CN109919767B

Movatterモバイル変換

Info

Publication number: CN109919767B
Application number: CN201910170574.6A
Authority: CN
Inventors: 金洪波; 金欢
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd
Priority date: 2019-03-07
Filing date: 2019-03-07
Publication date: 2023-01-06
Anticipated expiration: 2039-03-07
Also published as: CN109919767A

Abstract

Description

Transaction risk management method, device and equipment

Technical Field

The embodiment of the application relates to the technical field of risk management, in particular to a transaction risk management method, a transaction risk management device and transaction risk management equipment.

Background

With the prevalence of mobile payment and electronic commerce, transactions conducted online are increasing, with the generation of a wide variety of malicious transactions. In order to avoid the loss caused by malicious transactions, the server needs to perform risk management on each transaction, so that when an abnormality is found, the transaction is intercepted in time to avoid the loss.

When the historical transaction data of the transaction subject does not exist before the target transaction starts, the transaction characteristics of the transaction subject cannot be judged, and the risk processing cannot be performed on the target transaction.

Disclosure of Invention

The embodiment of the application provides a transaction risk management method, a transaction risk management device and transaction risk management equipment, which are used for solving the problem that risk processing cannot be carried out on target transactions when historical transaction data do not exist in a transaction main body. The technical scheme is as follows:

in one aspect, a transaction risk management method is provided, the method comprising:

when a target transaction is carried out, acquiring first statistical data corresponding to the target transaction, wherein the first statistical data are data which are counted in a first time period and used for indicating transaction characteristics of a transaction main body of the target transaction, and the first time period is a time period before the target transaction starts;

carrying out first risk processing on the target transaction according to the first statistic data;

when the target transaction is rechecked at intervals of a second time period, second statistical data corresponding to the target transaction are obtained, wherein the second statistical data are counted in the second time period and are used for indicating data of transaction characteristics of the transaction main body;

and carrying out secondary risk processing on the target transaction according to the second statistical data.

In one aspect, there is provided a transaction risk management apparatus, the apparatus comprising:

the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring first statistical data corresponding to a target transaction when the target transaction is carried out, the first statistical data are counted in a first time period and are used for indicating transaction characteristics of a transaction main body of the target transaction, and the first time period is a time period before the target transaction starts;

the first processing module is used for carrying out first risk processing on the target transaction according to the first statistic data obtained by the first obtaining module;

a second obtaining module, configured to obtain second statistical data corresponding to the target transaction when the target transaction is reviewed at a second time interval, where the second statistical data is data that is counted in the second time interval and is used to indicate a transaction characteristic of the transaction main body;

and the secondary processing module is used for carrying out secondary risk processing on the target transaction according to the second statistical data obtained by the second obtaining module.

In one aspect, a server is provided, the server including a processor and a memory, the memory having at least one instruction stored therein, the instruction being loaded and executed by the processor to implement the transaction risk management method as described above.

The technical scheme provided by the embodiment of the application has the beneficial effects that at least:

by carrying out first risk processing on the target transaction according to the first statistical data, because the first statistical data are data in a time period before the target transaction starts, if the first statistical data do not have data about transaction characteristics of a transaction main body of the target transaction in the time period before the target transaction starts, the first risk processing on the target transaction may be inaccurate, so that the target transaction can be rechecked after a second time interval, namely, the second risk processing is carried out on the target transaction according to the second statistical data in the second time period, and the accuracy of the transaction processing is improved.

Drawings

In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.

FIG. 1 is a block flow diagram illustrating a transaction risk management according to some exemplary embodiments;

FIG. 2 is a flow chart of a method of transaction risk management provided by one embodiment of the present application;

FIG. 3 is a flow chart of a method of transaction risk management according to another embodiment of the present application;

FIG. 4 is a diagram of a logical implementation of transaction risk management provided by another embodiment of the present application;

fig. 5 is a block diagram illustrating a transaction risk management apparatus according to an embodiment of the present application;

fig. 6 is a schematic structural diagram of a server according to still another embodiment of the present application.

Detailed Description

To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.

The following describes application scenarios related to the present application:

Among them, the types of malicious transactions are various, such as malicious swiping of marketing resources, fraudulent or stealing of virtual money (Q coins, point tickets, micro coins, etc.), stealing of phone cards, p2p (peer-to-peer) fraudulent credits, and so on. The following description will take malicious brushing of marketing resources as an example. The marketing resource may be a resource used by a merchant to perform marketing promotion, and includes virtual currency, cash voucher, and the like, which is not limited in this embodiment.

