An employee compliance abnormal behavior monitoring method based on big data analysis

By constructing a continuous performance behavior chain diagram for employees and using big data analysis, the problem of monitoring abnormal employee compliance behaviors across systems and processes was solved, enabling accurate location and tracing of abnormal behaviors and improving the accuracy and efficiency of monitoring.

CN122390486APending Publication Date: 2026-07-14FUJIAN ZHUOFONG INFORMATION TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
FUJIAN ZHUOFONG INFORMATION TECH CO LTD
Filing Date
2026-06-16
Publication Date
2026-07-14

Smart Images

  • Figure CN122390486A_ABST
    Figure CN122390486A_ABST
Patent Text Reader

Abstract

The application discloses a kind of staff compliance abnormal behavior monitoring method based on big data analysis, it is related to enterprise management data processing technical field.The staff compliance abnormal behavior monitoring method based on big data analysis, collect the staff business operation data in multiple business systems and post, right, process and compliance related data, generate behavior event record and build staff continuous job performance behavior link diagram;To the explicit compliance node of non-triggering compliance rule data is carried out implicit collaborative identification, deviates from comparison in combination with dynamic compliance behavior baseline, generates abnormal mark, risk level, responsibility node positioning result and disposal tracking information.The application builds staff continuous job performance behavior link diagram, identifies the implicit collaborative relationship between explicit compliance node, and deviates from judging in combination with dynamic compliance behavior baseline, can find abnormal job performance behavior that single operation compliance but there is risk after combination, improve compliance abnormal identification, trace and disposal tracking accuracy.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of enterprise management data processing technology, specifically to a method for monitoring abnormal employee compliance behavior based on big data analysis. Background Technology

[0002] As the number of enterprise business systems increases and internal management processes become more refined, employees' daily performance of duties is typically distributed across multiple business processes, including approvals, transactions, contracts, expenses, customer management, access control, and data access. Different positions have different responsibilities, operational permissions, process nodes, and risk boundaries. Furthermore, multiple operations performed by the same employee may form continuous relationships in terms of time sequence, business objects, and approval conditions. Traditional employee compliance monitoring methods often focus on verifying the results of individual operations, making it difficult to identify abnormal changes in employee performance from continuous business data across systems and processes.

[0003] The limitations of existing technologies include at least the following problems: Current employee compliance anomaly monitoring largely relies on post-event sampling and fixed rule judgments. During data processing, business operations such as employee approvals, transactions, contract processing, and permission calls are typically broken down into independent events for identification. This fails to form a continuous behavioral chain around job responsibilities, process nodes, permission boundaries, and operation triggering conditions. Consequently, when a single operation does not violate any rules, the abnormal performance risks formed by a combination of multiple seemingly compliant operations are difficult to detect. Because the monitored objects are broken down into discrete events, subsequent anomaly judgments often rely on historical sample summarization or manual experience thresholds, lacking integration with organizational structure, etc. The mechanism for synchronously correcting behavioral baselines based on changes in job responsibilities, business processes, and regulatory requirements is flawed. Boundary behaviors arising from normal business changes are easily misjudged as abnormal, and risky behaviors that slowly infiltrate over a long period may gradually be incorporated into the normal baseline, causing a deviation between monitoring results and actual compliance risks. Existing monitoring results usually remain at the level of simple alerts and records, making it difficult to reconstruct the evolution of abnormal behavior from early probing, actual execution to post-event concealment, and also difficult to accurately locate the responsible nodes, related personnel, and handling status corresponding to abnormal behaviors. This leads to a continuous accumulation of low-value alerts, dispersed verification resources, and difficulty in timely tracing and blocking high-risk abnormal behaviors. Summary of the Invention

[0004] To address the shortcomings of existing technologies, this invention provides a method for monitoring abnormal employee compliance behavior based on big data analysis. This method solves the problems in existing employee compliance monitoring, such as insufficient correlation between discrete business operations and continuous performance risks, which makes it difficult to identify implicit combined violations, abnormal judgments easily deviate from the actual business scenario, and the abnormal tracing and handling are not accurate enough.

[0005] To achieve the above objectives, this invention provides the following technical solution: a method for monitoring abnormal employee compliance behavior based on big data analysis, comprising the following steps: collecting employee business operation data, job responsibility data, permission configuration data, process node data, organizational structure change data, job authority change data, business process change data, and compliance rule data from multiple business systems; aligning and mapping the employee business operation data to generate behavior event records; based on job responsibility data, permission configuration data, process node data, and compliance rule data, associating the behavior event records with responsibilities, permissions, processes, and compliance rules to construct a continuous employee performance behavior link diagram, and marking nodes that have not triggered compliance rule data as explicit compliance nodes; and analyzing the temporal proximity and business relationships between explicit compliance nodes using an implicit collaborative identification algorithm. The system generates an implicit collaboration matrix and collaboration risk weights based on relationships such as aggregation, hierarchical permissions, and process bypass. It then generates a baseline for job compliance behavior based on job responsibility data, permission configuration data, process node data, and compliance rule data. This baseline is further refined using a drift correction algorithm to obtain a dynamic compliance behavior baseline by combining data on organizational structure changes, job responsibility changes, business process changes, and compliance rule data. Finally, it compares the deviations of behavioral event records and collaboration risk weights corresponding to explicit compliance nodes with the dynamic compliance behavior baseline to generate employee compliance anomaly behavior markers and employee compliance anomaly behavior risk levels. Based on these markers and risk levels, it traces back explicit compliance nodes along the employee's continuous performance behavior chain to identify early probing nodes, substantive execution nodes, post-event cover-up nodes, and responsibility nodes, generating handling tracking information.

[0006] Furthermore, the specific steps for aligning and mapping employee business operation data to generate behavior event records are as follows: Extract employee identifier, business system identifier, business object identifier, operation time, operation type, and operation result from the employee business operation data; establish field correspondence according to the business system identifier, and convert operation fields from different business systems into a unified field format; establish action mapping relationship according to operation type, mapping approval submission, approval approval, permission call, contract modification, fee submission, and data access to unified operation actions; write the unified field format and unified operation actions into the same behavior event record, and arrange the behavior event records according to employee identifier, business object identifier, and operation time; remove behavior event records that are missing employee identifier, business object identifier, or operation time to obtain standard behavior event records.

[0007] Furthermore, the specific steps for constructing the employee continuous performance behavior link diagram are as follows: Using standard behavior event records as nodes, determine the responsibility relationships, permission relationships, process relationships, and compliance rule relationships between standard behavior event records based on job responsibility data, permission configuration data, process node data, and compliance rule data; determine the process sequence relationship between standard behavior event records according to the same business object identifier and operation time; determine the permission dependency relationship between standard behavior event records according to permission configuration data and job responsibility data; connect the corresponding nodes with the process sequence relationship and permission dependency relationship as directed edges to form the employee continuous performance behavior link diagram; mark the nodes in the employee continuous performance behavior link diagram that have not triggered compliance rule data to obtain explicit compliance nodes.

