical traffic behavior sequence and at least one high-risk call interface from the high-risk historical traffic behavior sequence.
[0046] Optionally, server 20 analyzes the clustering characteristics of historical traffic behavior sequences associated with each of the confirmed risk cases based on the case type of the confirmed risk cases, and obtains at least one high-risk historical traffic behavior sequence and at least one high-risk call interface from the high-risk historical traffic behavior sequence based on the clustering characteristics of the historical traffic behavior sequences associated with each of the confirmed risk cases.
[0047] In one embodiment, based on the historical traffic behavior sequences associated with each of multiple confirmed risk cases, obtaining at least one high-risk historical traffic behavior sequence and at least one high-risk calling interface from the high-risk historical traffic behavior sequence includes: obtaining sequence clustering features corresponding to the historical traffic behavior sequences associated with each of the multiple confirmed risk cases; based on the sequence clustering features, selecting at least one high-risk historical traffic behavior sequence from the historical traffic behavior sequences associated with each of the multiple confirmed risk cases; obtaining interface clustering features corresponding to the calling interfaces in the at least one high-risk historical traffic behavior sequence; and based on the interface clustering features, selecting at least one high-risk calling interface from the at least one high-risk historical traffic behavior sequence.
[0048] The sequence clustering characteristics include sequence occurrence frequency and sequence occurrence count, while the interface clustering characteristics include interface call frequency and interface call count. Optionally, server 20 obtains the sequence occurrence frequency and sequence occurrence count corresponding to the historical traffic behavior sequences associated with each of the multiple confirmed risk cases, and selects sequences with higher sequence occurrence frequencies and sequence occurrence counts from the historical traffic behavior sequences associated with each of the multiple confirmed risk cases as at least one high-risk historical traffic behavior sequence. Then, server 20 obtains the interface call frequency and interface call count corresponding to the interfaces called in at least one high-risk historical traffic behavior sequence, and selects interfaces with higher interface call frequencies and interface call counts from the interfaces called in each high-risk historical traffic behavior sequence as at least one high-risk calling interface.
[0049] In this embodiment, the server analyzes the sequence clustering characteristics of the historical traffic behavior sequences associated with multiple confirmed risk cases, and filters out at least one high-risk historical traffic behavior sequence and at least one high-risk call interface from the historical traffic behavior sequences. This helps to construct a risk behavior sequence template based on at least one high-risk historical traffic behavior sequence and at least one high-risk call interface, thereby uncovering potential risk behavior patterns and improving the accuracy of risk control.
[0050] S308: Determine the invocation order of at least one high-risk API based on at least one high-risk historical traffic behavior sequence.
[0051] Understandably, the high-risk historical traffic behavior sequence includes multiple interface identifiers arranged in the order of invocation. The server 20 determines the invocation order of each group of high-risk call interfaces corresponding to each high-risk historical traffic behavior sequence based on the invocation order of the interface identifiers in each high-risk historical traffic behavior sequence.
[0052] S310: Combine high-risk API calls into a risk behavior sequence template according to the call order.
[0053] Optionally, the server 20 combines at least one high-risk call interface into a risk behavior sequence template according to the call order of each group of high-risk call interfaces. For example, it can be [risk interface A, risk interface A, risk interface A, risk interface B, risk interface B, risk interface C, ...].
[0054] In this embodiment, the server obtains at least one high-risk historical traffic behavior sequence and at least one high-risk call interface from the historical traffic behavior sequences associated with each of the multiple confirmed risk cases, and combines the at least one high-risk historical traffic behavior sequence and at least one high-risk call interface to form each risk behavior sequence template, which can effectively uncover potential risk behavior patterns and improve the accuracy of risk control.
[0055] S312: Based on incremental application layer traffic passing through the application layer gateway, construct an incremental traffic behavior sequence at the subject dimension.
[0056] The incremental traffic behavior sequence at the subject level can be, but is not limited to, incremental traffic behavior sequences at the user account level or device ID level. The following explanation uses the user account level incremental traffic behavior sequence as an example to illustrate this.
[0057] Optionally, server 20 parses and cleans incremental application-layer traffic passing through the application-layer gateway at preset time intervals to construct an incremental traffic behavior sequence at the user account level. Understandably, the incremental traffic behavior sequence at the user account level is a structured data sequence formed by arranging and aggregating all application-layer network access behaviors generated by a user within a preset time window in chronological order, using the user account as a unique identifier. Specifically, server 20 extracts key fields such as user account, timestamp, and API call from the incremental application-layer traffic passing through the application-layer gateway within the preset time window, then aggregates them using the user account as the primary key, and sorts all of the user's behaviors according to the timestamp, ultimately forming the incremental traffic behavior sequence at the user account level.
[0058] S314: Calculate the matching degree between the risk behavior sequence template and the incremental traffic behavior sequence of the subject dimension corresponding to the incremental application layer traffic.
[0059] Optionally, server 20 calculates the matching degree between the risk behavior sequence template and the incremental traffic behavior sequence of the subject dimension corresponding to the incremental application layer traffic, based on the longest common subsequence between the risk behavior sequence template and the incremental traffic behavior sequence of the subject dimension (such as the user account dimension). Specifically, server 20 determines the matching degree between the two based on the ratio of the length of the longest common subsequence to the length of the risk behavior sequence template.
[0060] For example, the risk behavior sequence template is [risk interface A, risk interface A, risk interface B], and the incremental traffic behavior sequence of the subject dimension is [risk interface A, risk interface X, risk interface A, risk interface Y, risk interface B, risk interface Z]. In this case, the longest common subsequence between the risk behavior sequence template and the incremental traffic behavior sequence of the subject dimension is [risk interface A, risk interface A, risk interface B]. Since the length of the risk behavior sequence template is 3, the matching degree between the risk behavior sequence template and the incremental traffic behavior sequence of the subject dimension corresponding to the incremental application layer traffic is 100%.
[0061] In this embodiment, the server 20 calculates the matching degree between the risk behavior sequence template and the incremental traffic behavior sequence of the subject dimension by determining the longest common subsequence between them. This can effectively exclude general call interfaces that appear in the incremental traffic behavior sequence and only focus on the frequency and order of high-risk call interfaces, which effectively improves the accuracy and rationality of the matching calculation, thereby improving the accuracy of risk control.
[0062] S316: Identify incremental traffic behavior sequences that have reached a preset matching degree threshold as suspicious incremental traffic behavior sequences.
[0063] The preset matching threshold is a pre-defined similarity threshold, such as 90%, and can be adjusted according to actual needs, for example to 80% or 100%. A higher matching threshold requires closer similarity between a suspicious incremental traffic behavior sequence and the risk behavior sequence template, but also reduces fault tolerance. Optionally, server 20 identifies incremental traffic behavior sequences whose matching degree reaches 90% as suspicious incremental traffic behavior sequences.
[0064] S318: Compare and verify the subjects of suspicious incremental traffic behavior sequences with the subjects of potential risk cases.
[0065] Among them, potential risk cases are those that have been identified as having risks based on pre-set rules and strategies, but have not yet been reported.
[0066] Optionally, server 20 collects multi-dimensional metadata, including device and behavior data, during user registration, login, and transfers, based on proactive security event monitoring. Then, based on pre-defined rules and policies, such as whether a user's login failure count exceeds a preset threshold or their transfer frequency exceeds a preset frequency threshold, it identifies the risk level of each case. Cases whose risk level exceeds a preset threshold and that have not been reported are designated as potential risk cases. The server stores the corresponding entity identifiers (such as the involved user account and device ID), bank card number, case details, and timestamps for each potential risk case in the data storage system. After identifying suspicious incremental traffic behavior sequences in the incremental application layer traffic, the entity of each suspicious incremental traffic behavior sequence is compared and verified against the entities of the potential risk cases to confirm the accuracy of the suspicious incremental traffic behavior sequence. Specifically, if the subject of a suspicious incremental traffic behavior sequence is not among the subjects corresponding to the multiple potential risk cases in the data storage system, the server 20 determines that the verification result for that suspicious incremental traffic behavior sequence is "verification failed"; if the subject of a suspicious incremental traffic behavior sequence is among the subjects corresponding to the multiple potential risk cases in the data storage system, the server 20 determines that the verification result for that suspicious incremental traffic behavior sequence is "verification passed".
[0067] S320: Perform risk control operations on entities whose suspicious incremental traffic behavior sequences have been verified.
[0068] Optionally, server 20 performs risk control operations on entities whose suspicious incremental traffic behavior sequences have been verified, and reports the risk information to the data storage system. Specifically, the risk control operations performed by server 20 on entities whose suspicious incremental traffic behavior sequences have been verified include, but are not limited to: controlling the user account access permissions of the entity, controlling the bank card transfer limit of the entity, and sending security warning information to the entity.
[0069] In this embodiment, server 20 constructs an incremental traffic behavior sequence based on incremental application layer traffic from the traffic entry point, calculates the matching degree between the incremental traffic behavior sequence and the risk behavior sequence template, effectively quantifies the risk level of user behavior, and improves the comprehensiveness and accuracy of risk control; by comparing and verifying suspicious subjects with potential risk cases, a risk case review step is added on the basis of identifying suspicious incremental traffic behavior sequences, which effectively improves the reliability of risk control; by performing risk control operations on verified subjects, an automated closed loop from risk identification to risk disposal is formed, and the entire process effectively improves the reliability of risk control.
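The online phase S312 to S318 as an added worked example (not code from the patent or its assignee): per-account sequences are built from constructed gateway records, the matching degree is the longest common subsequence length divided by the template length as in [0059], subjects reaching the threshold are flagged, and the flag is verified against the subjects of potential risk cases. Interface names, timestamps, account identifiers and the two templates are constructed placeholders.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Set, Tuple

# Constructed incremental gateway records for one preset time window:
# (user_account, unix_timestamp, called_api). Sample data for this example
# only; deliberately out of timestamp order to show the S312 sort step.
INCREMENTAL_TRAFFIC: List[Tuple[str, int, str]] = [
    ("acct-1001", 1700000003, "/bind_card"),
    ("acct-1001", 1700000001, "/query_balance"),
    ("acct-1002", 1700000001, "/login"),
    ("acct-1001", 1700000002, "/home"),
    ("acct-1001", 1700000005, "/transfer"),
    ("acct-1001", 1700000004, "/query_balance"),
    ("acct-1002", 1700000002, "/home"),
    ("acct-1002", 1700000003, "/logout"),
    ("acct-1001", 1700000006, "/logout"),
]

# Constructed risk behavior sequence templates from the offline phase (placeholders).
TEMPLATES: List[List[str]] = [
    ["/query_balance", "/bind_card", "/transfer"],
    ["/query_balance", "/query_balance", "/bind_card", "/transfer"],
]

# Constructed subjects of potential risk cases held in the data storage system (S318).
POTENTIAL_RISK_CASE_SUBJECTS: Set[str] = {"acct-1001", "acct-2077"}


def build_subject_sequences(records) -> Dict[str, List[str]]:
    """S312: aggregate calls by user account (primary key), order by timestamp."""
    by_account: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for account, ts, api in records:
        by_account[account].append((ts, api))
    return {acct: [api for _, api in sorted(calls, key=lambda c: c[0])]
            for acct, calls in by_account.items()}


def lcs_length(a: Sequence[str], b: Sequence[str]) -> int:
    """Length of the longest common subsequence (not substring), O(len(a)*len(b))."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, start=1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def matching_degree(template: Sequence[str], sequence: Sequence[str]) -> float:
    """S314: |LCS(template, sequence)| / |template|. General interfaces in the
    live sequence (e.g. /home) do not lower the score; the order and
    multiplicity of the high-risk interfaces do."""
    if not template:
        raise ValueError("risk behavior sequence template must be non-empty")
    return lcs_length(template, sequence) / len(template)


def screen(records, templates, threshold: float) -> Dict[str, float]:
    """S316: subjects whose best template match reaches the preset threshold."""
    suspicious: Dict[str, float] = {}
    for account, seq in build_subject_sequences(records).items():
        best = max(matching_degree(t, seq) for t in templates)
        if best >= threshold:
            suspicious[account] = best
    return suspicious


def verify(suspicious: Dict[str, float], potential_subjects: Set[str]) -> Dict[str, bool]:
    """S318: verification passes only if the subject is also a potential risk case."""
    return {acct: acct in potential_subjects for acct in suspicious}


if __name__ == "__main__":
    flagged = screen(INCREMENTAL_TRAFFIC, TEMPLATES, threshold=0.9)
    for acct, passed in verify(flagged, POTENTIAL_RISK_CASE_SUBJECTS).items():
        print(acct, f"match={flagged[acct]:.2f}",
              "verification passed" if passed else "verification failed")
```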
[0070] In the aforementioned risk control method, during the offline analysis phase, the server constructs a historical traffic behavior sequence at the subject level based on historical application layer traffic passing through the application layer gateway. Based on the case data corresponding to each of the multiple confirmed risk cases, it filters out the historical traffic behavior sequences associated with each of the confirmed risk cases from the historical traffic behavior sequences at the subject level. Based on the historical traffic behavior sequences associated with each of the confirmed risk cases, it obtains at least one high-risk historical traffic behavior sequence and at least one high-risk call interface from the high-risk historical traffic behavior sequence. Based on the at least one high-risk historical traffic behavior sequence, it determines the calling order of the at least one high-risk call interface and, according to the calling order, combines the high-risk call interfaces into risk behavior sequence templates. In this way, potential risk behavior patterns can be mined from the full range of user behavior data at the traffic entry point, improving the accuracy of risk control. During the online processing phase, the server constructs incremental traffic behavior sequences at the subject dimension based on incremental application layer traffic passing through the application layer gateway. The matching degree between the risk behavior sequence template and the corresponding subject dimension incremental traffic behavior sequences is calculated. Incremental traffic behavior sequences with a matching degree reaching a preset threshold are identified as suspicious incremental traffic behavior sequences. This effectively quantifies the risk level of user behavior based on incremental application layer traffic from the traffic entry point and the risk behavior sequence template, improving the coverage and accuracy of risk control.
The above method effectively improves the accuracy and coverage of risk control, thereby enhancing its reliability.
[0071] In one embodiment, as shown in Figure 4, another risk control method is provided. Taking its application to server 20 in Figure 1 as an example, the method includes the following steps: S402: Based on historical application layer traffic passing through the application layer gateway, construct a historical traffic behavior sequence at the subject level.
[0072] The historical traffic behavior sequence of the subject dimension can be, but is not limited to, the historical traffic behavior sequence of the user account dimension, the historical traffic behavior sequence of the device number dimension, etc.
[0073] Specifically, S402 is the same as S302, and will not be repeated here.
[0074] S404: Based on the identifiers of the parties involved in each of the multiple confirmed risk cases, filter out the historical traffic behavior sequences corresponding to the parties involved in the multiple confirmed risk cases from the historical traffic behavior sequences at the subject level.
[0075] Understandably, the identifier of the entity involved in the case can be either the identifier of the user account involved in the case or the identifier of the device number involved in the case. Specifically, when the historical traffic behavior sequence at the entity level constructed in S402 is a historical traffic behavior sequence at the user account level, the identifier of the entity involved in the case is the identifier of the user account involved in the case; when the historical traffic behavior sequence at the entity level constructed in S402 is a historical traffic behavior sequence at the device number level, the identifier of the entity involved in the case is the identifier of the device number involved in the case.
[0076] Optionally, the server 20 filters out the historical traffic behavior sequence corresponding to the aforementioned user accounts involved in the case from the historical traffic behavior sequence at the user account level, based on the identification of the user accounts involved in the case corresponding to each of the multiple confirmed risk cases.
[0077] S406: Based on the timestamps of each of the multiple confirmed risk cases, extract the sequence before and after the time point of the case from the historical traffic behavior sequence of the subjects involved in the multiple confirmed risk cases, and use it as the historical traffic behavior sequence associated with each of the multiple confirmed risk cases.
[0078] Optionally, the server extracts the sequence of the user accounts involved in the case within a period before and after the time point of the case from the historical traffic behavior sequence corresponding to the aforementioned user accounts involved in the case, based on the timestamps of the cases corresponding to each of the multiple confirmed risk cases, as the historical traffic behavior sequence associated with each of the multiple confirmed risk cases.
[0079] In this embodiment, the server uses the subjects and timestamps of each of the confirmed risk cases to filter out the historical traffic behavior sequences associated with each of the confirmed risk cases from the historical traffic behavior sequences of the subject dimension. This can completely capture the dynamic behavioral context of users before and after the occurrence of the risk case, providing a reliable data foundation for subsequent risk behavior pattern mining, ensuring the reliability of the generated risk behavior sequence template, and thus ensuring the reliability of risk control.
[0080] S408: Obtain the sequence clustering characteristics corresponding to the historical traffic behavior sequences associated with each of the multiple confirmed risk cases; wherein, the sequence clustering characteristics include the sequence occurrence frequency and the sequence occurrence number.
[0081] Optionally, server 20 statistically analyzes the sequence clustering characteristics of the historical traffic behavior sequences associated with each of the multiple confirmed risk cases, namely the sequence occurrence frequency and the sequence occurrence count of each historical traffic behavior sequence. The sequence occurrence frequency is the proportion of the historical traffic behavior sequences associated with confirmed risk cases in which a given sequence pattern appears, and can be calculated by dividing the number of sequences exhibiting that sequence pattern by the total number of historical traffic behavior sequences associated with the confirmed risk cases. The sequence occurrence count is the total number of times a given sequence pattern appears across all historical traffic behavior sequences associated with the confirmed risk cases.
[0082] S410: Select historical traffic behavior sequences whose sequence occurrence frequency is higher than a first preset frequency threshold and whose sequence occurrence count is higher than a first preset count threshold from the historical traffic behavior sequences associated with the multiple confirmed risk cases, and use them as at least one high-risk historical traffic behavior sequence.
[0083] Optionally, the server 20 compares the occurrence frequency and occurrence count of each sequence pattern with the first preset frequency threshold and the first preset count threshold, respectively. Only when a sequence pattern simultaneously satisfies both conditions, namely an occurrence frequency higher than the first preset frequency threshold and an occurrence count higher than the first preset count threshold, is it determined to be a high-risk historical traffic behavior sequence.
[0084] S412: Obtain the interface clustering characteristics corresponding to the interface calls in at least one high-risk historical traffic behavior sequence; wherein, the interface clustering characteristics include interface call frequency and interface call count.
[0085] Optionally, server 20 statistically analyzes the interface clustering characteristics corresponding to at least one high-risk historical traffic behavior sequence, including the interface call frequency and the interface call count of each interface in each high-risk historical traffic behavior sequence. Here, interface call frequency refers to the proportion of a given interface appearing in its corresponding high-risk historical traffic behavior sequence, and can be calculated by dividing the number of times the given interface appears by the total number of interfaces in the corresponding high-risk historical traffic behavior sequence. Interface call count refers to the number of times a given interface appears in its corresponding high-risk historical traffic behavior sequence.
[0086] S414: Select, from the at least one high-risk historical traffic behavior sequence, calling interfaces whose interface call frequency is higher than a second preset frequency threshold and whose interface call count is higher than a second preset count threshold, as at least one high-risk calling interface.
[0087] Optionally, the server 20 compares the call frequency and call count of each call interface in each high-risk historical traffic behavior sequence with the second preset frequency threshold and the second preset count threshold, respectively. Only when a call interface simultaneously satisfies both conditions, namely a call frequency higher than the second preset frequency threshold and a call count higher than the second preset count threshold, is it determined to be a high-risk call interface.
[0088] In this embodiment, the server identifies common risk behavior sequences of confirmed risk cases by analyzing the frequency and occurrence of historical traffic behavior sequences associated with each of the confirmed risk cases. Based on the selected high-risk behavior sequences, the server further filters out high-risk calling interfaces in each high-risk behavior sequence by analyzing the frequency and occurrence of interface calls. This helps to construct risk behavior sequence templates based on the selected high-risk behavior sequences and high-risk calling interfaces, effectively improving the reliability of risk control.
[0089] S416: Determine the invocation order of at least one high-risk API based on at least one high-risk historical traffic behavior sequence.
[0090] Specifically, S416 is the same as S308, and will not be repeated here.
[0091] S418: Combine high-risk API calls into a risk behavior sequence template according to the call order.
[0092] Specifically, S418 is the same as S310, and will not be repeated here.
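The offline template generation S408 to S418 as an added worked example (not code from the patent or its assignee): sequence-level frequency and count are computed for each pattern across the constructed case sequences, patterns passing the first thresholds are kept, interface-level frequency and count are computed inside each kept pattern, and the interfaces passing the second thresholds are combined in the pattern's own call order into a template shaped like the [0053] example. Two assumptions are made: a "sequence pattern" is taken to be a contiguous window of a fixed number of calls, since the patent does not fix the pattern granularity, and all interface names, sequences and thresholds are constructed placeholders.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed historical traffic behavior sequences, one per confirmed risk case
# (interface identifiers in call order). Sample data for this example only; the
# interface names are placeholders, not the patent's.
CASE_SEQUENCES: List[List[str]] = [
    ["/login", "/query_balance", "/query_balance", "/query_balance",
     "/bind_card", "/bind_card", "/transfer", "/transfer", "/logout"],
    ["/heartbeat", "/login", "/query_balance", "/query_balance", "/query_balance",
     "/bind_card", "/bind_card", "/transfer", "/transfer"],
    ["/login", "/query_balance", "/query_balance", "/query_balance",
     "/bind_card", "/bind_card", "/transfer", "/transfer", "/home"],
    ["/login", "/home", "/logout"],
]

Pattern = Tuple[str, ...]


def sequence_cluster_features(case_sequences: Sequence[Sequence[str]],
                              window: int) -> Dict[Pattern, Tuple[float, int]]:
    """S408: sequence occurrence frequency and count per sequence pattern.

    Assumption: a 'sequence pattern' is a contiguous run of `window` calls.
    frequency = share of case sequences containing the pattern at least once,
    count     = total occurrences over all case sequences.
    """
    occurrences: Counter = Counter()
    cases_containing: Counter = Counter()
    for seq in case_sequences:
        windows = [tuple(seq[i:i + window]) for i in range(len(seq) - window + 1)]
        occurrences.update(windows)
        cases_containing.update(set(windows))
    total_cases = len(case_sequences)
    return {p: (cases_containing[p] / total_cases, occurrences[p]) for p in occurrences}


def select_high_risk_sequences(features, freq_threshold, count_threshold) -> List[Pattern]:
    """S410: keep patterns whose frequency AND count exceed the first thresholds."""
    ranked = sorted(features.items(), key=lambda kv: (-kv[1][0], -kv[1][1], kv[0]))
    return [p for p, (freq, count) in ranked
            if freq > freq_threshold and count > count_threshold]


def interface_cluster_features(pattern: Pattern) -> Dict[str, Tuple[float, int]]:
    """S412: per-interface call frequency (share of calls in the pattern) and call count."""
    counts = Counter(pattern)
    return {api: (n / len(pattern), n) for api, n in counts.items()}


def select_high_risk_interfaces(pattern, freq_threshold, count_threshold) -> set:
    """S414: keep interfaces whose frequency AND count exceed the second thresholds."""
    return {api for api, (freq, count) in interface_cluster_features(pattern).items()
            if freq > freq_threshold and count > count_threshold}


def build_templates(case_sequences, window, seq_freq_t, seq_count_t,
                    api_freq_t, api_count_t) -> List[List[str]]:
    """S408-S418: high-risk patterns restricted to high-risk interfaces, in call order."""
    templates: List[List[str]] = []
    feats = sequence_cluster_features(case_sequences, window)
    for pattern in select_high_risk_sequences(feats, seq_freq_t, seq_count_t):
        risky = select_high_risk_interfaces(pattern, api_freq_t, api_count_t)
        # S416/S418: the pattern's own order (and multiplicity) gives the template order;
        # general interfaces such as /login drop out at the interface-level filter.
        template = [api for api in pattern if api in risky]
        if template and template not in templates:
            templates.append(template)
    return templates


if __name__ == "__main__":
    for t in build_templates(CASE_SEQUENCES, window=8, seq_freq_t=0.5, seq_count_t=2,
                             api_freq_t=0.2, api_count_t=1):
        print(t)
```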
[0093] S420: Based on incremental application layer traffic passing through the application layer gateway, construct an incremental traffic behavior sequence at the subject level.
[0094] Specifically, S420 is the same as S312, and will not be repeated here.
[0095] S422: Calculate the matching degree between the risk behavior sequence template and the incremental traffic behavior sequence of the subject dimension corresponding to the incremental application layer traffic.
[0096] Specifically, S422 is the same as S314, and will not be repeated here.
[0097] S424: Identify incremental traffic behavior sequences that have reached a preset matching degree threshold as suspicious incremental traffic behavior sequences.
[0098] Specifically, S424 is the same as S316, and will not be repeated here.
[0099] S426: Compare and verify the subject of the suspicious incremental traffic behavior sequence with the subject of the potential risk case.
[0100] Specifically, S426 is the same as S318, and will not be repeated here.
[0101] S428: Perform risk control operations on entities that have passed verification of suspicious incremental traffic behavior sequences.
[0102] Specifically, S428 is the same as S320, and will not be repeated here.
[0103] In the aforementioned risk control method, during the offline analysis phase, the server constructs a historical traffic behavior sequence at the subject level based on historical application layer traffic passing through the application layer gateway. Based on the case data corresponding to each of the multiple confirmed risk cases, it filters out the historical traffic behavior sequences associated with each of the confirmed risk cases from the historical traffic behavior sequences at the subject level. Based on the historical traffic behavior sequences associated with each of the confirmed risk cases, it obtains at least one high-risk historical traffic behavior sequence and at least one high-risk call interface from the high-risk historical traffic behavior sequence. Based on the at least one high-risk historical traffic behavior sequence, it determines the calling order of the at least one high-risk call interface and, according to the calling order, combines the high-risk call interfaces into risk behavior sequence templates. In this way, potential risk behavior patterns can be mined from the full range of user behavior data at the traffic entry point, improving the accuracy of risk control. During the online processing phase, the server constructs incremental traffic behavior sequences at the subject dimension based on incremental application layer traffic passing through the application layer gateway. The matching degree between the risk behavior sequence template and the corresponding subject dimension incremental traffic behavior sequences is calculated. Incremental traffic behavior sequences with a matching degree reaching a preset threshold are identified as suspicious incremental traffic behavior sequences. This effectively quantifies the risk level of user behavior based on incremental application layer traffic from the traffic entry point and the risk behavior sequence template, improving the coverage and accuracy of risk control.
The above method effectively improves the accuracy and coverage of risk control, thereby enhancing its reliability.
[0104] To illustrate the technical solution of the risk control method in the embodiments of this specification in detail, the following specific application example is used to explain the entire process, which includes the following steps:
Phase 1: Offline Analysis Phase
1. The server parses and cleans the application layer traffic sent by the collection probe (Agent) deployed on the application layer gateway to obtain the historical application layer traffic that passed through the application layer gateway within the first preset time period.
[0105] 2. The server retrieves case data corresponding to multiple confirmed risk cases within a second preset time period from the data storage system, including the user accounts, bank card numbers, causes of action, and timestamps corresponding to each of the multiple confirmed risk cases; wherein the start time of the second preset time period is later than the start time of the first preset time period, and the end time of the second preset time period is earlier than the end time of the first preset time period.
[0106] 3. Based on historical application layer traffic passing through the application layer gateway, the server obtains the historical traffic behavior sequences associated with each of the multiple confirmed risk cases. Specifically, it performs the following processing: A) The server constructs a historical traffic behavior sequence at the user account level based on historical application layer traffic passing through the application layer gateway.
[0107] B) Based on the identifiers of the user accounts involved in multiple confirmed risk cases, the server filters out the historical traffic behavior sequences corresponding to the user accounts involved in multiple confirmed risk cases from the historical traffic behavior sequences at the user account level.
[0108] C) Based on the timestamps corresponding to the cases in each of the multiple confirmed risk cases, the server extracts the sequence before and after the time point of the case from the historical traffic behavior sequence corresponding to the user accounts involved in the multiple confirmed risk cases, and uses it as the historical traffic behavior sequence associated with each of the multiple confirmed risk cases.
[0109] 4. The server generates a risk behavior sequence template based on the historical traffic behavior sequences associated with each of the multiple confirmed risk cases. Specifically, it performs the following processing: A) The server obtains the sequence clustering characteristics of the historical traffic behavior sequences associated with each of the multiple confirmed risk cases, including the sequence occurrence frequency and the sequence occurrence number.
[0110] B) The server selects historical traffic behavior sequences whose sequence occurrence frequency is higher than the first preset frequency threshold and whose sequence occurrence count is higher than the first preset count threshold from the historical traffic behavior sequences associated with the multiple confirmed risk cases, and uses them as at least one high-risk historical traffic behavior sequence.
[0111] C) The server obtains the interface clustering characteristics corresponding to the calling interfaces in the at least one high-risk historical traffic behavior sequence, namely the interface call frequency and the interface call count.
[0112] D) The server selects, from the at least one high-risk historical traffic behavior sequence, calling interfaces whose interface call frequency is higher than the second preset frequency threshold and whose interface call count is higher than the second preset count threshold, as at least one high-risk calling interface.
[0113] E) The server determines the invocation order of at least one high-risk API based on at least one high-risk historical traffic behavior sequence.
[0114] F) The server combines high-risk call interfaces into a risk behavior sequence template according to the call order. For example, it can be [risk interface A, risk interface A, risk interface A, risk interface B, risk interface B, risk interface C, ...].
[0115] Phase 2: Online Processing Phase
1. The server parses and cleans incremental application layer traffic passing through the application layer gateway at preset time intervals, and constructs an incremental traffic behavior sequence at the user account level.
[0116] 2. The server retrieves case data corresponding to multiple potential risk cases from the data storage system, including the user accounts involved in each potential risk case.
[0117] 3. The server calculates the matching degree between the risk behavior sequence template generated in the offline analysis phase and the incremental traffic behavior sequence of the user account dimension mentioned above.
[0118] 4. The server identifies incremental traffic behavior sequences that reach a preset matching threshold as suspicious incremental traffic behavior sequences.
[0119] 5. The server compares and verifies the user accounts corresponding to suspicious incremental traffic behavior sequences with the user accounts corresponding to potential risk cases, specifically performing the following processing: A) If the user account corresponding to a suspicious incremental traffic behavior sequence is not among the user accounts corresponding to the multiple potential risk cases in the data storage system, the server determines that the verification result for that suspicious incremental traffic behavior sequence is "verification failed".
[0120] B) If the user account corresponding to a suspicious incremental traffic behavior sequence is among the user accounts corresponding to the multiple potential risk cases in the data storage system, the server determines that the verification result for that suspicious incremental traffic behavior sequence is "verification passed".
[0121] 6. The server performs risk control operations on the user accounts corresponding to the verified suspicious incremental traffic behavior sequences, such as controlling the user account's usage permissions, controlling the user account's bank card transfer limit, sending security warning information to the user account, and reporting the risk information to the data storage system.
[0122] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages of other steps.
[0123] Based on the above-mentioned risk control method, as shown in Figure 5, the embodiments of this specification also provide a risk control device 500 for implementing the risk control method described above. The risk control device 500 includes: an acquisition module 501, used to acquire the historical traffic behavior sequences associated with each of the multiple confirmed risk cases based on the historical application layer traffic passing through the application layer gateway; a generation module 502, used to generate a risk behavior sequence template based on the historical traffic behavior sequences associated with each of the multiple confirmed risk cases; and a control module 503, used to perform risk control on incremental application layer traffic passing through the application layer gateway based on the risk behavior sequence template.
[0124] In one possible implementation, the acquisition module 501 is specifically used to: construct a historical traffic behavior sequence at the subject dimension based on historical application layer traffic passing through the application layer gateway; and filter out the historical traffic behavior sequences associated with each of the multiple confirmed risk cases from the historical traffic behavior sequence at the subject dimension according to the case data corresponding to each of the multiple confirmed risk cases.
[0125] In one possible implementation, the case data includes the identifier of the involved party and the timestamp of the case; the acquisition module 501 is specifically used to: based on the identifier of the involved party corresponding to each of the multiple confirmed risk cases, filter out the historical traffic behavior sequence corresponding to the involved parties of the multiple confirmed risk cases from the historical traffic behavior sequence of the involved parties in the subject dimension; based on the timestamp of the case corresponding to each of the multiple confirmed risk cases, extract the sequence before and after the time point of the case from the historical traffic behavior sequence corresponding to the involved parties of the multiple confirmed risk cases, as the historical traffic behavior sequence associated with each of the multiple confirmed risk cases.
[0126] In one possible implementation, the generation module 502 is specifically used to: obtain at least one high-risk historical traffic behavior sequence and at least one high-risk call interface in the high-risk historical traffic behavior sequence based on the historical traffic behavior sequences associated with each of the multiple confirmed risk cases; determine the calling order of at least one high-risk call interface according to the at least one high-risk historical traffic behavior sequence; and combine the high-risk call interfaces into a risk behavior sequence template according to the calling order.
[0127] In one possible implementation, the generation module 502 is specifically used to: obtain the sequence clustering features corresponding to the historical traffic behavior sequences associated with each of the multiple confirmed risk cases; based on the sequence clustering features, select at least one high-risk historical traffic behavior sequence from the historical traffic behavior sequences associated with each of the multiple confirmed risk cases; obtain the interface clustering features corresponding to the calling interfaces in the at least one high-risk historical traffic behavior sequence; and based on the interface clustering features, select at least one high-risk calling interface from the at least one high-risk historical traffic behavior sequence.
[0128] In one possible implementation, the sequence clustering feature includes sequence occurrence frequency and sequence occurrence count; the interface clustering feature includes interface call frequency and interface call count; the generation module 502 is specifically used to: select historical traffic behavior sequences with a sequence occurrence frequency higher than a first preset frequency threshold and a sequence occurrence count higher than the first preset frequency threshold from the historical traffic behavior sequences associated with multiple confirmed risk cases, as at least one high-risk historical traffic behavior sequence; and select calling interfaces with an interface call frequency higher than a second preset frequency threshold and an interface call count higher than the second preset frequency threshold from the at least one high-risk historical traffic sequence, as at least one high-risk calling interface.
[0129] In one possible implementation, the risk control device 500 further includes a sequence construction module for constructing an incremental traffic behavior sequence at the subject level based on the incremental application layer traffic passing through the application layer gateway; and the control module 503 is specifically used to: calculate the matching degree between the risk behavior sequence template and the incremental traffic behavior sequence at the subject level corresponding to the incremental application layer traffic; identify incremental traffic behavior sequences with a matching degree higher than a preset matching degree threshold as suspicious incremental traffic behavior sequences; compare and verify the subject of the suspicious incremental traffic behavior sequence against the subjects of potential risk cases; and perform risk control operations on the subject of the verified suspicious incremental traffic behavior sequence.
[0130] Each module in the aforementioned risk control device 500 can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in a computer device, or stored in the memory of a computer device as software, so that the processor can call and execute the operations corresponding to each module.
[0131] This specification also provides an electronic device, which may be a server, and whose internal structure may be as shown in Figure 6. This electronic device includes a processor, memory, input / output (I / O) interfaces, and a communication interface. The processor, memory, and I / O interfaces are connected via a system bus, and the communication interface is also connected to the system bus via the I / O interfaces. The processor provides computational and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and a database. The internal memory provides the environment in which the operating system and computer programs in the non-volatile storage media run. The database stores data on confirmed risk cases, potential risk cases, etc. The I / O interfaces are used for exchanging information between the processor and external devices. The communication interface is used for communicating with external terminals via a network. The processor executes the computer programs to implement a risk control method.
[0132] Those skilled in the art will understand that the structure shown in Figure 6 is merely a block diagram of a portion of the structure related to the scheme described in this specification, and does not constitute a limitation on the electronic devices to which the scheme described in this specification is applied. Specific electronic devices may include more or fewer components than those shown in the figures, or may combine certain components, or may have different component arrangements.
[0133] In one possible implementation, an electronic device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps: based on historical application layer traffic passing through the application layer gateway, obtain the historical traffic behavior sequences associated with each of the multiple confirmed risk cases; based on the historical traffic behavior sequences associated with each of the multiple confirmed risk cases, generate a risk behavior sequence template; and based on the risk behavior sequence template, perform risk control on incremental application layer traffic passing through the application layer gateway.
[0134] In one possible implementation, the processor, when executing the computer program, also performs the following steps: constructing a historical traffic behavior sequence at the subject dimension based on historical application layer traffic passing through the application layer gateway; and filtering out the historical traffic behavior sequences associated with each of the multiple confirmed risk cases from the historical traffic behavior sequence at the subject dimension, based on the case data corresponding to each of the multiple confirmed risk cases.
[0135] In one possible implementation, the case data includes the identifier of the involved party and the timestamp of the case; when the processor executes the computer program, it also performs the following steps: based on the identifier of the involved party corresponding to each of the multiple confirmed risk cases, it filters out the historical traffic behavior sequence corresponding to the involved parties of the multiple confirmed risk cases from the historical traffic behavior sequence of the involved parties at the subject dimension; based on the timestamp of the case corresponding to each of the multiple confirmed risk cases, it extracts the sequence before and after the time point of the case from the historical traffic behavior sequence corresponding to the involved parties of the multiple confirmed risk cases, as the historical traffic behavior sequence associated with each of the multiple confirmed risk cases.
[0136] In one possible implementation, the processor, when executing the computer program, further performs the following steps: based on the historical traffic behavior sequences associated with each of the multiple confirmed risk cases, obtain at least one high-risk historical traffic behavior sequence and at least one high-risk calling interface in the high-risk historical traffic behavior sequence; determine the calling order of at least one high-risk calling interface according to the at least one high-risk historical traffic behavior sequence; and combine the high-risk calling interfaces into a risk behavior sequence template according to the calling order.
[0137] In one possible implementation, the processor, when executing the computer program, also performs the following steps: obtaining sequence clustering features corresponding to the historical traffic behavior sequences associated with each of the multiple confirmed risk cases; based on the sequence clustering features, selecting at least one high-risk historical traffic behavior sequence from the historical traffic behavior sequences associated with each of the multiple confirmed risk cases; obtaining interface clustering features corresponding to the calling interfaces in the at least one high-risk historical traffic behavior sequence; and based on the interface clustering features, selecting at least one high-risk calling interface from the at least one high-risk historical traffic behavior sequence.
[0138] In one possible implementation, the sequence clustering feature includes sequence occurrence frequency and sequence occurrence count; the interface clustering feature includes interface call frequency and interface call count; when the processor executes the computer program, it further implements the following steps: from the historical traffic behavior sequences associated with multiple confirmed risk cases, select historical traffic behavior sequences whose sequence occurrence frequency is higher than a first preset frequency threshold and whose sequence occurrence count is higher than the first preset frequency threshold, as at least one high-risk historical traffic behavior sequence; from the at least one high-risk historical traffic sequence, select calling interfaces whose interface call frequency is higher than a second preset frequency threshold and whose interface call count is higher than the second preset frequency threshold, as at least one high-risk calling interface.
[0139] In one possible implementation, the processor, when executing the computer program, also performs the following steps: constructing an incremental traffic behavior sequence at the subject level based on the incremental application layer traffic passing through the application layer gateway; calculating the matching degree between the risk behavior sequence template and the incremental traffic behavior sequence at the subject level corresponding to the incremental application layer traffic; identifying incremental traffic behavior sequences with a matching degree higher than a preset matching degree threshold as suspicious incremental traffic behavior sequences; comparing and verifying the subjects of the suspicious incremental traffic behavior sequences with the subjects of potential risk cases; and performing risk control operations on the subjects of the verified suspicious incremental traffic behavior sequences.
[0140] This specification also provides a computer storage medium storing instructions that, when executed on a computer or processor, cause the computer or processor to perform one or more steps in the above embodiments. If the constituent modules of the above-described electronic device are implemented as software functional units and sold or used as independent products, they can be stored in the aforementioned computer storage medium.
[0141] This specification also provides a computer program product, including a computer program that, when executed by a processor, implements the steps in the above-described method embodiments.
[0142] In the above embodiments, implementation can be achieved, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, it can be implemented, in whole or in part, as a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this specification are produced. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in or transmitted through a computer-readable storage medium. The computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium can be any available medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more available media. The available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., Digital Versatile Discs (DVDs)), or semiconductor media (e.g., Solid State Disks (SSDs)).
[0143] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. This program can be stored in a computer-readable storage medium, and when executed, it can include the processes of the embodiments of the methods described above. The aforementioned storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks, or optical disks. Unless otherwise specified, the technical features of this embodiment and its implementation can be combined arbitrarily.
[0144] The embodiments described above are merely preferred embodiments of this specification and are not intended to limit the scope of this specification. Any modifications and improvements made by those skilled in the art to the technical solutions of this specification without departing from the spirit of this specification should fall within the protection scope defined by the claims.
[0145] It should be noted that the information, data and signals involved in the embodiments of this specification are all authorized by the user or fully authorized by all parties, and the collection, use and processing of related data must comply with the relevant laws, regulations and standards of the relevant countries and regions.
[0146] The foregoing has described specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in a different order than that shown in the embodiments and may still achieve the desired results. Furthermore, the processes depicted in the drawings do not necessarily require the specific or sequential order shown to achieve the desired results. In some embodiments, multitasking and parallel processing are possible or may be advantageous.
Claims
1. A risk control method, the method comprising: based on historical application layer traffic passing through an application layer gateway, obtaining the historical traffic behavior sequences associated with each of a plurality of confirmed risk cases; based on the historical traffic behavior sequences associated with each of the plurality of confirmed risk cases, generating a risk behavior sequence template; and based on the risk behavior sequence template, performing risk control on incremental application layer traffic passing through the application layer gateway; wherein the risk behavior sequence template is a template used to abstract commonalities of risk behaviors, and the risk behavior sequence template includes a plurality of high-risk call interfaces arranged in their order of invocation.
2. The method as described in claim 1, wherein obtaining the historical traffic behavior sequences associated with each of the plurality of confirmed risk cases based on historical application layer traffic passing through the application layer gateway includes: based on the historical application layer traffic passing through the application layer gateway, constructing historical traffic behavior sequences at the subject dimension; and based on the case data corresponding to each of the plurality of confirmed risk cases, filtering out the historical traffic behavior sequences associated with each of the plurality of confirmed risk cases from the historical traffic behavior sequences at the subject dimension.
3. The method as described in claim 2, wherein the case data includes the identifier of the involved party and the timestamp of the case, and filtering out the historical traffic behavior sequences associated with each of the plurality of confirmed risk cases from the historical traffic behavior sequences at the subject dimension based on the case data corresponding to each of the plurality of confirmed risk cases includes: based on the identifiers of the involved parties corresponding to each of the plurality of confirmed risk cases, filtering out the historical traffic behavior sequences corresponding to the involved parties of the plurality of confirmed risk cases from the historical traffic behavior sequences at the subject dimension; and based on the timestamps of the cases corresponding to each of the plurality of confirmed risk cases, extracting the sequence before and after the time point of the case from the historical traffic behavior sequences corresponding to the involved parties of the plurality of confirmed risk cases, as the historical traffic behavior sequence associated with each of the plurality of confirmed risk cases.
4. The method as described in claim 1, wherein generating a risk behavior sequence template based on the historical traffic behavior sequences associated with each of the plurality of confirmed risk cases includes: based on the historical traffic behavior sequences associated with each of the plurality of confirmed risk cases, obtaining at least one high-risk historical traffic behavior sequence and at least one high-risk call interface in the high-risk historical traffic behavior sequence; determining the calling order of the at least one high-risk call interface based on the at least one high-risk historical traffic behavior sequence; and combining the high-risk call interfaces into the risk behavior sequence template according to the calling order.
5. The method as described in claim 4, wherein obtaining at least one high-risk historical traffic behavior sequence and at least one high-risk call interface in the high-risk historical traffic behavior sequence based on the historical traffic behavior sequences associated with each of the plurality of confirmed risk cases comprises: obtaining the sequence clustering features corresponding to the historical traffic behavior sequences associated with each of the plurality of confirmed risk cases; based on the sequence clustering features, selecting at least one high-risk historical traffic behavior sequence from the historical traffic behavior sequences associated with each of the plurality of confirmed risk cases; obtaining the interface clustering features corresponding to the call interfaces in the at least one high-risk historical traffic behavior sequence; and based on the interface clustering features, selecting at least one high-risk call interface from the at least one high-risk historical traffic behavior sequence.
6. The method as described in claim 5, wherein the sequence clustering features include sequence occurrence frequency and sequence occurrence count, and the interface clustering features include interface call frequency and interface call count; selecting at least one high-risk historical traffic behavior sequence from the historical traffic behavior sequences associated with each of the plurality of confirmed risk cases based on the sequence clustering features includes: from the historical traffic behavior sequences associated with each of the plurality of confirmed risk cases, selecting the historical traffic behavior sequences whose sequence occurrence frequency reaches a first preset frequency threshold and whose sequence occurrence count reaches the first preset frequency threshold, as the at least one high-risk historical traffic behavior sequence; and selecting at least one high-risk call interface from the at least one high-risk historical traffic behavior sequence based on the interface clustering features includes: from the at least one high-risk historical traffic behavior sequence, selecting the call interfaces whose interface call frequency reaches a second preset frequency threshold and whose interface call count reaches the second preset frequency threshold, as the at least one high-risk call interface.
7. The method of claim 1, wherein before performing risk control on incremental application layer traffic passing through the application layer gateway based on the risk behavior sequence template, the method further comprises: based on the incremental application layer traffic passing through the application layer gateway, constructing incremental traffic behavior sequences at the subject dimension; and performing risk control on incremental application layer traffic passing through the application layer gateway based on the risk behavior sequence template includes: calculating the matching degree between the risk behavior sequence template and the incremental traffic behavior sequences at the subject dimension corresponding to the incremental application layer traffic; identifying incremental traffic behavior sequences whose matching degree reaches a preset matching degree threshold as suspicious incremental traffic behavior sequences; comparing and verifying the subjects of the suspicious incremental traffic behavior sequences against the subjects of potential risk cases; and performing risk control operations on the subjects of the verified suspicious incremental traffic behavior sequences.
8. A risk control device, the device comprising: an acquisition module, used to obtain the historical traffic behavior sequences associated with each of a plurality of confirmed risk cases based on the historical application layer traffic passing through an application layer gateway; a generation module, used to generate a risk behavior sequence template based on the historical traffic behavior sequences associated with each of the plurality of confirmed risk cases; and a control module, used to perform risk control on incremental application layer traffic passing through the application layer gateway based on the risk behavior sequence template.
9. An electronic device, comprising: a processor and a memory, wherein the memory stores a computer program, and when the processor executes the computer program, it implements the method steps of any one of claims 1-7.
10. A computer storage medium storing a plurality of instructions adapted for loading by a processor and executing the method steps as claimed in any one of claims 1-7.
11. A computer program product comprising a computer program that, when executed by a processor, implements the method steps of any one of claims 1-7.
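As an added worked example (not code from the patent or the applicant), the following Python runs the pipeline of paragraphs [0124] to [0129] and claims 1 to 7 end to end: per-subject sequences built from gateway records, extraction of the window around each confirmed case, frequency and count thresholds for sequence and interface clustering, template ordering, and a matching degree computed against incremental traffic that is then verified against potential risk cases. The sample traffic, the window size, the threshold values, the longest-common-subsequence matching metric and the mean-position ordering rule are all assumptions, since the patent fixes none of them.

```python
"""Added example, not the patent's own code: compact version of [0124]-[0129] / claims 1-7.
Thresholds, the case window, the LCS metric and every traffic record are assumptions."""
from collections import Counter, defaultdict

# Constructed application-layer gateway records: (subject identifier, timestamp, interface).
HISTORICAL_TRAFFIC = [
    ("u1", 1, "/login"), ("u1", 2, "/bind_card"), ("u1", 3, "/transfer"), ("u1", 4, "/logout"),
    ("u2", 1, "/login"), ("u2", 2, "/bind_card"), ("u2", 3, "/transfer"), ("u2", 4, "/logout"),
    ("u3", 1, "/login"), ("u3", 2, "/browse"), ("u3", 3, "/logout"),  # u3 is not a case
    ("u4", 1, "/login"), ("u4", 2, "/bind_card"), ("u4", 3, "/transfer"), ("u4", 4, "/browse"),
    ("u5", 1, "/login"), ("u5", 2, "/bind_card"), ("u5", 3, "/transfer"), ("u5", 4, "/browse"),
    ("u6", 1, "/login"), ("u6", 2, "/browse"), ("u6", 3, "/transfer"), ("u6", 9, "/logout"),
]
# Constructed case data per [0125]: (involved-party identifier, case timestamp).
CONFIRMED_CASES = [("u1", 3), ("u2", 3), ("u4", 3), ("u5", 3), ("u6", 3)]
# Constructed incremental traffic and potential-risk-case subjects used by [0129].
INCREMENTAL_TRAFFIC = [
    ("n1", 10, "/login"), ("n1", 11, "/bind_card"), ("n1", 12, "/transfer"),
    ("n2", 10, "/login"), ("n2", 11, "/browse"), ("n2", 12, "/logout"),
    ("n3", 10, "/bind_card"), ("n3", 11, "/login"), ("n3", 12, "/transfer"),  # wrong order
    ("n4", 10, "/login"), ("n4", 11, "/bind_card"), ("n4", 12, "/transfer"),
]
POTENTIAL_CASE_SUBJECTS = {"n1", "n7"}

def build_subject_sequences(traffic):
    """[0124]: one time-ordered list of (timestamp, interface) per subject."""
    per_subject = defaultdict(list)
    for subject, ts, iface in traffic:
        per_subject[subject].append((ts, iface))
    return {s: sorted(calls) for s, calls in per_subject.items()}

def case_sequences(subject_seqs, cases, window):
    """[0125]: keep only involved parties and cut the calls within +-window of the case time."""
    return [tuple(i for ts, i in subject_seqs.get(subj, []) if abs(ts - case_ts) <= window)
            for subj, case_ts in cases]

def generate_template(seqs, seq_thr, iface_thr):
    """[0126]-[0128]: sequence clustering -> high-risk sequences; interface clustering ->
    high-risk interfaces; then order the interfaces by mean position (assumed ordering rule).
    Each *_thr is (frequency threshold, count threshold); a feature must exceed both."""
    seq_counts = Counter(seqs)
    high_risk = {s: c for s, c in seq_counts.items()
                 if c / len(seqs) > seq_thr[0] and c > seq_thr[1]}
    iface_counts, positions = Counter(), defaultdict(list)
    for seq, c in high_risk.items():          # weight each sequence by how often it occurred
        for pos, iface in enumerate(seq):
            iface_counts[iface] += c
            positions[iface].extend([pos] * c)
    total_calls = sum(iface_counts.values())
    high_risk_ifaces = [i for i, c in iface_counts.items()
                        if c / total_calls > iface_thr[0] and c > iface_thr[1]]
    return sorted(high_risk_ifaces, key=lambda i: sum(positions[i]) / len(positions[i]))

def matching_degree(template, seq):
    """Assumed metric: longest common subsequence length over template length, so the
    template's calling order matters and out-of-order calls score lower."""
    lcs = [[0] * (len(seq) + 1) for _ in range(len(template) + 1)]
    for i, t in enumerate(template, 1):
        for j, s in enumerate(seq, 1):
            lcs[i][j] = lcs[i - 1][j - 1] + 1 if t == s else max(lcs[i - 1][j], lcs[i][j - 1])
    return lcs[-1][-1] / len(template)

def control_incremental(template, incremental_traffic, potential_case_subjects, match_thr):
    """[0129]: score each subject's incremental sequence, flag those above the threshold as
    suspicious, verify them against potential risk cases, return (scores, suspicious, verified)."""
    subject_seqs = build_subject_sequences(incremental_traffic)
    scores = {s: matching_degree(template, [i for _, i in calls]) for s, calls in subject_seqs.items()}
    suspicious = {s for s, d in scores.items() if d > match_thr}
    verified = sorted(suspicious & set(potential_case_subjects))
    return scores, suspicious, verified

if __name__ == "__main__":
    seqs = case_sequences(build_subject_sequences(HISTORICAL_TRAFFIC), CONFIRMED_CASES, window=2)
    template = generate_template(seqs, seq_thr=(0.3, 1), iface_thr=(0.2, 3))
    print(template)  # ['/login', '/bind_card', '/transfer']
    print(control_incremental(template, INCREMENTAL_TRAFFIC, POTENTIAL_CASE_SUBJECTS, 0.8))
```

With these inputs the one-off sequence of u6 and the low-frequency interfaces /logout and /browse are dropped by the thresholds, n4 is suspicious but not verified because it matches no potential risk case, and n3 scores only 2/3 because it calls the interfaces out of the template's order.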