When the target transaction is normally carried out, the user can register a transaction account number by utilizing the identity information of the user before the marketing activity of the merchant starts; when the marketing campaign begins, the user may use the transaction account number to receive a marketing resource from the merchant's server. A pickup action for a transaction account number is referred to herein as a target transaction. If the malicious party wants to maliciously swipe marketing resources, a batch of transaction accounts can be applied or purchased in batch before the marketing campaign starts; when the marketing campaign starts, the malicious party can use each transaction account number in the batch of transaction account numbers to receive the marketing resources once, so that other users cannot receive the marketing resources, the marketing resources are wasted, and the marketing campaign may fail.

In order to solve the above problem, the merchant needs to identify the risk of the transaction and manage the transaction according to the risk, and the two management methods are described below.

The first management mode is as follows: when the target transaction is carried out, the merchant acquires historical transaction data of a transaction main body of the target transaction, analyzes transaction characteristics of the transaction main body according to the historical transaction data, and determines the target transaction as a malicious transaction when the transaction characteristics are transaction characteristics of the malicious transaction, so that marketing resources are not distributed to the target transaction. The management mode can intercept malicious transactions in time and meet the timeliness requirement of the transactions. However, if the transaction subject of the target transaction does not perform the historical transaction when the target transaction is performed, it is impossible to determine whether the transaction characteristics of the transaction subject are those of the malicious transaction according to the historical transaction data, and thus the risk of the target transaction cannot be determined.

The second management mode is as follows: after all transactions are completed, the merchant analyzes all transaction data of this time, and when a certain transaction is found to be suspicious, the marketing resources allocated to the transaction are recovered, or the target transaction account number is signed, and the like, which is not limited in this embodiment. This management approach cannot intercept malicious transactions in real time and may also result in losses.

The application provides a transaction risk management method, a server can process transactions in real time according to historical transaction data, and then processes transactions secondarily according to all transaction data after the transactions are completed, namely, first risk identification and striking are conducted on the transactions firstly according to the historical transaction data (also called historical data), and then secondary risk identification and striking are conducted on the transactions according to the transaction data (also called post-transaction data) after the transactions are completed, so that the purposes of passing through normal transactions and intercepting abnormal transactions are achieved. Referring to the flow diagram of transaction risk management shown in fig. 1, the related transactions may include, but are not limited to: impersonation of relatives and friends, telephone arrearage, overdraft consumption of Unionpay cards, package mailing, online shopping, false winning, online phishing, money remitting and first aid, guessing who is guessing and counterfeit booking websites.

Referring to fig. 2, a flowchart of a transaction risk management method provided in an embodiment of the present application is shown, and the transaction risk management method may be applied to a server. The transaction risk management method comprises the following steps:

step 201, when a target transaction is performed, acquiring first statistical data corresponding to the target transaction, where the first statistical data is data counted in a first time period and used for indicating transaction characteristics of a transaction subject of the target transaction, and the first time period is a time period before the target transaction starts.

The transaction currently in progress is referred to as a target transaction in this embodiment.

The initiator of the targeted transaction, referred to as the transaction principal, may identify the transaction principal with transaction principal data. The transaction subject data may identify the transaction subject from multiple dimensions, for example, the transaction subject data may include a transaction account number, a transaction IP (Internet Protocol), a device identifier of a transaction device, and the like, which is not limited in this embodiment.

When the target transaction is carried out, the terminal can send target transaction data to the server, the target transaction data carries transaction main body data, the server can determine a transaction main body of the target transaction according to the transaction main body data, and then first statistic data are generated based on historical transactions carried out by the transaction main body in a first time period. For example, if the target transaction starts at 12 o 'clock in 2 months, 20 days, the server may generate the first statistical data from the historical transactions performed by the transaction subject by 12 o' clock in 2 months, 20 days.

Optionally, the server may use each transaction as a historical transaction after processing the transaction, and then correspondingly store the transaction main data and the historical transaction data of the historical transaction according to the transaction time in the historical transaction data. The historical transaction data may include a transaction amount, a transaction time, a transaction service type, and the like of the historical transaction, which is not limited in this embodiment. Subsequently, the server may obtain transaction subject data and historical transaction data of each historical transaction according to the transaction time, so as to generate the first statistical data, which will be described later, and the details of the generation process are not repeated here.

Andstep 202, carrying out first risk processing on the target transaction according to the first statistical data.

The server can determine the transaction risk of the target transaction according to the first statistic data, and intercept the target transaction when the transaction risk of the target transaction is higher; and when the transaction risk of the target transaction is low, performing release processing on the target transaction.