[0008] Furthermore, the specific steps for analyzing the temporal proximity, business object aggregation, permission progression, and process detour relationships among explicit compliance nodes using the implicit collaboration identification algorithm are as follows: Temporal proximity relationships are generated based on the operation time differences corresponding to explicit compliance nodes; business object aggregation relationships are generated based on the number of times the business object identifiers of explicit compliance nodes overlap; permission progression relationships are generated based on the order of changes in permission configuration data corresponding to explicit compliance nodes; process detour relationships are generated based on the degree of offset between the process node data of explicit compliance nodes and the standard process order; the collaboration relationship values ​​between explicit compliance nodes are obtained by fusing the temporal proximity, business object aggregation, permission progression, and process detour relationships, and these collaboration relationship values ​​are then filled into the corresponding positions in the implicit collaboration relationship matrix.

[0009] Furthermore, the specific steps for generating collaborative risk weights based on the implicit collaborative relationship matrix are as follows: Read the matrix elements between each explicit compliance node and other explicit compliance nodes in the implicit collaborative relationship matrix; calculate the business aggregation intensity of explicit compliance nodes based on temporal proximity and business object aggregation relationships; calculate the evasion transmission intensity of explicit compliance nodes based on permission progression and process bypass relationships; weight and fuse the business aggregation intensity and evasion transmission intensity according to the node position of the corresponding explicit compliance node in the employee's continuous performance behavior link diagram to obtain the collaborative risk weight of the explicit compliance node; sort the explicit compliance nodes from high to low according to the collaborative risk weight to obtain a set of high-risk explicit compliance nodes.

[0010] Furthermore, the specific steps for obtaining the dynamic compliance behavior baseline using the drift correction algorithm are as follows: A job compliance behavior baseline is generated based on job responsibility data, permission configuration data, process node data, and compliance rule data; the job affiliation change coefficient is calculated based on organizational structure change data; the duty boundary change coefficient is calculated based on job responsibility change data and business process change data; the rule constraint change coefficient is calculated based on rule update content in the compliance rule data; and the job compliance behavior baseline is corrected by combining the job affiliation change coefficient, duty boundary change coefficient, and rule constraint change coefficient to obtain the dynamic compliance behavior baseline.

[0011] Furthermore, the specific steps for comparing the deviations of the behavioral event records and collaborative risk weights corresponding to explicit compliance nodes with the dynamic compliance behavior baseline are as follows: Extract baseline features of the corresponding positions, process nodes, and authority boundaries from the dynamic compliance behavior baseline; match the behavioral event records corresponding to explicit compliance nodes with the baseline features to obtain node behavior deviation values; fuse the collaborative risk weights corresponding to explicit compliance nodes with the node behavior deviation values ​​to obtain a comprehensive node deviation value; calculate the link transmission deviation value based on the comprehensive node deviation values ​​of adjacent explicit compliance nodes in the employee's continuous performance behavior link diagram; and generate employee compliance abnormal behavior markers based on the comprehensive node deviation value and the link transmission deviation value.

[0012] Furthermore, the specific steps for generating the risk level of employee compliance anomalies are as follows: obtain the number of explicit compliance nodes, collaborative risk weights, and link transmission deviation values ​​corresponding to the employee compliance anomaly markers; determine the anomaly coverage value based on the number of explicit compliance nodes; determine the implicit combined risk value based on the collaborative risk weights; determine the anomaly propagation risk value based on the link transmission deviation value; and integrate the anomaly coverage value, implicit combined risk value, and anomaly propagation risk value to generate the employee compliance anomaly risk level.

[0013] Furthermore, the specific steps for tracing back explicit compliance nodes along the employee's continuous performance behavior chain diagram to locate early probing nodes, substantive execution nodes, post-event cover-up nodes, and responsibility nodes are as follows: Use the set of high-risk explicit compliance nodes as the tracing object; trace forward along the directed edges of the employee's continuous performance behavior chain diagram to identify the explicit compliance node where the collaborative risk weight first increases as the early probing node; locate the explicit compliance node with the highest comprehensive deviation value along the directed edges of the employee's continuous performance behavior chain diagram to identify the substantive execution node; trace backward along the directed edges of the employee's continuous performance behavior chain diagram to identify the explicit compliance node where process rollback, permission revocation, or business object modification occurs as the post-event cover-up node; and lock the responsibility node based on the employee identifier, job responsibility data, and permission configuration data corresponding to the early probing node, substantive execution node, and post-event cover-up node.

[0014] Furthermore, the specific steps for generating handling tracking information are as follows: Mark employee compliance anomalies, risk levels of employee compliance anomalies, early probing nodes, substantive execution nodes, post-incident concealment nodes, and responsibility nodes into the handling tracking information; configure verification priorities for the handling tracking information according to the risk levels of employee compliance anomalies; determine handling flow nodes based on the job responsibility data and process node data corresponding to the responsibility nodes; receive the verification results and handling status returned by the handling flow nodes, and write the verification results and handling status into the handling tracking information; update the collaborative risk weights corresponding to explicit compliance nodes based on the verification results, forming feedback data for subsequent monitoring of employee compliance anomalies.

[0015] The present invention has the following beneficial effects:

[0016] (1) This big data analysis-based method for monitoring abnormal employee compliance behavior converts employee business operation data scattered across multiple business systems into behavioral event records. It then combines job responsibility data, permission configuration data, process node data, and compliance rule data to construct a continuous employee performance behavior chain diagram. This allows operations such as approval, contracts, expenses, permission calls, and data access to be presented continuously according to job positions, permissions, and process relationships. Nodes that do not trigger compliance rule data are marked as explicit compliance nodes. The implicit collaboration identification algorithm analyzes the temporal proximity relationship, business object aggregation relationship, permission progression relationship, and process bypass relationship between explicit compliance nodes to generate an implicit collaboration relationship matrix and collaboration risk weights. This enables the system to identify performance risks where a single operation appears compliant, but multiple operations combined result in process bypass, permission progression, or abnormal aggregation of business objects, reducing the omission of combined abnormal behaviors by traditional single-point rule judgment.

[0017] (2) The employee compliance abnormal behavior monitoring method based on big data analysis generates a job compliance behavior baseline based on job responsibility data, permission configuration data, process node data and compliance rule data, and performs drift correction by combining organizational structure change data, job authority change data, business process change data and compliance rule data, so that compliance judgment no longer relies on fixed thresholds or old samples in the long term. During the drift correction process, the job affiliation change coefficient, the job performance boundary change coefficient and the rule constraint change coefficient are calculated respectively, and the job compliance behavior baseline is corrected by the above coefficients to obtain a dynamic compliance behavior baseline. This allows normal organizational adjustments, job responsibility changes and business process changes to be reflected in the judgment reference, reducing the possibility of normal business changes being misjudged as abnormal, and avoiding the inclusion of slowly penetrating risk behaviors into the normal baseline due to long-term mixing with historical behavior data, thereby improving the fit between the judgment of employee compliance abnormal behavior and the actual business scenario.