In a possible implementation manner, the server may analyze the first statistical data according to an artificially formulated rule or a trained classification model to obtain a transaction risk of the target transaction. The classification model is a model capable of distinguishing normal transactions from malicious transactions, and may be implemented by a classification algorithm such as a decision tree, logistic regression, random forest, and the like, which is not limited in this embodiment.

Step 203, when the target transaction is rechecked at a second interval, acquiring second statistical data corresponding to the target transaction, wherein the second statistical data is counted in the second interval and is used for indicating the data of the transaction characteristics of the transaction main body.

The second period may be a preset period. Assuming that the second period is one day after the transaction time of the target transaction, and the transaction time of the target transaction is 12 o ' clock 20/2, the second period is 0 o ' clock to 24 o ' clock 21/2.

The server may generate second statistical data according to the transaction subject of the target transaction and based on the transaction performed by the transaction subject in the second time period, where the second statistical data is generated in the same manner as the first statistical data, which is described in detail below.

When data of a transaction performed by a transaction body before a target transaction is referred to as history data, data of the target transaction is referred to as real-time data, and data of a transaction performed by the transaction body after the target transaction is referred to as post-event data, with a transaction time of the target transaction as a boundary, first statistical data is generated from the history data and second statistical data is generated from the post-event data.

In this embodiment, the server may recheck all target transactions, or the server may recheck part of the target transactions, and at this time, the server further needs to select a target transaction to be rechecked. The process of selecting the target transaction to be reviewed by the server will be described below, and will not be described herein.

And step 204, carrying out secondary risk processing on the target transaction according to the second statistical data.

The server can determine the transaction risk of the target transaction according to the second statistical data, and intercept the target transaction when the transaction risk of the target transaction is higher; and when the transaction risk of the target transaction is low, performing release processing on the target transaction.

In a possible implementation manner, the server may analyze the second statistical data according to an artificially formulated rule or a trained classification model to obtain a transaction risk of the target transaction. The classification model is a model capable of distinguishing normal transactions from malicious transactions, and may be implemented by a classification algorithm such as a decision tree, logistic regression, random forest, and the like, which is not limited in this embodiment.

In summary, according to the transaction risk management method provided in the embodiment of the present application, the first risk processing is performed on the target transaction according to the first statistical data, and since the first statistical data is data in a time period before the target transaction starts, if there is no data about the transaction characteristics of the transaction subject of the target transaction in the time period before the target transaction starts, the first risk processing on the target transaction may be inaccurate, the target transaction may be rechecked after the second time interval, that is, the second risk processing is performed on the target transaction according to the second statistical data in the second time period, so that the accuracy of the transaction processing is improved.

Referring to fig. 3, a flowchart of a transaction risk management method provided in another embodiment of the present application is shown, where the transaction risk management method may be applied in a server. The transaction risk management method comprises the following steps:

instep 301, when a target transaction is performed, target transaction data of the target transaction is obtained, where the target transaction data includes at least one transaction main body data, and each transaction main body data is used to indicate a transaction main body of a dimension.

The initiator of the targeted transaction, referred to as the transaction principal, may identify the transaction principal with transaction principal data. The transaction subject data may identify the transaction subject from multiple dimensions, for example, the transaction subject data may include a transaction account number, a transaction IP, a device identifier of a transaction device, and the like, which is not limited in this embodiment.

When the target transaction is carried out, the terminal can send target transaction data to the server, the target transaction data carries transaction main body data, and the server can determine a transaction main body of the target transaction according to the transaction main body data.

Step 302, for each transaction subject data, searching historical transaction data corresponding to the transaction subject data in a historical transaction database, and generating a feature vector of the transaction subject according to the historical transaction data, wherein the historical transaction data is used for indicating transaction features of the transaction subject.

The server can take the transaction as a historical transaction when processing the transaction, and correspondingly store the transaction main body data and the historical transaction data of the historical transaction into the historical transaction database according to the transaction time in the historical transaction data. The historical transaction data may include a transaction amount, a transaction time, a transaction service type, and the like of the historical transaction, which is not limited in this embodiment.

In this embodiment, different transaction principals may correspond to different dimensions of historical transaction data. For example, the historical transaction data corresponding to the transaction account includes data of dimensions such as transaction time, a device identifier of a transaction device logged in by the transaction account, and the historical transaction data corresponding to the transaction IP includes data of dimensions such as a transaction service type, a transaction amount, and the transaction account logged in the transaction IP.