[0018] (3) This big data analysis-based method for monitoring abnormal employee compliance behavior generates abnormal employee compliance behavior markers and risk levels by comparing the deviations of behavioral event records, collaborative risk weights, and dynamic compliance behavior baselines corresponding to explicit compliance nodes. After identifying the abnormality, it traces back the explicit compliance nodes along the employee's continuous performance behavior chain diagram to locate early probing nodes, substantive execution nodes, post-event concealment nodes, and responsibility nodes. This ensures that the abnormal results are no longer limited to a single alarm record. It can link behaviors such as increased collaborative risk weights, prominent node comprehensive deviation values, process rollback, permission revocation, and business object modification, and restore the change process of abnormal behavior from probing, execution to concealment, and generate handling tracking information. The subsequent verification results can also be used to update the collaborative risk weights corresponding to explicit compliance nodes, so that subsequent monitoring can absorb handling feedback and reduce the interference of repeated low-value alarms on the verification work.

[0019] Of course, any product implementing this invention does not necessarily need to achieve all of the advantages described above at the same time. Attached Figure Description

[0020] Figure 1 This is a flowchart of a method for monitoring abnormal employee compliance behavior based on big data analysis according to the present invention.

[0021] Figure 2 This is a flowchart illustrating the specific steps involved in constructing a continuous performance behavior chain diagram for employees in a method for monitoring abnormal employee compliance behavior based on big data analysis, as described in this invention.

[0022] Figure 3 This is a flowchart illustrating the specific steps involved in the deviation comparison between the behavioral event records corresponding to explicit compliance nodes, collaborative risk weights, and dynamic compliance behavior baselines in the employee compliance anomaly monitoring method based on big data analysis of the present invention. Detailed Implementation

[0023] Please see Figure 1This invention provides a technical solution: a method for monitoring abnormal employee compliance behavior based on big data analysis, comprising the following steps: collecting employee business operation data, job responsibility data, permission configuration data, process node data, organizational structure change data, job authority change data, business process change data, and compliance rule data from multiple business systems; aligning and mapping the employee business operation data to generate behavior event records; based on the job responsibility data, permission configuration data, process node data, and compliance rule data, associating the behavior event records with responsibilities, permissions, processes, and compliance rules to construct a continuous employee performance behavior link diagram, and marking nodes that have not triggered compliance rule data as explicit compliance nodes; and analyzing the temporal proximity relationship and business object aggregation relationship between explicit compliance nodes using an implicit collaborative recognition algorithm. The system generates an implicit collaboration matrix and collaboration risk weights based on hierarchical relationships, hierarchical permissions, and process bypass relationships. A baseline for job compliance behavior is generated based on job responsibility data, permission configuration data, process node data, and compliance rule data. A dynamic compliance behavior baseline is obtained by combining organizational structure change data, job responsibility change data, business process change data, and compliance rule data through a drift correction algorithm. Deviations are compared between the behavioral event records and collaboration risk weights corresponding to explicit compliance nodes and the dynamic compliance behavior baseline to generate employee compliance anomaly behavior markers and employee compliance anomaly behavior risk levels. Based on these markers and risk levels, explicit compliance nodes are traced back along the employee's continuous performance behavior chain diagram to identify early probing nodes, substantive execution nodes, post-event cover-up nodes, and responsibility nodes, generating handling tracking information.

[0024] Specifically, the steps for aligning and mapping employee business operation data to generate behavioral event records are as follows: Extract the employee identifier, business system identifier, business object identifier, operation time, operation type, and operation result from the employee's business operation data, specifically as follows: By accessing the raw operation log data from multiple business systems of an enterprise, standardizing the parsing and extracting the key fields corresponding to each operation, the responsible party, data source, business object, operation time, behavior type and execution status are determined, resulting in structured field data; In one implementation, the enterprise's multiple business systems include an approval system, a transaction system, a contract management system, an expense reimbursement system, a customer management system, a permission management system, and a data access system. Employee identification uses the enterprise's unique employee ID, business system identification uses the corresponding code of each business system, business object identification uses the unique number of various business documents and files, operation time uses a timestamp, operation type records the behavior category categorized by the system, and operation result distinguishes between success, failure, withdrawal, and save statuses.

[0025] Establish field mappings based on business system identifiers, and convert operation fields from different business systems into a unified field format, specifically as follows: Based on the identification codes of different business systems, a cross-system field mapping table is established to unify and standardize the different field names, data formats, time formats, and storage dimensions of each system, thereby reducing the impact of field differences between different business systems on subsequent association processing. In one implementation, the differentiated fields such as the approval operation time field of the approval system, the access time field of the data access system, and the contract operation time field of the contract management system are unified into a standard time field format, and the data storage structure is standardized.

[0026] An action mapping relationship is established according to the operation type, mapping approval submission, approval approval, permission access, contract modification, fee submission, and data access to a unified operation action, specifically as follows: Establish operation action mapping rules to map similar operations in different business systems to preset unified operation actions; In one implementation, the approval system's initiation and submission of approvals are uniformly mapped to the approval submission action; the permission system's permission query, permission application, and permission activation are uniformly mapped to the permission call action; and the contract addition, contract editing, and contract modification are uniformly mapped to the contract modification action.

[0027] Write standardized field formats and standardized operation actions into the corresponding behavior event records, and sort the behavior event records according to employee ID, business object ID, and operation time, as follows: After the standardized data has been rectified and mapped to actions, each item is encapsulated into a corresponding behavioral event record. Using employee ID and business object ID as the association dimension and the operation time as the sorting basis, all operation records of the same employee and the same business object are sorted in chronological order to form a set of behavioral event records arranged by time. In one implementation, for the same expense document processed by the same employee, the submit, modify, cancel, and resubmit operations performed sequentially are arranged in chronological order to form an operation sequence chain.

[0028] After removing behavioral event records with missing employee identifiers, business object identifiers, or operation times, the standard behavioral event records are obtained, which are as follows: All generated behavioral event records are cleaned to remove invalid data with missing key fields, and only valid records with complete fields that can be used for correlation and time series analysis are retained to obtain standard behavioral event records. In one implementation, invalid data that lacks an employee ID and cannot locate the operator, lacks a business object number and cannot be associated with a business scenario, or lacks a timestamp and cannot be used to sort out the operation sequence is removed.

[0029] like Figure 2 As shown, the specific steps for constructing an employee continuous performance behavior chain diagram are as follows: Using standard behavioral event records as nodes, the relationships between these records—namely, the relationships between responsibilities, permissions, processes, and compliance rules—are determined based on job responsibility data, permission configuration data, process node data, and compliance rule data. Specifically: Each cleaned standard behavior event record is used as an independent behavior node. Combined with job responsibility data, permission configuration data, process node data and compliance rule data, the relationship and constraint between different behavior nodes are established for subsequent link association. In one implementation, for each contract modification operation node, the corresponding job's contract management responsibilities, contract operation permissions, contract process nodes, and contract compliance constraints are matched to establish a multi-dimensional relationship between that node and other related operation nodes.

[0030] The process sequence relationship between standard behavioral event records is determined based on the same business object identifier and operation time, specifically as follows: Collect the behavioral nodes corresponding to the same business object, and sort out the execution order of employees' operations on a single business object according to the order of operation time of each node, forming the business process sequence relationship; In one implementation, for the same expense reimbursement form, the complete process sequence of form submission, attachment modification, approval rejection, and resubmission is sorted according to the order of operation time.

[0031] The permission dependencies between standard behavioral event records are determined based on permission configuration data and job responsibility data, specifically as follows: Based on the enterprise's preset job authority levels, authority and responsibility boundaries, and preconditions for operation, determine the authority prerequisites, hierarchical dependencies, and authority constraints between different behavioral nodes, and obtain the authority transmission relationship between each operation; In one implementation, advanced approval operations depend on prior ordinary review operations, and data export operations depend on prior permission application operations, forming a clear permission dependency chain.

[0032] By connecting the corresponding nodes with directed edges representing process sequence relationships and permission dependencies, a continuous employee performance behavior link graph is formed, which is as follows: Connect the corresponding nodes according to the process sequence and permission dependency, and connect the related behavior nodes through the directed association edges to integrate the discrete nodes into a continuous employee performance behavior link diagram. In one implementation, directed edges are used to connect all nodes of the same business process, including querying, applying, modifying, submitting, and approving, to form a link diagram of continuous employee performance behavior.

[0033] Nodes in the employee's continuous performance behavior chain diagram that have not triggered compliance rule data are marked to obtain explicit compliance nodes, which are as follows: Each behavior node in the link graph is matched and verified against compliance rules. Nodes that do not trigger the corresponding violation judgment conditions in the compliance rule data are marked. These nodes are used as the analysis objects of the subsequent implicit collaborative identification algorithm. In one implementation, an employee's single normal query of customer data or single normal viewing of contract information does not trigger the violation judgment conditions and is marked as an explicit compliance node.

[0034] In this implementation plan, by associating behavioral event records with job responsibility data, permission configuration data, process node data, and compliance rule data, a continuous performance behavior link diagram of employees is constructed. This enables employees' scattered operations in different business systems to be processed in series according to the same business object, operation sequence, and permission dependency relationship, avoiding the isolated judgment of a single operation record. This provides a link foundation for subsequent identification of abnormal performance behaviors formed by multiple node combinations.

[0035] Specifically, the steps for analyzing the temporal proximity, business object aggregation, permission progression, and process bypass relationships among explicit compliance nodes using implicit collaboration identification algorithms are as follows: The time proximity relationship is generated based on the operation time difference corresponding to the explicit compliance node, specifically as follows: Calculate the time interval between any two explicit compliance nodes for the same employee, and determine the degree of operational compactness between nodes based on the length of the time interval. The shorter the time interval, the higher the corresponding value of the time proximity relationship. In one implementation, employees continuously complete multiple dispersed compliance queries, previews, and download preparation operations within a preset time window. The time interval between node operations is relatively short, which is determined to be a high value of time proximity.

[0036] The business object aggregation relationship is generated based on the number of times the business object identifiers corresponding to the explicit compliance nodes overlap. Specifically: The frequency of overlapping operations of different explicit compliance nodes on the same business object is counted. The higher the number of overlapping operations, the higher the value of the aggregation relationship of the business object. In one implementation, if an employee repeatedly performs compliant operations such as viewing, previewing, permission verification, and page access on the same contract document, and the number of overlapping business objects is high, it is determined that the aggregation relationship value of the business objects is high.

[0037] The permission hierarchy is generated according to the order of changes in permission configuration data corresponding to explicit compliance nodes, specifically as follows: By analyzing the hierarchical changes in permission calls at continuous explicit compliance nodes, we can identify the pattern of gradual progression from low to high permissions and from basic operation permissions to preset high-permission operations, thus forming a progressive relationship of permissions. In one implementation, employees sequentially perform hierarchical permission operations such as normal query, permission verification, data preview, and limited export, with the permission level gradually increasing to form a progressive permission relationship.

[0038] The process detour relationship is generated based on the degree of offset between the process node data corresponding to the explicit compliance node and the standard process sequence, specifically as follows: By comparing the execution order of the actual work nodes performed by employees with the order of nodes in the enterprise's standard business process, the degree of deviation of skipping, reversing, prepositioning, postpositioning, and adding redundant nodes in the process is quantified, and process detour relationships are generated. In one implementation, the standard process is to submit after review, but employees bypass the review process and submit directly, creating a process bypass relationship.

[0039] By integrating temporal proximity, business object aggregation, permission progression, and process bypass relationships, explicit compliance node collaboration values ​​are obtained. These collaboration values ​​are then filled into the corresponding positions in the implicit collaboration matrix. Specifically: The relationships of temporal proximity, business object aggregation, permission progression, and process bypass are comprehensively weighted and quantified. The degree of implicit collaborative association between any two explicit compliance nodes is calculated to obtain a unified quantified collaborative relationship value. The matrix is ​​then filled according to the corresponding positions of the nodes' rows and columns to construct an implicit collaborative relationship matrix. The relationships in each dimension can be quantified: The temporal proximity relationship can be calculated based on the ratio of the operation time interval to the preset time window; The aggregation relationship of business objects can be calculated based on the number of times the same business object identifier overlaps or the similarity. The hierarchical relationship of permissions can be calculated based on the difference in permission levels between two explicit compliance nodes; The process detour relationship can be calculated based on the number of missing nodes, the number of sequence offsets, or the number of detour nodes between the actual process path and the standard process path; In one implementation, the above-mentioned relationships are weighted and fused to output normalized collaborative relationship values ​​and complete matrix assignment.

[0040] The specific steps for generating collaborative risk weights based on the implicit collaborative relationship matrix are as follows: Read the matrix elements of each explicit compliance node in the implicit collaboration relationship matrix, specifically the relationships between each explicit compliance node and other explicit compliance nodes: Traverse the rows and columns of the implicit collaboration relationship matrix, extract the collaboration association values ​​between a single explicit compliance node and other nodes in the link, and obtain the set of matrix elements corresponding to the explicit compliance node. In one implementation, for a target explicit compliance node, the collaborative relationship values ​​between it and its preceding and following associated operation nodes are read in batches to form associated data.