The server may generate a feature vector indicating transaction characteristics of each transaction agent based on historical transaction data corresponding to the transaction agent. Wherein the transaction characteristics are used to distinguish whether the target transaction is a malicious transaction. A plurality of transaction features related to the present embodiment will be explained below.

1) Whether the transaction subject is often involved in similar activities: when the transaction subject is not often involved in similar activities, the target transaction may be a malicious transaction; the target transaction may be a normal transaction when the transaction body is constantly engaged in similar activities.

2) Whether the transaction subject has other normal consumption behaviors: when the transaction body has no other normal consumption behaviors, the target transaction can be a malicious transaction; when the transaction body has other normal consumption behaviors, the target transaction may be a normal transaction.

3) Daily liveness of the transaction subject: wherein, the daily activity level is in positive correlation with the transaction frequency or times of the transaction main body. For example, the daily activity is the transaction frequency of the transaction subject in a time period, and if a transaction subject performs 20 transactions in a month, the daily activity of the transaction subject is considered to be higher, and the target transaction may be a normal transaction; assuming that a transaction subject performs 1 transaction in one month, the daily activity of the transaction subject is considered to be low, and the target transaction may be a malicious transaction.

4) Aggregation of transaction subjects: the aggregation level refers to the number of transaction accounts registered on one transaction device or one transaction IP. Assuming that 10 transaction account numbers are logged on one transaction device, the aggregation degree of the transaction main body is considered to be high, and the target transaction is possibly a malicious transaction; assuming that only 1 transaction account number is logged on one transaction device, the aggregation of the transaction main body is considered to be low, and the target transaction may be a normal transaction.

5) Transaction period of the transaction subject: when the transaction subject frequently transacts at night, the target transaction may be a malicious transaction; when the transaction body frequently transacts during the day, the target transaction may be a normal transaction.

Certainly, the transaction characteristics of the transaction main body may not be accurately described by one transaction characteristic, so the server may also obtain a plurality of transaction characteristics of the transaction main body and then use the plurality of transaction characteristics for judgment. Assuming that the transaction main body is an equipment identifier of the transaction equipment, historical transaction data corresponding to the transaction main body comprises dimensions of transaction time of 11 points, transaction amount, transaction service type, transaction account numbers logged on the transaction equipment, whether the transaction account numbers have transactions and the like, assuming that the historical transaction data performed by the transaction main body in one month is analyzed to obtain 1 transaction account number logged on the transaction equipment, and the transaction account numbers have transactions in 20 days, the server can obtain characteristic vectors of the transaction main body such as transactions in the daytime, higher daily liveness, lower aggregation and the like according to the historical transaction data.

Step 303, merging the feature vectors corresponding to all the transaction subject data to obtain first statistical data.

Wherein the first statistical data is data for indicating transaction characteristics of the transaction subject of the target transaction, counted during a first period, which is a period before the target transaction starts, as detailed instep 201.

The server can obtain the feature vectors corresponding to all the transaction subject data, and then combines all the feature vectors according to the preset sequence to obtain first statistical data. Assuming that the transaction account corresponds to the feature vector a, the transaction IP corresponds to the feature vector b, the device identifier of the transaction device corresponds to the feature vector c, and the preset sequence is the feature vector corresponding to the transaction account + the feature vector corresponding to the transaction IP + the feature vector corresponding to the device identifier of the transaction device, the first statistic data obtained by the server is the feature vector abc.

Step 304, calculating first risk information of the target transaction according to the first statistical data, wherein the first risk information is used for indicating the probability that the target transaction is a malicious transaction.

In a possible implementation manner, the server may analyze the first statistical data according to an artificially formulated rule or a trained classification model to obtain first risk information of the target transaction. The classification model is a model capable of distinguishing normal transactions from malicious transactions, and may be implemented by a classification algorithm such as a decision tree, logistic regression, random forest, and the like, which is not limited in this embodiment.

Optionally, the server may further calculate first risk information of the target transaction according to the first statistical data and the target transaction data of the target transaction, which is not limited in this embodiment.

It should be noted that the first risk information may be a probability value, or the first risk information may be a risk level corresponding to the probability value, and at this time, a corresponding relationship between a probability interval and the risk level is preset in the server.

And 305, when the first risk information is greater than or equal to the first threshold, intercepting the target transaction, and executing 307.

The server may set a first threshold according to the traffic demand. For example, when the business requirement is to intercept malicious transactions as accurately as possible, the server may set a smaller first threshold; when the service requirement is to pass through normal transactions as accurately as possible, the server may set a larger first threshold, which is not limited in this embodiment.

When the business is the release of the marketing resource, the server may intercept the target transaction without releasing the marketing resource to the transaction subject.