[0041] The business clustering strength of explicit compliance nodes is calculated based on temporal proximity and business object aggregation relationships, specifically as follows: Based on the compactness of operation time between nodes and the density of overlap of business objects, the intensity of concentrated operations by employees on a single business object is quantified. The more concentrated the operations and the higher the frequency, the greater the intensity of business aggregation. In one implementation, multiple compliance operations are performed intensively on the same preset key business within a short period of time, resulting in an increased intensity of business aggregation.

[0042] The strength of circumvention propagation for explicit compliance nodes is calculated based on the hierarchical relationship of permissions and the process bypass relationship, specifically as follows: The intensity of circumvention transmission is determined based on the degree of deviation and the progressive difference, and the level of risk transmission of employees circumventing standard processes and gradually breaking through compliance boundaries is quantified. In one implementation, employees escalate their permissions step by step and continuously bypass standard review nodes, resulting in a high level of circumvention.

[0043] The intensity of business aggregation and the intensity of avoidance transmission are weighted and integrated according to the node position of the corresponding explicit compliance node in the employee's continuous performance behavior chain diagram to obtain the collaborative risk weight of each explicit compliance node, which is as follows: Based on the difference in the front and back positions of nodes in the link, the weight coefficients are configured differently. Front-end probing nodes are weighted with an emphasis on avoidance strength, while mid- and back-end execution nodes are weighted with an emphasis on aggregation strength. The collaborative risk weight is obtained by weighting the business aggregation intensity, avoidance transmission intensity, and node position weight. The node position weight is determined based on the temporal position, number of incoming edges, and number of outgoing edges of the explicit compliance node in the employee's continuous performance behavior link graph, specifically satisfying: Collaborative risk weight = Business aggregation intensity × First weight + Avoidance transmission intensity × Second weight + Node location weight × Third weight; The first weight, second weight, and third weight can be preset according to the job risk level or business scenario, and the sum of the first weight, second weight, and third weight is 1. In one implementation, the initial probing node of the link mainly avoids weights, while the centralized operation node in the middle of the link mainly focuses on business aggregation weights to complete differentiated value assignment.

[0044] The explicit compliance nodes are sorted from high to low according to their collaborative risk weights, resulting in a set of high-risk explicit compliance nodes, which are as follows: The collaborative risk weights of all explicit compliance nodes are uniformly sorted, and nodes with weight values ​​higher than the system's preset risk threshold are selected and aggregated into a set of high-risk explicit compliance nodes, which are used as key targets for source tracing analysis. In one implementation, explicit compliance nodes whose collaborative risk weight exceeds a preset threshold are included in the set of high-risk explicit compliance nodes.

[0045] In this implementation plan, the implicit collaboration identification algorithm does not directly perform single-point anomaly judgment on all behavioral nodes. Instead, it performs relationship analysis on explicit compliance nodes that have not triggered compliance rule data. This allows node combinations that appear to be compliant in a single operation but have collaborative avoidance characteristics in terms of time, business objects, permissions, and processes to be identified. This enables nodes that have not triggered compliance rule data individually to still enter the combination relationship analysis process.

[0046] Specifically, the steps for obtaining the dynamic compliance behavior baseline using the drift correction algorithm are as follows: A baseline for compliance behavior is generated based on job responsibility data, permission configuration data, process node data, and compliance rule data. Specifically: By combining the scope of duties, authority boundaries, standard procedures and compliance constraints of each position, we statistically analyze the behavioral characteristics of positions in the long-term normal performance of duties, and construct a baseline of compliance behavior for each position as a basis for compliance judgment. The baseline for job-specific compliance behavior and the baseline for dynamic compliance behavior both include the set of permitted operation types, the scope of permitted operation objects, the standard process path, the characteristics of the permission boundary, the frequency range of operation, and the list of prohibited behaviors for the corresponding job. In one implementation, based on the responsibilities, authority, and process rules of the financial audit position, a standard baseline range is defined for the daily operation frequency, scope of authority, and process execution sequence of the position.

[0047] The job affiliation change coefficient is calculated based on organizational structure change data, specifically as follows: Monitor organizational structure changes such as departmental adjustments, job transfers, and changes in affiliation; quantify the magnitude of changes in job affiliation, jurisdiction, and hierarchical relationships; and generate corresponding job affiliation change coefficients. In one implementation, when a position is transferred from department A to department B and the scope of business under the position's jurisdiction is expanded, a positive attribution change coefficient is generated accordingly.

[0048] The duty boundary variation coefficient is calculated based on the data on changes in job responsibilities and business processes, as follows: Based on changes such as the addition or reduction of job responsibilities, adjustment of authority, addition or reduction of business process nodes, and adjustment of approval levels, the magnitude of changes in job performance boundaries is quantified, and a performance boundary change coefficient is generated. In one implementation, the job position gains initial contract review authority, and the business process removes secondary review nodes, with the corresponding update of the duty boundary change coefficient.

[0049] The rule constraint change coefficient is calculated based on the rule update content in the compliance rule data, specifically as follows: Track the updates and iterations of internal compliance systems and industry regulatory rules, quantify the extent of rule additions and deletions, adjustments to constraint intensity, and changes in regulatory scope, and generate rule constraint change coefficients; In one implementation, new compliance clauses for accessing sensitive data are added, and fee approval rules are tightened, with corresponding rule constraint variation coefficients generated.

[0050] By combining the coefficients for changes in job affiliation, job scope, and rule constraints, the baseline for job compliance behavior is revised to obtain the dynamic baseline for compliance behavior, which is as follows: The baseline for compliance behavior is iteratively revised using three types of variation coefficients to adapt to dynamic changes in the company's organization, responsibilities, processes, and rules, generating a dynamic compliance baseline that fits the current business scenario. Among these, the job affiliation variation coefficient is used to adjust the scope of the business objects corresponding to the job. The duty boundary variation coefficient is used to adjust the set of permitted operation types and permission boundaries; the rule constraint variation coefficient is used to adjust the list of prohibited behaviors and risk thresholds. In one implementation, the baseline standard range for the corresponding positions is simultaneously broadened or tightened based on three types of changes: organizational restructuring, expansion of authority, and implementation of new regulations.

[0051] In this implementation plan, the dynamic compliance behavior baseline is revised according to changes in organizational structure, job responsibilities, business processes, and compliance rules. This allows the basis for job compliance judgments to be adjusted in line with changes in the actual business environment, reducing the misjudgment of normal performance of duties due to job adjustments, changes in authority, or process updates. It also reduces the possibility that long-term risky behaviors will be mixed into the historical baseline and treated as normal behaviors.

[0052] Specifically, such as Figure 3 As shown, the specific steps for comparing the deviations of the behavioral event records and collaborative risk weights corresponding to explicit compliance nodes with the dynamic compliance behavior baseline are as follows: The baseline features corresponding to the positions, process nodes, and authority boundaries of explicit compliance nodes are extracted from the dynamic compliance behavior baseline. Specifically, these features are as follows: Based on the employee position, business process, and access permissions corresponding to the explicit compliance nodes, the standard operation characteristics, process standard characteristics, and permission boundary characteristics corresponding to the dynamic compliance behavior baseline are matched to obtain the comparison basis; In one implementation, the standard operation frequency, standard process sequence, and standard permission scope of the review position are extracted as baseline comparison features.

[0053] The behavioral event records corresponding to explicit compliance nodes are matched with baseline features to obtain the node behavior deviation value, which is as follows: The actual operation time, frequency, process flow, scope of authority, and operation content of each node are compared with the baseline standard one by one to quantify the deviation of the actual operation from the compliance standard range and generate an independent behavior deviation value for each node. In one implementation, when the number of visits to a job position exceeds the corresponding operation frequency range, the corresponding positive behavior deviation value is calculated.

[0054] The collaborative risk weight corresponding to the explicit compliance node is combined with the node behavior deviation value to obtain the node comprehensive deviation value, which is as follows: Using the collaborative risk weight as the implicit risk correction coefficient, the explicit behavior deviation value is weighted and corrected. At the same time, explicit operational deviation and implicit collaborative risk are included and merged to obtain the node comprehensive deviation value. In one implementation, under the same behavioral deviation, the higher the collaborative risk weight, the greater the overall deviation value of the node.

[0055] The link transmission deviation value is calculated based on the comprehensive deviation value of adjacent explicit compliance nodes in the employee's continuous performance behavior link diagram. Specifically: Traverse the adjacent nodes before and after the performance link, statistically analyze the transmission, superposition, and amplification trend of the comprehensive deviation value, quantify the degree of diffusion of abnormal risks in the entire business link, and generate the link transmission deviation value. Among them, the node behavior deviation value is calculated from the operation type deviation, business object deviation, permission boundary deviation and process node deviation; The overall node deviation value is obtained by fusing the node behavior deviation value and the collaborative risk weight; The link transmission deviation value is calculated from the difference of the combined deviation values ​​of adjacent explicit compliant nodes, the number of consecutive increases, or the cumulative deviation value; In one implementation, if the preceding node deviates slightly, the deviation of the subsequent node continues to increase, and the overall link exhibits risk transmission characteristics, resulting in a higher link transmission deviation value.

[0056] Employee compliance anomaly markers are generated based on the node's overall deviation value and the link's transmission deviation value. Specifically: By combining the degree of deviation at a single point with the degree of risk diffusion throughout the entire chain, behavioral chains with deviations, risk transmission, and abnormal collaboration are classified and marked, generating different types of compliance anomaly marking results; In one implementation, anomaly markers are generated corresponding to single-point deviation, node collaboration, and link diffusion.

[0057] In this implementation plan, the marking of abnormal employee compliance behavior is not determined solely by the deviation of a single explicit compliance node, but is generated by combining the node behavior deviation value, collaborative risk weight, and link transmission deviation value. This allows the judgment result to simultaneously reflect single-point operational deviations, implicit collaborations between nodes, and the spread of risks along the performance link, making it easier to distinguish between ordinary operational deviations and multi-node combined anomalies.

[0058] Specifically, the steps for generating an employee's compliance anomaly risk level are as follows: Obtain the number of explicit compliance nodes, collaborative risk weights, and deviation values ​​in the transmission chain corresponding to the employee's abnormal compliance behavior markers, specifically as follows: Identify the performance links that have been marked as abnormal, count the total number of high-risk explicit nodes involved in the link, extract the average risk weight of node collaboration and the transmission deviation value of the entire link, and obtain the data required for risk classification. In one implementation, the abnormal link includes multiple high-risk explicit nodes, their corresponding weight averages, and the overall diffusion deviation data of the link.

[0059] The anomaly coverage range is determined based on the number of explicit compliance nodes, specifically as follows: Based on the number of abnormal nodes, the breadth of business processes and operational steps covered by abnormal behavior is quantified. The more nodes there are, the wider the abnormal coverage area is, and the higher the corresponding coverage value is. In one implementation, the coverage value of anomalies involving multiple process nodes is higher than that of local single-node anomalies.

[0060] The implicit portfolio risk value is determined based on the collaborative risk weights, specifically as follows: The average collaborative risk weight of abnormal nodes is used as the basis for judgment. The higher the weight, the higher the degree of implicit collaborative violation association between nodes, and the implicit combined risk value is generated quantitatively. In one implementation, multiple nodes are associated with high weights, which generates a high implicit combined risk value.

[0061] The risk value of abnormal spread is determined based on the deviation value of the link transmission, specifically as follows: Based on the magnitude of the deviation value in the transmission link, the ability of abnormal risks to spread, the amplification trend, and the degree of subsequent harm in the business link are quantified. The higher the deviation value, the stronger the spread risk. In one implementation, the risk is amplified and continuously propagated along the link, resulting in the generation of a high anomaly spread risk value.

[0062] By integrating the abnormal coverage value, implicit combined risk value, and abnormal diffusion risk value, an employee compliance abnormal behavior risk level is generated, which is as follows: The risk level of abnormal employee compliance behavior is determined by weighting and integrating the breadth of coverage, the intensity of hidden risks, and the degree of spread and harm. In one implementation, the risk levels are divided into high, medium, and low risk levels, each corresponding to different degrees of implicit collaborative violations or operational deviations.

[0063] In this implementation plan, the risk level of an employee's compliance anomaly behavior is obtained by integrating the anomaly coverage value, the implicit combined risk value, and the anomaly diffusion risk value. This ensures that the risk level does not only depend on whether a single operation is abnormal, but also reflects the scope of nodes involved in the anomaly, the degree of coordination between nodes, and the transmission of risk in the business chain. This provides a more accurate basis for subsequent verification priorities and handling processes that align with the risks in the chain.

[0064] Specifically, the steps for tracing back explicit compliance nodes along the employee's continuous performance behavior chain diagram to identify early probing nodes, substantive execution nodes, post-event cover-up nodes, and responsibility nodes are as follows: The set of high-risk explicit compliance nodes obtained by ranking based on collaborative risk weights is used as the backtracking object, specifically: The set of high-risk explicit compliance nodes that have been screened was selected as the basic sample for source tracing, and source tracing analysis was carried out focusing on high-risk explicit compliance nodes; In one implementation, link backtracking is performed only on the set of high-risk, explicitly compliant nodes whose weights exceed the threshold.

[0065] By tracing back along the directed edges of the employee's continuous performance behavior chain graph, the explicit compliance node where the collaborative risk weight first increases is identified as the early trial node, specifically: Tracing the risk chain backward along the business timeline, we can identify the starting point of the first collaborative risk weight increase in the entire risk chain. This node is the starting point of the employee's exploratory operation. Among them, the increase in collaborative risk weight means that the collaborative risk weight of the current explicit compliance node is higher than that of the previous explicit compliance node, or higher than the risk reference value in the dynamic compliance behavior baseline of the corresponding position. In one implementation, the first time an employee previews permissions beyond the scope commonly used by their job, or the first time they view business data beyond the scope commonly used by their job, is identified as an early trial node.