And step 306, when the first risk information is smaller than the first threshold, performing release processing on the target transaction, and executingstep 307.

When the business is the release of the marketing resource, the release of the target transaction by the server may be the release of the marketing resource to the transaction subject.

It should be noted that, the precision of the classification model has a trade-off between the recall rate and the accuracy rate of the malicious transactions, that is, sometimes, the normal transactions are inevitably mistakenly blocked for recalling more malicious transactions, and sometimes, a certain proportion of malicious transactions are inevitably left for reducing the accidental injury of the normal transactions, so that the target transactions can be rechecked, and the accuracy of the transaction processing can be improved.

In this embodiment, the server may recheck all target transactions, or the server may recheck part of the target transactions, and at this time, the server also needs to select a transaction type for rechecking. In a possible implementation manner, the server may select the re-checked transaction type according to the configuration information, at this time, the server obtains the configuration information, where the configuration information is used to indicate the re-checked transaction type; when the transaction type indicated by the configuration information is an interception processing type and the first risk processing of the target transaction is interception processing, determining to recheck the target transaction; and when the transaction type indicated by the configuration information is a release processing type and the first risk processing of the target transaction is release processing, determining to recheck the target transaction.

During configuration, when the first threshold is smaller (for example, smaller than a certain value), it may be determined that there are more target transactions subjected to the interception processing, so as to indicate that the type of the re-checked transaction is the type of the interception processing, so as to avoid accidental injury to normal transactions; when the first threshold is larger (for example, larger than a certain value), it is determined that more target transactions are subjected to release processing, so that the type of the re-checked transaction is indicated as a release processing type, thereby avoiding release of malicious transactions, and realizing flexible configuration.

Step 307, when the target transaction is reviewed at the second time interval, obtaining second statistical data corresponding to the target transaction, wherein the second statistical data is data which is counted in the second time interval and is used for indicating transaction characteristics of a transaction main body.

The server may generate the second statistical data according to the transaction main body of the target transaction and based on the transaction performed by the transaction main body in the second time period, where a generation manner of the second statistical data is the same as a generation manner of the first statistical data, and is not described herein again.

And 308, calculating second risk information of the target transaction according to the first risk information and the second statistical data, wherein the second risk information is used for indicating the probability that the target transaction is a malicious transaction.

In a possible implementation manner, the server may analyze the first risk information and the second statistical data according to an artificially formulated rule or a trained classification model to obtain second risk information of the target transaction. The classification model is a model capable of distinguishing normal transactions from malicious transactions, and may be implemented by a classification algorithm such as a decision tree, logistic regression, random forest, and the like, which is not limited in this embodiment.

The second risk information may be a probability value, or the second risk information may be a risk level corresponding to the probability value, and at this time, a corresponding relationship between the probability interval and the risk level is preset in the server.

In a possible application scenario, a malicious molecule starts a batch of new transaction equipment in the transaction, so that the new transaction equipment does not have first statistical data (namely historical data) when performing target transaction, and the first risk processing is influenced, and the abnormality of the batch of transaction equipment can be obviously found by using second statistical data (namely after-event data) through the aggregation of transaction account numbers on the transaction equipment, so that the target transaction is determined to be malicious.

And 309, intercepting the target transaction when the second risk information is greater than or equal to a second threshold and the first risk processing is release processing.

Taking the issue of marketing resources as an example, the processing of intercepting the target transaction as described herein may be: the marketing resources allocated to the transaction subject are reclaimed.

It should be noted that, when the second risk information is greater than or equal to the second threshold and the first risk processing is the interception processing, the second risk processing is not performed on the target transaction, and the process is ended.

And step 310, when the second risk information is smaller than a second threshold value and the first risk processing is interception processing, performing release processing on the target transaction.

Taking the issue of marketing resources as an example, the intercepting process of the target transaction may be: and reissuing marketing resources for the transaction subject.

It should be noted that, when the second risk information is smaller than the second threshold and the first risk processing is release processing, the second risk processing is not performed on the target transaction, and the process is ended.

In brief, if a certain service requirement is to intercept more malicious transactions, the first threshold may be configured to be lower, that is, the first risk information exceeds the first lower threshold, that is, the interception is performed in real time, and meanwhile, in consideration of possible accidental injury to normal transactions, the triggered reissue operation may be triggered by a server automatically or by a misdirected normal user complaint, and the reissue operation may be implemented according to the second risk information, for example, reissuing marketing resources. If a certain business requirement is that normal transactions are accidentally injured as little as possible, a first threshold value can be configured to be higher, namely that the first risk information exceeds the first threshold value, namely real-time interception is performed, meanwhile, in consideration of the fact that a certain proportion of malicious transactions are released, and then a subsidy operation is performed on the malicious transactions according to second risk information, such as marketing resource recovery, wherein the subsidy operation is generally automatically triggered by a server. Through the flexible configuration and the joint judgment of the transaction risks of the two times, malicious transactions can be completely attacked, and the effectiveness of normal transactions can be ensured.

In this embodiment, the transaction data may be logically divided into historical data, real-time data and post-event data, and the server may be divided into a decision layer and a processing layer, where the decision layer includes a statistical subsystem, a real-time subsystem and an auditing subsystem, and the processing layer includes a strike configuration module, a first strike module and a second strike module. The statistical subsystem is used for carrying out statistics on the historical data to obtain first statistical data and outputting the first statistical data to the real-time subsystem; the real-time subsystem generates first risk information according to the first statistical data and the real-time data, and outputs the first risk information to the first striking module and the auditing subsystem respectively; the first striking module strikes the target transaction for the first time according to the configuration of the striking configuration module; the auditing subsystem generates second risk information according to the first risk information and the post data and outputs the second risk information to the secondary striking module; the secondary striking module performs secondary striking on the target transaction according to the configuration of the striking configuration module.

In summary, according to the transaction risk management method provided in the embodiment of the present application, the first risk processing is performed on the target transaction according to the first statistical data, and since the first statistical data is data in a time period before the target transaction starts, if there is no data about transaction characteristics of a transaction subject of the target transaction in the time period before the target transaction starts, the first risk processing on the target transaction may be inaccurate, the target transaction may be rechecked after a second time period, that is, the second risk processing is performed on the target transaction according to the second statistical data in the second time period, so that the accuracy of the transaction processing is improved.

When the first threshold is smaller (such as smaller than a certain value), more target transactions subjected to interception processing are determined, so that the checked transaction type is indicated as an interception processing type, and the normal transactions are prevented from being accidentally injured; when the first threshold is larger (for example, larger than a certain value), it is determined that more target transactions are subjected to release processing, so that the type of the re-checked transaction is indicated as a release processing type, thereby avoiding release of malicious transactions, and realizing flexible configuration.

Referring to fig. 5, a block diagram of a transaction risk management device according to an embodiment of the present application is shown, where the transaction risk management device may be applied to a server. The transaction risk management device comprises:

a first obtainingmodule 510, configured to obtain first statistical data corresponding to a target transaction when the target transaction is performed, where the first statistical data is counted in a first time period and is used to indicate data of a transaction characteristic of a transaction subject of the target transaction, and the first time period is a time period before the target transaction starts;

afirst processing module 520, configured to perform first risk processing on the target transaction according to the first statistical data obtained by the first obtainingmodule 510;

a second obtainingmodule 530, configured to obtain second statistical data corresponding to the target transaction when the target transaction is reviewed at a second time interval, where the second statistical data is counted in the second time interval and is used for indicating data of transaction characteristics of a transaction main body;

and asecondary processing module 540, configured to perform secondary risk processing on the target transaction according to the second statistical data obtained by the second obtainingmodule 530.

Optionally, the first risk processing is interception processing or release processing, and before acquiring the second statistical data corresponding to the target transaction, the apparatus further includes:

the third acquisition module is used for acquiring configuration information, and the configuration information is used for indicating the transaction type of the recheck;

the first determining module is used for determining to recheck the target transaction when the transaction type indicated by the configuration information obtained by the third obtaining module is an interception processing type and the first risk processing of the target transaction is interception processing;

and the second determining module is used for determining to recheck the target transaction when the transaction type indicated by the configuration information obtained by the third obtaining module is a release processing type and the first risk processing of the target transaction is release processing.

Optionally, the first risk processing is interception processing or release processing, and thefirst processing module 520 is further configured to:

calculating first risk information of the target transaction according to the first statistic data, wherein the first risk information is used for indicating the probability that the target transaction is a malicious transaction;

when the first risk information is larger than or equal to a first threshold value, intercepting the target transaction;

and when the first risk information is smaller than a first threshold value, performing release processing on the target transaction.

Optionally, the secondary risk processing is interception processing or release processing, and thesecondary processing module 540 is further configured to:

calculating second risk information of the target transaction according to the first risk information and the second statistical data, wherein the second risk information is used for indicating the probability that the target transaction is a malicious transaction;

when the second risk information is larger than or equal to a second threshold value and the first risk processing is release processing, intercepting the target transaction;

and when the second risk information is smaller than a second threshold value and the first risk processing is interception processing, releasing the target transaction.