[0066] The explicit compliance node with the highest comprehensive deviation value along the directed edges of the employee's continuous performance behavior chain graph is identified as the substantive execution node. Specifically: Iterate through the comprehensive deviation values ​​of the set of high-risk explicit compliance nodes, select the core node corresponding to the peak deviation value, and this node is the execution node for completing the key abnormal operation; In one implementation, the core operation nodes that complete the key data organization, key parameter modification, and key information collection are identified as the actual execution nodes.

[0067] Tracing back along the directed edges of the employee's continuous performance behavior chain diagram, we identify explicit compliance nodes where process rollback, authorization revocation, or business object modification occurs as post-event cover-up nodes. Specifically: In the subsequent links of the actual execution node, trace the subsequent nodes that have process withdrawal, permission cancellation, data modification, and operation trace adjustment. These nodes are used to represent the masking operations after the abnormal behavior occurs. In one implementation, nodes that actively withdraw the process, revoke temporary permissions, or modify the operation log after the operation is completed are identified as post-event cover-up nodes.

[0068] The responsible nodes are identified based on the employee identifiers, job responsibility data, and permission configuration data corresponding to the early probing nodes, the actual execution nodes, and the post-event cover-up nodes. Specifically: Associate the operational entity information, job responsibilities information, and authority information of the three types of abnormal nodes, distinguish between direct operational responsibility and process supervision responsibility, and identify the responsible nodes corresponding to the abnormal links; In one implementation, the nodes for direct operation employees, direct review and supervision nodes, and access control responsibility nodes are locked.

[0069] Specifically, the steps for generating disposal tracking information are as follows: The employee compliance anomaly marker, risk level of the employee compliance anomaly, early probing points, substantive implementation points, post-event cover-up points, and responsibility points will be written into the handling tracking information, specifically as follows: Summarize the characteristic data of abnormal behavior, including abnormal type, risk level, location of abnormal evolution node and information on responsible node, and integrate them to generate abnormal behavior tracing file as the basis for handling; In one implementation, the information of the starting node, execution node, concealment node, and corresponding responsible persons of the entire abnormal link is uniformly archived into the abnormal behavior tracing file.

[0070] The priority of verification for handling and tracking information is configured according to the risk level of employees' abnormal compliance behavior, specifically as follows: The corresponding verification order and handling method shall be determined according to the risk level; In one implementation, high-risk anomalies are configured with higher verification priority, medium-risk anomalies are configured with normal verification priority, and low-risk anomalies are configured with delayed verification priority.

[0071] The disposal and transfer nodes are determined based on the job responsibility data and process node data corresponding to the responsibility nodes, specifically as follows: Based on the scope of authority and responsibilities of the responsible positions and the business processing procedures, match the corresponding verification, review, and supervision positions, and determine the standard handling flow path and corresponding flow nodes for abnormal issues; In one implementation, financial anomalies are transferred to the financial compliance department for review, while data anomalies are transferred to the data security department for review.

[0072] Receive the verification results and processing status returned by the processing flow nodes, and write the verification results and processing status into the processing tracking information, specifically as follows: Collect verification feedback from each process node, including whether the verification is valid, the cause of the problem, the rectification measures, the progress of the handling, and the completion status, and update it to the handling tracking information; In one implementation, the system receives and archives status information such as verification completion, rectification completion, and disposal completion from the review staff.

[0073] Based on the verification results, the collaborative risk weights corresponding to explicit compliance nodes are updated to generate feedback data for subsequent monitoring of employee compliance anomalies, specifically: Adjust the collaborative risk weights corresponding to explicit compliance nodes based on whether the verification is successful or unsuccessful. In one implementation, the collaborative risk weights are continuously adjusted for explicit compliance nodes that have been verified multiple times.

[0074] In this implementation plan, the handling tracking information will record the anomaly marker, risk level, early probing node, substantive execution node, post-event cover-up node, and responsibility node together. The collaborative risk weight corresponding to the explicit compliance node will be updated according to the verification results, so that the anomaly identification results, responsibility positioning results, and handling feedback can form a continuous record. When similar performance links are encountered in the future, the collaborative risk judgment can be adjusted based on the existing verification results.

[0075] Although preferred embodiments of the invention have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including both the preferred embodiments and all changes and modifications falling within the scope of the invention.

[0076] Obviously, those skilled in the art can make various modifications and variations to this invention without departing from its spirit and scope. Therefore, if these modifications and variations fall within the scope of the claims of this invention and their equivalents, this invention also intends to include these modifications and variations.

Claims

1. A method for monitoring abnormal employee compliance behavior based on big data analysis, characterized in that, Includes the following steps: Collect employee business operation data, job responsibility data, permission configuration data, process node data, organizational structure change data, job authority change data, business process change data, and compliance rule data from multiple business systems, align and map the employee business operation data, and generate behavior event records; Based on job responsibility data, permission configuration data, process node data, and compliance rule data, the behavioral event records are associated with responsibilities, permissions, processes, and compliance rules to construct a continuous performance behavior chain diagram for employees, and nodes that do not trigger compliance rule data are marked as explicit compliance nodes. By analyzing the temporal proximity, business object aggregation, permission progression, and process bypass relationships among explicit compliance nodes using implicit collaboration identification algorithms, an implicit collaboration relationship matrix and collaboration risk weights are generated. Based on job responsibility data, permission configuration data, process node data, and compliance rule data, a job compliance behavior baseline is generated. Combined with organizational structure change data, job authority and responsibility change data, business process change data, and compliance rule data, a drift correction algorithm is used to obtain a dynamic compliance behavior baseline. By comparing the deviations of the behavioral event records and collaborative risk weights corresponding to explicit compliance nodes with the dynamic compliance behavior baseline, an employee compliance abnormal behavior marker and employee compliance abnormal behavior risk level are generated. Based on the employee compliance anomaly markers and the risk levels of employee compliance anomalies, the explicit compliance nodes are traced back along the employee's continuous performance behavior chain diagram to locate early probing nodes, substantive execution nodes, post-event cover-up nodes, and responsibility nodes, and to generate handling tracking information.

2. The method for monitoring abnormal employee compliance behavior based on big data analysis according to claim 1, characterized in that, The specific steps for aligning and mapping employee business operation data to generate behavioral event records are as follows: Extract employee identifier, business system identifier, business object identifier, operation time, operation type, and operation result from employee business operation data; Establish field mapping relationships based on business system identifiers, and convert operation fields from different business systems into a unified field format; Establish action mapping relationships according to operation types, and map approval submission, approval approval, permission access, contract modification, fee submission and data access to unified operation actions; Write the same field format and operation action into the same behavior event record, and arrange the behavior event records according to employee ID, business object ID and operation time; Remove behavioral event records that lack employee identification, business object identification, or operation time to obtain standard behavioral event records.