Optionally, the first obtainingmodule 510 is further configured to:

acquiring target transaction data of a target transaction, wherein the target transaction data comprises at least one transaction main body data, and each transaction main body data is used for indicating a transaction main body of one dimension;

for each transaction subject data, searching historical transaction data corresponding to the transaction subject data in a historical transaction database, and generating a feature vector of the transaction subject according to the historical transaction data, wherein the historical transaction data is used for indicating transaction features of the transaction subject;

and combining the characteristic vectors corresponding to all the transaction main body data to obtain first statistical data.

In summary, according to the transaction risk management apparatus provided in the embodiment of the present application, the first risk processing is performed on the target transaction according to the first statistical data, because the first statistical data is data in a time period before the target transaction starts, if there is no data about the transaction characteristics of the transaction subject of the target transaction in the time period before the target transaction starts, the first risk processing on the target transaction may be inaccurate, and therefore, the target transaction can be rechecked after the second time period, that is, the second risk processing is performed on the target transaction according to the second statistical data in the second time period, so that the accuracy of the transaction processing is improved.

The application also provides a server, which comprises a processor and a memory, wherein at least one instruction is stored in the memory, and the at least one instruction is loaded and executed by the processor to realize the transaction risk management method provided by the above method embodiments. It should be noted that the server may be a server as provided in fig. 6 below.

Referring to fig. 6, a schematic structural diagram of a server according to an exemplary embodiment of the present application is shown. Specifically, the method comprises the following steps: theserver 600 includes a Central Processing Unit (CPU) 601, asystem memory 604 including a Random Access Memory (RAM) 602 and a Read Only Memory (ROM) 603, and asystem bus 605 connecting thesystem memory 604 and thecentral processing unit 601. Theserver 600 also includes a basic input/output system (I/O system) 606, which facilitates the transfer of information between devices within the computer, and a mass storage device 607, which stores anoperating system 613,application programs 614, and other program modules 615.

The basic input/output system 606 includes adisplay 608 for displaying information and aninput device 609 such as a mouse, keyboard, etc. for a user to input information. Wherein thedisplay 608 and theinput device 609 are connected to thecentral processing unit 601 through aninput output controller 610 connected to thesystem bus 605. The basic input/output system 606 may also include an input/output controller 610 for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, input/output controller 610 may also provide output to a display screen, a printer, or other type of output device.

The mass storage device 607 is connected to thecentral processing unit 601 through a mass storage controller (not shown) connected to thesystem bus 605. The mass storage device 607 and its associated computer-readable storage media provide non-volatile storage for theserver 600. That is, the mass storage device 607 may include a computer-readable storage medium (not shown) such as a hard disk or a CD-ROI drive.

Without loss of generality, the computer-readable storage media may include computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes RAM, ROM, EPROM, EEPROM, flash memory or other solid state memory technology, CD-ROM, DVD, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will appreciate that the computer storage media is not limited to the foregoing. Thesystem memory 604 and mass storage device 607 described above may be collectively referred to as memory.

The memory stores one or more programs configured to be executed by the one or morecentral processing units 601, the one or more programs containing instructions for implementing the transaction risk management methods described above, and thecentral processing unit 601 executes the one or more programs to implement the transaction risk management methods provided by the various method embodiments described above.

Theserver 600 may also operate as a remote computer connected to a network via a network, such as the internet, in accordance with various embodiments of the present invention. That is, theserver 600 may be connected to thenetwork 612 through thenetwork interface unit 611 connected to thesystem bus 605, or may be connected to other types of networks or remote computer systems (not shown) using thenetwork interface unit 611.

The memory further comprises one or more programs, the one or more programs are stored in the memory, and the one or more programs comprise steps executed by the server for performing the transaction risk management method provided by the embodiment of the invention.

Embodiments of the present application also provide a computer-readable storage medium, in which at least one instruction, at least one program, a set of codes, or a set of instructions is stored, and the at least one instruction, the at least one program, the set of codes, or the set of instructions is loaded and executed by theprocessor 610 to implement the transaction risk management method as described above.

The present application further provides a computer program product, which when run on a computer, causes the computer to execute the transaction risk management method provided by the above method embodiments.

One embodiment of the present application provides a computer-readable storage medium having at least one instruction, at least one program, set of codes, or set of instructions stored therein, which is loaded and executed by a processor to implement a transaction risk management method as described above.

One embodiment of the present application provides a server comprising a processor and a memory, wherein the memory stores at least one instruction, and the instruction is loaded and executed by the processor to implement the transaction risk management method as described above.

It should be noted that: in the above embodiment, when the transaction risk management device performs the transaction risk management, only the division of the functional modules is illustrated, and in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the transaction risk management device is divided into different functional modules to complete all or part of the above-described functions. In addition, the transaction risk management device and the transaction risk management method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.

It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.

The above description should not be taken as limiting the embodiments of the present application, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the embodiments of the present application should be included in the scope of the embodiments of the present application.

Claims

1. A transaction risk management method, the method comprising:

when a target transaction is carried out, acquiring first statistical data corresponding to the target transaction, wherein the first statistical data are data which are counted in a first time period and used for indicating transaction characteristics of a transaction main body of the target transaction, and the first time period is a time period before the target transaction starts; the initiator of the target transaction is the transaction main body, the transaction main body is identified by transaction main body data, and the transaction main body data comprises one or more of a transaction account number, a transaction Internet Protocol (IP) and a device identifier of transaction equipment; the first statistical data is obtained by combining the characteristic vectors corresponding to the transaction subject data according to a preset sequence;

performing first risk processing on the target transaction according to the first statistic data, wherein the first risk processing is interception processing or release processing;

acquiring configuration information, wherein the configuration information is used for indicating the transaction type of the rechecking;

when the transaction type indicated by the configuration information is an interception processing type and the first risk processing of the target transaction is interception processing, determining to recheck the target transaction;

when the transaction type indicated by the configuration information is a release processing type and the first risk processing of the target transaction is release processing, determining to recheck the target transaction;

2. The method of claim 1, wherein the first risk processing is interception processing or release processing, and wherein the first risk processing of the target transaction according to the first statistic data comprises:

when the first risk information is larger than or equal to a first threshold value, the interception processing is carried out on the target transaction;

and when the first risk information is smaller than a first threshold value, performing the releasing processing on the target transaction.

3. The method of claim 2, wherein the secondary risk processing is interception processing or release processing, and wherein the secondary risk processing of the target transaction according to the second statistical data comprises:

when the second risk information is larger than or equal to a second threshold value and the first risk processing is release processing, the interception processing is carried out on the target transaction;

and when the second risk information is smaller than a second threshold value and the first risk processing is interception processing, performing the release processing on the target transaction.

4. The method of any of claims 1 to 3, wherein said obtaining first statistical data corresponding to said target transaction comprises:

acquiring target transaction data of the target transaction, wherein the target transaction data comprises at least one transaction main body data, and each transaction main body data is used for indicating a transaction main body of one dimension;

and combining the feature vectors corresponding to all transaction main body data to obtain the first statistical data.

5. A transaction risk management apparatus, the apparatus comprising:

the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring first statistical data corresponding to a target transaction when the target transaction is carried out, the first statistical data are counted in a first time period and are used for indicating transaction characteristics of a transaction main body of the target transaction, and the first time period is a time period before the target transaction starts; the initiator of the target transaction is the transaction main body, the transaction main body is identified by transaction main body data, and the transaction main body data comprises one or more of a transaction account number, a transaction Internet Protocol (IP) and a device identifier of transaction equipment; the first statistical data is obtained by combining the characteristic vectors corresponding to the transaction subject data according to a preset sequence;

the first processing module is used for carrying out first risk processing on the target transaction according to the first statistic data obtained by the first obtaining module, wherein the first risk processing is interception processing or release processing;

the third acquisition module is used for acquiring configuration information, and the configuration information is used for indicating the transaction type of the rechecking;

a first determining module, configured to determine to recheck the target transaction when the transaction type indicated by the configuration information obtained by the third obtaining module is an interception processing type and the first risk processing of the target transaction is interception processing;

a second determining module, configured to determine to recheck the target transaction when the transaction type indicated by the configuration information obtained by the third obtaining module is a release processing type and the first risk processing of the target transaction is release processing;

6. The apparatus of claim 5, wherein the first risk process is an intercept process or a release process, and wherein the first process module is further configured to:

7. The apparatus of claim 6, wherein the secondary risk process is an intercept process or a release process, and wherein the secondary processing module is further configured to:

8. The apparatus of any one of claims 5 to 7, wherein the first obtaining module is further configured to:

9. A server, comprising a processor and a memory, wherein the memory has stored therein at least one instruction that is loaded and executed by the processor to implement the transaction risk management method of any of claims 1 to 4.

10. A computer-readable storage medium, wherein at least one program is stored in the storage medium, and the at least one program is loaded and executed by a processor to implement the transaction risk management method according to any one of claims 1 to 4.