3. The method for monitoring abnormal employee compliance behavior based on big data analysis according to claim 2, characterized in that, The specific steps for constructing an employee continuous performance behavior chain diagram are as follows: Using standard behavior event records as nodes, the relationship between standard behavior event records is determined based on job responsibility data, permission configuration data, process node data, and compliance rule data, including the relationships between responsibilities, permissions, processes, and compliance rules. Determine the sequential relationship of standard behavioral event records based on the same business object identifier and operation time; Determine the permission dependencies between standard behavior event records based on permission configuration data and job responsibility data; By connecting the process sequence and permission dependency relationships as directed edges to the corresponding nodes, a link diagram of the employee's continuous performance behavior is formed. Nodes that do not trigger compliance rules in the employee's continuous performance behavior chain diagram are marked to obtain explicit compliance nodes.

4. The method for monitoring abnormal employee compliance behavior based on big data analysis according to claim 1, characterized in that, The specific steps for analyzing the temporal proximity, business object aggregation, permission progression, and process bypass relationships among explicit compliance nodes using implicit collaborative identification algorithms are as follows: Generate time proximity relationships based on the operation time difference corresponding to explicit compliance nodes; Generate business object aggregation relationships based on the number of times the business object identifiers corresponding to explicit compliance nodes overlap; Generate a permission progression relationship according to the order of changes in permission configuration data corresponding to explicit compliance nodes; The process detour relationship is generated based on the degree of offset between the process node data corresponding to the explicit compliance node and the standard process sequence; By integrating temporal proximity, business object aggregation, permission progression, and process bypass relationships, explicit collaboration relationship values ​​between compliance nodes are obtained, and these collaboration relationship values ​​are filled into the corresponding positions in the implicit collaboration relationship matrix.

5. The method for monitoring abnormal employee compliance behavior based on big data analysis according to claim 4, characterized in that, The specific steps for generating collaborative risk weights based on the implicit collaborative relationship matrix are as follows: Read the matrix elements between each explicit compliance node and other explicit compliance nodes in the implicit collaboration relationship matrix; Calculate the business clustering intensity of explicit compliance nodes based on temporal proximity and business object aggregation relationships; Calculate the circumvention strength of explicit compliance nodes based on the hierarchical relationship of permissions and the process bypass relationship; The intensity of business aggregation and the intensity of avoidance transmission are weighted and integrated according to the node position of the corresponding explicit compliance node in the employee's continuous performance behavior link diagram to obtain the collaborative risk weight of the explicit compliance node. The explicit compliance nodes are sorted from high to low according to the collaborative risk weight to obtain the set of high-risk explicit compliance nodes.

6. The method for monitoring abnormal employee compliance behavior based on big data analysis according to claim 1, characterized in that, The specific steps for obtaining a dynamic compliance behavior baseline using the drift correction algorithm are as follows: A baseline for compliance behavior is generated based on job responsibility data, permission configuration data, process node data, and compliance rule data. Calculate the job affiliation change coefficient based on organizational structure change data; Calculate the duty boundary change coefficient based on job responsibility change data and business process change data. Calculate the rule constraint change coefficient based on the rule update content in the compliance rule data; By combining the job affiliation change coefficient, the job performance boundary change coefficient, and the rule constraint change coefficient, the job compliance behavior baseline is revised to obtain the dynamic compliance behavior baseline.

7. The method for monitoring abnormal employee compliance behavior based on big data analysis according to claim 1, characterized in that, The specific steps for comparing the deviations of the behavioral event records and collaborative risk weights corresponding to explicit compliance nodes with the dynamic compliance behavior baseline are as follows: Extract baseline features of explicit compliance nodes corresponding to job positions, process nodes, and authority boundaries from the dynamic compliance behavior baseline; The behavioral event records corresponding to explicit compliance nodes are matched with baseline features to obtain the node behavior deviation value; The collaborative risk weights corresponding to explicit compliance nodes are combined with the node behavior deviation values ​​to obtain the node comprehensive deviation value; The link transmission deviation value is calculated based on the comprehensive deviation value of adjacent explicit compliance nodes in the employee's continuous performance behavior link diagram; Employee compliance anomaly markers are generated based on node comprehensive deviation value and link transmission deviation value.

8. The method for monitoring abnormal employee compliance behavior based on big data analysis according to claim 1, characterized in that, The specific steps for generating a risk level for employee compliance anomalies are as follows: Obtain the number of explicit compliance nodes, collaborative risk weights, and deviation values ​​in the transmission chain corresponding to the employee's abnormal compliance behavior markers; The anomaly coverage range value is determined based on the number of explicit compliance nodes; The implicit portfolio risk value is determined based on the collaborative risk weights; Determine the risk value of abnormal spread based on the deviation value of the link transmission; By integrating the abnormal coverage value, the implicit combined risk value, and the abnormal diffusion risk value, a risk level for abnormal employee compliance behavior is generated.

9. The method for monitoring abnormal employee compliance behavior based on big data analysis according to claim 5, characterized in that, The specific steps for tracing back to explicit compliance nodes along the employee's continuous performance behavior chain diagram, and identifying early probing nodes, substantive execution nodes, post-event cover-up nodes, and accountability nodes, are as follows: The set of high-risk explicit compliance nodes is used as the backtracking object; By tracing back along the directed edges of the employee's continuous performance behavior chain graph, the first explicit compliance node where the collaborative risk weight increases is identified as an early exploratory node. The explicit compliance node with the highest comprehensive deviation value is located along the directed edge of the employee's continuous performance behavior link graph and identified as the substantive execution node. Backtrack along the directed edges of the employee's continuous performance behavior chain diagram to identify explicit compliance nodes where process rollback, permission revocation, or business object modification occurs as ex-post cover-up nodes. The responsible nodes are identified based on the employee identifiers, job responsibility data, and permission configuration data corresponding to the early probing nodes, actual execution nodes, and post-event cover-up nodes.

10. The method for monitoring abnormal employee compliance behavior based on big data analysis according to claim 1, characterized in that, The specific steps for generating disposal tracking information are as follows: The employee compliance anomaly marker, the risk level of the employee compliance anomaly, the early probing point, the actual execution point, the subsequent cover-up point, and the responsibility point are written into the handling tracking information; Prioritize the verification of handling and tracking information based on the risk level of employees' abnormal compliance behavior; The disposal and transfer nodes are determined based on the job responsibility data and process node data corresponding to the responsibility nodes; Receive the verification results and processing status returned by the processing flow nodes, and write the verification results and processing status into the processing tracking information; Based on the verification results, the collaborative risk weights corresponding to explicit compliance nodes are updated to generate feedback data for subsequent monitoring of abnormal employee compliance behavior.