CN118195622A - Telecom fraud risk detection method and device - Google Patents

Telecom fraud risk detection method and device

Publication number
CN118195622A
Authority
CN
China
Prior art keywords
transaction
risk
historical
opponent
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410357532.4A
Other languages
Chinese (zh)
Inventor
周瑞霞
靳如森
刘瑶
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202410357532.4A
Publication of CN118195622A
Legal status: Pending

Abstract

The application provides a telecommunication fraud risk detection method and a device, which can be used in the technical field of machine learning, and the method comprises the following steps: receiving a transaction request for a target transaction, the transaction request comprising: a unique identification of the payer, a transaction amount, a transaction type, a transaction time, a transaction location, and a unique identification of a transaction opponent; determining transaction risk information corresponding to the target transaction according to the transaction request; determining a telecommunication fraud risk probability corresponding to the target transaction according to a preset telecommunication fraud detection model, transaction amount, transaction type and transaction risk information, wherein the preset telecommunication fraud detection model is obtained by training a decision tree algorithm in advance; and completing the telecommunication fraud risk detection of the target transaction according to the telecommunication fraud risk probability. The application can improve the accuracy and the effectiveness of the detection of the telecom fraud risk, further can improve the reliability of the telecom fraud interception and ensures the safety of the transaction process.

Description

Telecom fraud risk detection method and device
Technical Field
The application relates to the technical field of machine learning, in particular to a telecommunication fraud risk detection method and device.
Background
Blacklist interception and manual auditing are the two modes banks currently use most often to detect telecom fraud risk. Blacklist interception creates a telecommunication fraud blacklist that records known telecommunication fraud telephone numbers, accounts and similar information; for transactions originating from the telephone numbers, accounts and other information in the blacklist, the bank automatically intercepts the transaction and prompts the customer. Manual auditing interception judges whether a telecom fraud risk exists by monitoring and auditing customers' transaction behaviors; for transactions at risk, the bank can intercept in time and coordinate with the customer for confirmation.
These existing blacklist interception and manual auditing modes have the defects of incomplete coverage, low precision and low timeliness. The blacklist mainly intercepts fraudulent behavior based on known fraudulent numbers, but because fraud means change from day to day and attackers continuously update their methods, the blacklist is difficult to update in time and cannot cover all fraudulent behaviors. Manual auditing consumes a great deal of manpower and time, makes it difficult to ensure the accuracy and consistency of audit results, cannot meet the requirement of real-time interception, and easily causes customer loss. Neither the blacklist nor manual auditing can accurately identify telecom fraud risks; misjudgments and missed reports can occur, causing unnecessary interference and loss to customers.
Disclosure of Invention
Aiming at least one problem in the prior art, the application provides a method and a device for detecting the telecom fraud risk, which can improve the accuracy and the effectiveness of the telecom fraud risk detection, further can improve the reliability of telecom fraud interception and ensure the safety of a transaction process.
In order to solve the technical problems, the application provides the following technical scheme:
In a first aspect, the present application provides a telecommunications fraud risk detection method, comprising:
Receiving a transaction request for a target transaction, the transaction request comprising: a unique identification of the payer, a transaction amount, a transaction type, a transaction time, a transaction location, and a unique identification of a transaction opponent;
Determining transaction risk information corresponding to the target transaction according to the transaction request, wherein the transaction risk information comprises: account balance, an identifier of whether the transaction time is commonly used, an identifier of whether the transaction place is commonly used, an identifier of whether the transaction opponent is commonly used, the risk level of the transaction opponent and the daily transaction number;
Determining a telecommunication fraud risk probability corresponding to the target transaction according to a preset telecommunication fraud detection model, the transaction amount, the transaction type and the transaction risk information, wherein the preset telecommunication fraud detection model is obtained by training a decision tree algorithm in advance based on historical transaction amount, historical transaction type, historical transaction risk information and actual telecommunication fraud risk probability of batch historical transactions;
and completing telecom fraud risk detection of the target transaction according to the telecom fraud risk probability.
In one embodiment, the telecommunication fraud risk detection method further includes:
acquiring risk grade evaluation information of the trade opponent according to the unique identification of the trade opponent;
determining the risk level of the trade opponent according to a preset risk level evaluation model and the risk level evaluation information, and storing the corresponding relation between the unique identification of the trade opponent and the risk level;
The preset risk level evaluation model is obtained by training classification algorithms in advance based on the risk level evaluation information of the batch historical clients and the corresponding actual risk levels thereof.
In one embodiment, the determining transaction risk information corresponding to the target transaction according to the transaction request includes:
Obtaining a plurality of historical transaction records within a preset time range according to the unique identifier of the payer, wherein each historical transaction record comprises: historical transaction time, historical transaction location, and unique identification of historical transaction opponents;
Judging whether the probability that the transaction time occurs as the historical transaction time in the historical transaction records is larger than a transaction time threshold value, and if so, setting the identifier of whether the transaction time is commonly used to indicate a commonly used transaction time;
Determining each historical transaction record in which the distance between the historical transaction place and the transaction place is smaller than a distance threshold value as a record to be processed;
Judging whether the ratio between the number of records to be processed and the number of historical transaction records is larger than a transaction place threshold value, and if so, setting the identifier of whether the transaction place is commonly used to indicate a commonly used transaction place;
Judging whether the probability that the unique identification of the transaction opponent occurs as the unique identification of the historical transaction opponent in the historical transaction records is larger than a transaction opponent threshold value, and if so, setting the identifier of whether the transaction opponent is commonly used to indicate a commonly used transaction opponent;
and obtaining the risk level and daily transaction number of the transaction opponent according to the corresponding relation between the pre-stored unique identification of the transaction opponent and the risk level and the unique identification of the transaction opponent.
In one embodiment, the telecommunication fraud risk detection method further includes:
obtaining a training dataset comprising: historical transaction amount, historical transaction type, historical transaction risk information and actual telecommunication fraud risk probability for a batch of historical transactions;
And training a decision tree algorithm by using the historical transaction amount, the historical transaction type, the historical transaction risk information and the actual telecom fraud risk probability of the batch of historical transactions to obtain the preset telecom fraud detection model.
In one embodiment, the telecommunication fraud risk detection method further includes:
Acquiring risk level evaluation information of batch historical clients and corresponding actual risk levels of the batch historical clients;
and training classification algorithms by applying the risk level evaluation information of the batch historical clients and the actual risk levels corresponding to the risk level evaluation information to obtain the preset risk level evaluation model.
In one embodiment, the telecommunications fraud risk detection for completing the target transaction according to the telecommunications fraud risk probability comprises:
determining a bank response processing mode according to the telecom fraud risk probability;
And completing the telecommunication fraud risk detection of the target transaction according to the bank response processing mode.
In one embodiment, before determining the telecommunication fraud risk probability corresponding to the target transaction according to the preset telecommunication fraud detection model, the transaction amount, the transaction type and the transaction risk information, the method further includes:
and carrying out feature normalization processing and feature dimension reduction processing on the transaction amount, the transaction type and the transaction risk information.
In a second aspect, the present application provides a telecommunications fraud risk detection apparatus, comprising:
A receiving module, configured to receive a transaction request of a target transaction, where the transaction request includes: a unique identification of the payer, a transaction amount, a transaction type, a transaction time, a transaction location, and a unique identification of a transaction opponent;
The information determining module is configured to determine transaction risk information corresponding to the target transaction according to the transaction request, where the transaction risk information includes: account balance, an identifier of whether the transaction time is commonly used, an identifier of whether the transaction place is commonly used, an identifier of whether the transaction opponent is commonly used, the risk level of the transaction opponent and the daily transaction number;
the risk probability determining module is used for determining a telecommunication fraud risk probability corresponding to the target transaction according to a preset telecommunication fraud detection model, the transaction amount, the transaction type and the transaction risk information, wherein the preset telecommunication fraud detection model is obtained by training a decision tree algorithm in advance based on historical transaction amount, historical transaction type, historical transaction risk information and actual telecommunication fraud risk probability of batch historical transactions;
And the detection module is used for completing the telecommunication fraud risk detection of the target transaction according to the telecommunication fraud risk probability.
In one embodiment, the telecommunication fraud risk detection apparatus further includes:
the evaluation information acquisition module is used for acquiring risk grade evaluation information of the trade opponent according to the unique identifier of the trade opponent;
The risk level determining module is used for determining the risk level of the trade opponent according to a preset risk level evaluation model and the risk level evaluation information and storing the corresponding relation between the unique identification of the trade opponent and the risk level;
The preset risk level evaluation model is obtained by training classification algorithms in advance based on the risk level evaluation information of the batch historical clients and the corresponding actual risk levels thereof.
In one embodiment, the information determining module includes:
A transaction record obtaining unit, configured to obtain, according to the unique identifier of the payer, a plurality of historical transaction records within a preset time range and account balance of the payer, where each historical transaction record includes: historical transaction time, historical transaction location, and unique identification of historical transaction opponents;
The first judging unit is used for judging whether the probability that the transaction time occurs as the historical transaction time in the historical transaction records is larger than a transaction time threshold value, and if so, setting the identifier of whether the transaction time is commonly used to indicate a commonly used transaction time;
The to-be-processed record determining unit is configured to determine each historical transaction record in which the distance between the historical transaction place and the transaction place is smaller than a distance threshold as a to-be-processed record;
The second judging unit is used for judging whether the ratio between the number of records to be processed and the number of historical transaction records is larger than a transaction place threshold value, and if so, setting the identifier of whether the transaction place is commonly used to indicate a commonly used transaction place;
The third judging unit is used for judging whether the probability that the unique identification of the transaction opponent occurs as the unique identification of the historical transaction opponent in the historical transaction records is larger than a transaction opponent threshold value, and if so, setting the identifier of whether the transaction opponent is commonly used to indicate a commonly used transaction opponent;
the risk level obtaining unit is used for obtaining the risk level and daily transaction number of the transaction opponent according to the corresponding relation between the pre-stored unique identification of the transaction opponent and the risk level and the unique identification of the transaction opponent.
In one embodiment, the telecommunication fraud risk detection apparatus further includes:
A first acquisition module for acquiring a training data set, the training data set comprising: historical transaction amount, historical transaction type, historical transaction risk information and actual telecommunication fraud risk probability for a batch of historical transactions;
The first training module is used for training the decision tree algorithm by applying the historical transaction amount, the historical transaction type, the historical transaction risk information and the actual telecom fraud risk probability of the batch historical transactions to obtain the preset telecom fraud detection model.
In one embodiment, the telecommunication fraud risk detection apparatus further includes:
the second acquisition module is used for acquiring the risk level evaluation information of the batch historical clients and the actual risk levels corresponding to the risk level evaluation information;
and the second training module is used for training a classification algorithm by applying the risk level evaluation information of the batch historical clients and the actual risk levels corresponding to the risk level evaluation information to obtain the preset risk level evaluation model.
In one embodiment, the detection module comprises:
The processing mode determining unit is used for determining a bank response processing mode according to the telecom fraud risk probability;
And the detection unit is used for completing the telecom fraud risk detection of the target transaction according to the bank response processing mode.
In one embodiment, the telecommunication fraud risk detection apparatus further includes:
and the preprocessing module is used for carrying out feature normalization processing and feature dimension reduction processing on the transaction amount, the transaction type and the transaction risk information.
In a third aspect, the present application provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the telecommunication fraud risk detection method when executing the program.
In a fourth aspect, the present application provides a computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the telecommunications fraud risk detection method.
According to the above technical scheme, the application provides a telecommunication fraud risk detection method and device. The method comprises the following steps: receiving a transaction request for a target transaction, the transaction request comprising: a unique identification of the payer, a transaction amount, a transaction type, a transaction time, a transaction location, and a unique identification of a transaction opponent; determining transaction risk information corresponding to the target transaction according to the transaction request, wherein the transaction risk information comprises: account balance, an identifier of whether the transaction time is commonly used, an identifier of whether the transaction place is commonly used, an identifier of whether the transaction opponent is commonly used, the risk level of the transaction opponent and the daily transaction number; determining a telecommunication fraud risk probability corresponding to the target transaction according to a preset telecommunication fraud detection model, the transaction amount, the transaction type and the transaction risk information, wherein the preset telecommunication fraud detection model is obtained by training a decision tree algorithm in advance based on historical transaction amount, historical transaction type, historical transaction risk information and actual telecommunication fraud risk probability of batch historical transactions; and completing the telecom fraud risk detection of the target transaction according to the telecom fraud risk probability. On the basis of guaranteeing the efficiency of telecom fraud risk detection, this can improve the accuracy and the effectiveness of the telecom fraud risk detection, and in turn the reliability of telecom fraud interception, ensuring the safety of the transaction process. Specifically, the influence of both the sender and the transaction opponent on the telecommunication fraud risk can be considered, so that the accuracy and the effectiveness of telecommunication fraud risk detection are improved; applying machine learning technology to establish a telecommunication fraud detection model can improve the internal risk management level of the bank, optimize the business process and strategy, reduce the fraud rate and risk degree, improve the fraud detection capacity and service quality of the bank, help construct a more intelligent, safe and reliable bank service system, and improve the overall competitiveness of the bank.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a first process of a telecommunication fraud risk detection method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a second process of the telecommunication fraud risk detection method according to the embodiment of the present application;
FIG. 3 is a schematic diagram of a third flow chart of a telecommunication fraud risk detection method according to an embodiment of the present application;
FIG. 4 is a fourth flowchart of a telecommunication fraud risk detection method according to an embodiment of the present application;
FIG. 5 is a logical schematic diagram of a telecommunication fraud risk detection method in an application example of the present application;
FIG. 6 is a schematic diagram of a telecommunications fraud risk detection apparatus according to an embodiment of the present application;
FIG. 7 is a schematic block diagram of a system configuration of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In order to facilitate understanding of the present solution, technical terms related to the present solution are described below.
Machine learning (Machine Learning): an artificial intelligence method that builds predictive models by analyzing and learning from datasets, enabling predictions on unknown data.
Telecommunication fraud (Telecom Fraud): criminal activities that use telephone or internet communication technology to commit fraud, including, but not limited to, fraudulently obtaining personal privacy information, transfer fraud, counterfeiting of banking sites, etc.
Automatic interception (Auto-Blocking): an interception system is integrated into the bank account; when a customer conducts a transaction, the system automatically detects whether fraud is present and, if so, stops the transaction and reminds the customer.
The blacklist in the prior art is difficult to extend to all telecommunication fraud behaviors, and manual auditing makes it difficult to ensure the accuracy and timeliness of audit results. In the present solution, risk assessment and grading can be carried out according to the historical transaction behaviors of customers and their transaction behaviors monitored in real time, and when abnormal behavior is detected the transaction is automatically intercepted and feedback is given to the customer, so that the loss caused to customers by telecommunication fraud is greatly reduced and customer satisfaction is improved.
It should be noted that the method and the device for detecting the telecom fraud risk disclosed by the application can be used in the technical field of finance, and can also be used in any field except the technical field of finance, and the application field of the method and the device for detecting the telecom fraud risk disclosed by the application is not limited. The technical proposal of the application accords with the relevant regulations of laws and regulations for data acquisition, storage, use, processing and the like.
The following examples are presented in detail.
In order to improve the accuracy and effectiveness of the telecom fraud risk detection, further improve the reliability of telecom fraud interception and ensure the security of the transaction process, the embodiment provides a telecom fraud risk detection method, the execution subject of which is a telecom fraud risk detection device, including but not limited to a server, as shown in fig. 1, the method specifically includes the following:
Step 101: receiving a transaction request for a target transaction, the transaction request comprising: the unique identification of the payer, the transaction amount, the transaction type, the transaction time, the transaction location, and the unique identification of the transaction opponent.
In particular, the telecommunication fraud risk detection apparatus may receive a transaction request of a target transaction sent from the front end by the payer. The unique identifier of the payer is used for distinguishing different payers and can be a character string consisting of numbers and/or letters, such as an identity card number or an account number and the like; the unique identification of the trade opponent is used for distinguishing different trade opponents, and can be a character string consisting of numbers and/or letters, such as an identity card number or an account number and the like; the transaction types may include: transfer, payment, buying and selling, deposit/withdrawal, settlement, financing, deposit and investment transactions, etc.; if the transaction type is a transfer transaction, the transaction opponent may be a payee.
Step 102: determining transaction risk information corresponding to the target transaction according to the transaction request, wherein the transaction risk information comprises: account balance, an identifier of whether the transaction time is commonly used, an identifier of whether the transaction place is commonly used, an identifier of whether the transaction opponent is commonly used, the risk level of the transaction opponent, and the daily transaction count.
Specifically, the daily transaction count may represent the average daily transaction count of the transaction opponent in a preset time period, and the preset time period may be set according to practical situations, which is not limited in the present application.
Step 103: and determining a telecommunication fraud risk probability corresponding to the target transaction according to a preset telecommunication fraud detection model, the transaction amount, the transaction type and the transaction risk information, wherein the preset telecommunication fraud detection model is obtained by training a decision tree algorithm in advance based on historical transaction amount, historical transaction type, historical transaction risk information and actual telecommunication fraud risk probability of batch historical transactions.
Specifically, the 8 features (transaction amount, transaction type, account balance, the identifier of whether the transaction time is commonly used, the identifier of whether the transaction place is commonly used, the identifier of whether the transaction opponent is commonly used, the risk level of the transaction opponent and the daily transaction number) can be normalized so that the values of different features are mapped to the same range; this makes the weights of the features equal and avoids domination by any single feature. For the 5 features of transaction amount, account balance, transaction type, risk level of the transaction opponent and daily transaction number, the current value can be divided by the historical maximum correct value to obtain the normalized result. The transaction amount, the transaction type and the transaction risk information can be input into the preset telecommunication fraud detection model, and the output result of the preset telecommunication fraud detection model is determined as the telecommunication fraud risk probability corresponding to the target transaction.
Step 104: and completing telecom fraud risk detection of the target transaction according to the telecom fraud risk probability.
In order to improve the accuracy and the intelligence degree of determining the risk level of the transaction opponent and further improve the reliability of the target transaction telecommunication fraud risk detection, as shown in fig. 2, in one embodiment, the telecommunication fraud risk detection method further includes:
Step 201: and obtaining risk grade evaluation information of the trade opponent according to the unique identification of the trade opponent.
Specifically, the telecom fraud risk detection device may store in advance a batch of unique customer identifiers and the risk level evaluation information corresponding to each of them, and take the risk level evaluation information stored for the unique customer identifier that matches the unique identification of the transaction opponent as the risk level evaluation information of the transaction opponent. The risk level evaluation information may include: age, occupation, number of transactions per day, average amount per transaction, location, credit information, etc. of the transaction opponent.
Step 202: determining the risk level of the trade opponent according to a preset risk level evaluation model and the risk level evaluation information, and storing the corresponding relation between the unique identification of the trade opponent and the risk level; the preset risk level evaluation model is obtained by training classification algorithms in advance based on the risk level evaluation information of the batch historical clients and the corresponding actual risk levels thereof.
In particular, the correspondence between the unique identification of the transaction opponent and the risk level may be stored in a database local to the telecommunication fraud risk detection apparatus.
To improve the reliability of obtaining transaction risk information, as shown in FIG. 3, in one embodiment, step 102 includes:
Step 301: obtaining a plurality of historical transaction records within a preset time range according to the unique identifier of the payer, wherein each historical transaction record comprises: historical transaction time, historical transaction location, and unique identification of historical transaction opponents.
Specifically, the preset time range may be set according to actual needs, which is not limited by the present application. The telecom fraud risk detection device can locally store in advance a correspondence between a unique identifier of a payer, an account balance and a historical transaction record; the historical transaction time is the transaction time corresponding to the historical transaction record, the historical transaction location is the transaction location corresponding to the historical transaction record, and the unique identifier of the historical transaction opponent is the unique identifier of the transaction opponent corresponding to the historical transaction record.
Step 302: judging whether the probability that the transaction time appears as the historical transaction time in the historical transaction records is greater than a transaction time threshold; if so, setting the whether-commonly-used-transaction-time identifier to indicate a commonly used transaction time.
Step 303: determining each historical transaction record in which the distance between the historical transaction place and the transaction place is smaller than a distance threshold as a record to be processed.
Step 304: judging whether the ratio between the number of records to be processed and the number of historical transaction records is greater than a transaction place threshold; if so, setting the whether-commonly-used-transaction-place identifier to indicate a commonly used transaction place.
Step 305: judging whether the probability that the unique identification of the transaction opponent appears as the unique identification of the historical transaction opponent in the historical transaction records is greater than a transaction opponent threshold; if so, setting the whether-commonly-used-transaction-opponent identifier to indicate a commonly used transaction opponent.
Specifically, assuming that the number of historical transaction records is N: if the historical transaction time in m1 of the historical transaction records is the transaction time, the probability that the transaction time appears as the historical transaction time in the historical transaction records is m1/N; if the number of records to be processed is m2, the ratio between the number of records to be processed and the number of historical transaction records is m2/N; if the unique identification of the historical transaction opponent in m3 of the historical transaction records is the unique identification of the transaction opponent, the probability that the unique identification of the transaction opponent appears as the unique identification of the historical transaction opponent in the historical transaction records is m3/N.
Step 306: obtaining the risk level and daily transaction number of the transaction opponent according to the unique identification of the transaction opponent and the pre-stored correspondence between the unique identification of the transaction opponent and the risk level.
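Steps 302 to 305 and the m1/N, m2/N and m3/N ratios above, as an added Python example that is not code from the patent; it derives the three "commonly used" flags from a constructed transaction history. The threshold values, matching transaction time by hour of day, and representing places as latitude/longitude pairs are assumptions the page does not specify.

```python
import math
from datetime import datetime

# Assumed threshold values; the page leaves them to the implementer.
TIME_THRESHOLD = 0.2
PLACE_THRESHOLD = 0.3
OPPONENT_THRESHOLD = 0.1
DISTANCE_THRESHOLD_KM = 5.0


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def risk_flags(request, history):
    """Derive the step 302-305 flags for one transaction request."""
    n = len(history)
    if n == 0:
        # No history means no ratio can be formed: nothing counts as commonly used.
        ratios = (0.0, 0.0, 0.0)
    else:
        # m1: records whose time matches (assumption: same hour of day).
        m1 = sum(1 for r in history if r["time"].hour == request["time"].hour)
        # m2: "records to be processed", i.e. within the distance threshold (step 303).
        m2 = sum(1 for r in history
                 if haversine_km(r["place"], request["place"]) < DISTANCE_THRESHOLD_KM)
        # m3: records with the same transaction opponent.
        m3 = sum(1 for r in history if r["opponent"] == request["opponent"])
        ratios = (m1 / n, m2 / n, m3 / n)
    return {
        "ratios": ratios,
        "common_time": ratios[0] > TIME_THRESHOLD,
        "common_place": ratios[1] > PLACE_THRESHOLD,
        "common_opponent": ratios[2] > OPPONENT_THRESHOLD,
    }


# Constructed sample data: two places and ten historical records for one payer.
BJ, SH = (39.9042, 116.4074), (31.2304, 121.4737)
HISTORY = [
    {"time": datetime.fromisoformat(t), "place": p, "opponent": o}
    for t, p, o in [
        ("2024-03-01T10:05", BJ, "C001"),
        ("2024-03-02T10:40", BJ, "C002"),
        ("2024-03-03T19:15", BJ, "C001"),
        ("2024-03-05T10:20", SH, "C003"),
        ("2024-03-06T12:00", BJ, "C002"),
        ("2024-03-08T10:55", BJ, "C001"),
        ("2024-03-09T19:30", BJ, "C003"),
        ("2024-03-10T10:10", SH, "C003"),
        ("2024-03-12T10:45", BJ, "C002"),
        ("2024-03-14T21:00", BJ, "C001"),
    ]
]

# Constructed requests: one that fits the payer's habits and one that does not.
USUAL = {"time": datetime.fromisoformat("2024-03-20T10:30"),
         "place": (39.9100, 116.4100), "opponent": "C001"}
UNUSUAL = {"time": datetime.fromisoformat("2024-03-20T03:12"),
           "place": SH, "opponent": "C999"}

if __name__ == "__main__":
    for name, req in (("usual", USUAL), ("unusual", UNUSUAL)):
        print(name, risk_flags(req, HISTORY))
```

The unusual request shows why the place flag is a ratio test rather than a membership test: the payer has transacted in that city before, but 2 of 10 records does not exceed the place threshold.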
In order to improve the reliability of the training of the telecom fraud detection model and further improve the accuracy of the application of the telecom fraud detection model, as shown in fig. 4, in one embodiment, the telecom fraud risk detection method further includes:
Step 401: obtaining a training dataset comprising: historical transaction amount, historical transaction type, historical transaction risk information, and actual telecommunication fraud risk probability for a batch of historical transactions.
In one example, the training data set is shown in table 1:
TABLE 1
Step 402: training a decision tree algorithm using the training data set to obtain the preset telecommunication fraud detection model.
Specifically, the decision tree algorithm may be the ID3 decision tree algorithm. Decision trees are a commonly used classification and prediction technique that supports rapid analysis of, and decisions on, data. The basic idea of the ID3 algorithm is to treat the decision tree as an information source: using information gain from information theory, find the field (attribute) in the database that carries the most information and make it a node of the decision tree, create a branch of the tree for each distinct value of that field, and then repeat the process of building lower nodes and branches on the subset in each branch, so as to build the decision tree.
For example, let a table consist of an object set $U$ with $t$ attributes $(A_1, A_2, \dots, A_j, \dots, A_t)$, where attribute $A_j$ takes $w$ values $\{A_{j1}, A_{j2}, \dots, A_{jw}\}$, which partition the object set $U$ into $\{U_{j1}, U_{j2}, \dots, U_{jw}\}$.
If the goal of learning from examples is to form $n$ classes, where $P_j$ is the probability of occurrence of information of the $j$-th class ($1 \le j \le n$; approximated by the relative frequency in ID3), then the expected information amount is $H(U) = -\sum_{j=1}^{n} P_j \log_2 P_j$. If the partition $\{U_{j1}, U_{j2}, \dots, U_{jw}\}$ of the object set $U$ by attribute $A_j$ is used as the sink, the posterior information amount is $H(U \mid A_j) = \sum_{m=1}^{w} P(U_{jm}) H(U_{jm})$, and the information gain is $I(U, A_j) = H(U) - H(U \mid A_j)$. The attribute $A_j$ for which $I(U, A_j) = \max[I(U, A_j)]$ carries the most information and becomes the root of the decision tree; the other attributes are then applied recursively in each branch to obtain the decision tree.
In order to improve the reliability of the training of the risk level evaluation model and further improve the reliability of the application of the risk level evaluation model, in one embodiment, the telecom fraud risk detection method further includes: acquiring risk level evaluation information of batch historical clients and the corresponding actual risk levels of the batch historical clients; Step 502: training a classification algorithm using the risk level evaluation information of the batch historical clients and the corresponding actual risk levels to obtain the preset risk level evaluation model.
To achieve timely response of the telecommunication fraud risk, in one embodiment, step 104 comprises: determining a bank response processing mode according to the telecom fraud risk probability; and completing the telecommunication fraud risk detection of the target transaction according to the bank response processing mode.
The correspondence between the telecommunication fraud risk probability and the bank response processing mode may be pre-stored locally in the telecommunication fraud risk detection device. For example, the correspondence between the telecom fraud risk probability and the bank response processing mode is shown in Table 2:
TABLE 2
Telecommunication fraud probability | Bank response processing
0-10% | No treatment
10-50% | Alert the customer that the transaction may be telecommunication fraud
50-70% | Remind the customer that the transaction may be telecommunication fraud and require the customer to wait 15 minutes before proceeding with the transaction
70-90% | Forcibly intercept the transaction and require remote teller verification, with high-risk transaction verification confirmed by the remote teller
90-100% | Forcibly intercept the transaction and require manual handling at the counter, with high-risk transaction verification confirmed by the teller
To improve the efficiency of the telecommunication fraud risk detection, in one embodiment, the method further includes, before step 103: performing feature normalization processing and feature dimension reduction processing on the transaction amount, the transaction type and the transaction risk information.
In order to further explain the scheme, as shown in fig. 5, the application also provides an application example of the telecom fraud risk detection method, which is specifically described as follows:
Step 1: data acquisition and processing.
Specifically, the collected information includes: personal information of the customer, transaction information and telecommunication fraud information. The bank transaction system holds the historical transaction data and personal data of the bank's customers, and the security system holds information on the telecom fraud cases that have occurred to the bank's customers. The information collected from the bank transaction system and the security system is aggregated and merged, finally yielding 9 features: customer number, transaction amount, account balance, transaction type (deposit: 1, withdrawal: 3, transfer: 2, transfer: 4), transaction time, transaction location, whether usual opponents (transactions occur more than 3 months per month), opponent risk level (risk level can be queried by the bank's risk control system), whether telecommunication fraud.
Step 2: feature extraction.
(1) Feature selection: according to the characteristics of telecommunication fraud, 8 features are preliminarily selected: transaction amount, account balance, transaction type, whether transaction time is commonly used, whether transaction place is commonly used, whether transaction opponents are commonly used, transaction opponent risk level and daily transaction count.
(2) Feature normalization: after the features are selected, normalization maps the values of the different features into the same range so that the features carry equal weight and no single feature dominates the others. For the 5 features of transaction amount, account balance, transaction type, transaction opponent risk level and daily transaction number, the current value is divided by the historical maximum correct value to normalize it.
(3) Feature dimension reduction: feature dimension reduction is applied to lower the feature dimension, which reduces the time and space complexity of model training and prediction and improves model efficiency. The "whether transaction time is commonly used" feature is similar to the "whether transaction place is commonly used" feature, and the "whether transaction opponents are commonly used" feature is similar to the "transaction opponent risk level" feature. Finally, the following 5 features were obtained after normalization: transaction amount, account balance, transaction type, whether transaction time and place are commonly used, whether transaction opponents are commonly used, and transaction opponent risk level, daily transaction count.
Step 3: model training.
The decision tree generation process, namely a tree node selection process, comprises the following specific steps:
(1) Calculating information gain of all the attributes, and selecting the attribute with the maximum information gain as a root node;
① The entropy of the original system is as follows:
$H(S) = -\sum_{j} P_j \log_2 P_j, \quad j = 1, 2, \dots, 20$
② Entropy after selecting a certain attribute (e.g., trade partner risk level) is:
$H(U \mid A_i) = \sum_{m} P(U_{im}) H(U_{im})$
③ The entropy gain is:
$I(U, A_i) = H(U) - H(U \mid A_i)$
④ Calculating an entropy gain rate:
$\mathrm{Gain}(A) = I(U, A_i) / H(S)$
(2) Selecting the attribute transaction opponent risk level with the maximum entropy gain rate as the root node of the tree;
(3) The two steps are repeated by using the sample subset of the node, and the attribute with the maximum information gain rate is still selected as the child node for the subset of each branch until all the subsets contain the data of the same category, namely the data are classified to the leaves.
Constructing a telecom fraud prediction decision tree from the step (1) to the step (3), and applying the telecom fraud prediction decision tree to predict the telecom fraud probability of the customer transaction, wherein the function realized by the telecom fraud prediction decision tree can be equivalent to the function realized by the telecom fraud detection model. In one example, 30 customers' information may be randomly extracted for training to generate a decision tree with 5 characteristic attributes of the extracted transaction amount, account balance, transaction type, transaction opponent risk level, daily transaction count.
Step 4: abnormality detection and automatic interception.
After receiving a new transaction initiated by a customer, the bank transaction system inputs characteristic information of the new transaction into a telecom fraud detection model to detect the transaction, and the output result of the telecom fraud detection model is the probability of telecom fraud, and according to the probability, the bank transaction system responds to processing, and the function realized by the bank transaction system can be equivalent to the function realized by the telecom fraud risk detection device.
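The ID3 procedure of step 402 and of steps (1) to (3) above, followed by the Table 2 response selection of step 4, as an added Python example that is not the patent's own code. The training rows, the discretized feature values, the response labels and the rule that a probability on a band boundary falls into the stricter band are assumptions.

```python
import math
from collections import Counter, defaultdict

LABEL = "fraud"


def entropy(rows):
    """H(U) = -sum_j P_j log2 P_j, with P_j taken as relative class frequency."""
    n = len(rows)
    return -sum(c / n * math.log2(c / n)
                for c in Counter(r[LABEL] for r in rows).values())


def split(rows, attr):
    """Partition U into {U_j1, ..., U_jw} by the values of one attribute."""
    parts = defaultdict(list)
    for r in rows:
        parts[r[attr]].append(r)
    return parts


def info_gain(rows, attr):
    """I(U, A_j) = H(U) - sum_m P(U_jm) H(U_jm)."""
    n = len(rows)
    cond = sum(len(p) / n * entropy(p) for p in split(rows, attr).values())
    return entropy(rows) - cond


def build(rows, attrs):
    """Grow the tree; every node keeps its fraud rate so leaves yield a probability."""
    rate = sum(r[LABEL] for r in rows) / len(rows)
    if rate in (0.0, 1.0) or not attrs:
        return {"p": rate}
    # Dividing by H(U), as in the page's Gain(A), would not change the winner here,
    # because H(U) is the same for every attribute tested at this node.
    best = max(attrs, key=lambda a: info_gain(rows, a))
    if info_gain(rows, best) <= 1e-12:
        return {"p": rate}  # remaining attributes cannot separate the classes
    rest = [a for a in attrs if a != best]
    kids = {v: build(part, rest) for v, part in split(rows, best).items()}
    return {"p": rate, "attr": best, "kids": kids}


def predict(tree, x):
    """Return the fraud probability for one transaction's feature dict."""
    while "attr" in tree:
        child = tree["kids"].get(x.get(tree["attr"]))
        if child is None:
            break  # value never seen in training: use this node's fraud rate
        tree = child
    return tree["p"]


# Table 2 as (upper bound, response). Adjacent ranges share endpoints, so a
# boundary value is assigned to the stricter band (assumption).
RESPONSES = [
    (0.10, "no treatment"),
    (0.50, "alert customer"),
    (0.70, "alert customer and wait 15 minutes"),
    (0.90, "intercept; remote teller verification"),
]


def bank_response(p):
    for upper, action in RESPONSES:
        if p < upper:
            return action
    return "intercept; counter handling"


FEATURES = ["opponent_risk", "common_opponent", "amount"]
# Constructed training rows: (opponent_risk, common_opponent, amount band, fraud).
RAW = [
    ("low", "yes", "low", 0), ("low", "yes", "high", 0), ("low", "no", "low", 0),
    ("low", "no", "high", 0), ("low", "yes", "low", 0),
    ("high", "no", "high", 1), ("high", "no", "low", 1), ("high", "no", "high", 1),
    ("high", "yes", "low", 1), ("high", "yes", "low", 0),
    ("mid", "yes", "low", 0), ("mid", "yes", "low", 0), ("mid", "no", "low", 0),
    ("mid", "no", "high", 1), ("mid", "no", "high", 1), ("mid", "yes", "low", 0),
]
ROWS = [dict(zip(FEATURES + [LABEL], r)) for r in RAW]
TREE = build(ROWS, FEATURES)

if __name__ == "__main__":
    new_txn = {"opponent_risk": "high", "common_opponent": "yes", "amount": "low"}
    p = predict(TREE, new_txn)
    print(TREE["attr"], p, bank_response(p))
```

A tree grown until every leaf is pure returns only 0 or 1; the intermediate probabilities here come from a leaf the remaining attributes cannot separate and from the fallback for attribute values absent from training.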
In order to improve the accuracy and effectiveness of the telecommunication fraud risk detection and further improve the reliability of telecommunication fraud interception and ensure the security of the transaction process, the application provides an embodiment of a telecommunication fraud risk detection device for realizing all or part of the content in the telecommunication fraud risk detection method, see fig. 6, wherein the telecommunication fraud risk detection device specifically comprises the following contents:
A receiving module 01, configured to receive a transaction request of a target transaction, where the transaction request includes: a unique identification of the payer, a transaction amount, a transaction type, a transaction time, a transaction location, and a unique identification of a transaction opponent;
An information determining module 02, configured to determine, according to the transaction request, transaction risk information corresponding to the target transaction, where the transaction risk information includes: account balance, whether transaction time identification is commonly used, whether transaction place identification is commonly used, whether transaction opponent identification is commonly used, risk level of transaction opponents and daily transaction number;
The risk probability determining module 03 is configured to determine a telecommunication fraud risk probability corresponding to the target transaction according to a preset telecommunication fraud detection model, the transaction amount, the transaction type and the transaction risk information, where the preset telecommunication fraud detection model is obtained by pre-training a decision tree algorithm based on a historical transaction amount, a historical transaction type, historical transaction risk information and an actual telecommunication fraud risk probability of a batch of historical transactions;
And the detection module 04 is used for completing the telecommunication fraud risk detection of the target transaction according to the telecommunication fraud risk probability.
In one embodiment, the telecommunication fraud risk detection apparatus further includes:
the evaluation information acquisition module is used for acquiring risk grade evaluation information of the trade opponent according to the unique identifier of the trade opponent;
The risk level determining module is used for determining the risk level of the trade opponent according to a preset risk level evaluation model and the risk level evaluation information and storing the corresponding relation between the unique identification of the trade opponent and the risk level;
The preset risk level evaluation model is obtained by training classification algorithms in advance based on the risk level evaluation information of the batch historical clients and the corresponding actual risk levels thereof.
In one embodiment, the information determining module includes:
A transaction record obtaining unit, configured to obtain, according to the unique identifier of the payer, a plurality of historical transaction records within a preset time range and account balance of the payer, where each historical transaction record includes: historical transaction time, historical transaction location, and unique identification of historical transaction opponents;
The first judging unit is used for judging whether the probability that the transaction time appears as the historical transaction time in the historical transaction records is greater than a transaction time threshold, and if so, setting the whether-commonly-used-transaction-time identifier to indicate a commonly used transaction time;
A to-be-processed record determining unit, configured to determine each historical transaction record in which the distance between the historical transaction place and the transaction place is smaller than a distance threshold as a to-be-processed record;
The second judging unit is used for judging whether the ratio between the number of records to be processed and the number of historical transaction records is greater than a transaction place threshold, and if so, setting the whether-commonly-used-transaction-place identifier to indicate a commonly used transaction place;
The third judging unit is used for judging whether the probability that the unique identification of the transaction opponent appears as the unique identification of the historical transaction opponent in the historical transaction records is greater than a transaction opponent threshold, and if so, setting the whether-commonly-used-transaction-opponent identifier to indicate a commonly used transaction opponent;
the risk level obtaining unit is used for obtaining the risk level and daily transaction number of the transaction opponent according to the corresponding relation between the pre-stored unique identification of the transaction opponent and the risk level and the unique identification of the transaction opponent.
In one embodiment, the telecommunication fraud risk detection apparatus further includes:
A first acquisition module for acquiring a training data set, the training data set comprising: historical transaction amount, historical transaction type, historical transaction risk information and actual telecommunication fraud risk probability for a batch of historical transactions;
The first training module is used for training the decision tree algorithm by applying the historical transaction amount, the historical transaction type, the historical transaction risk information and the actual telecom fraud risk probability of the batch historical transactions to obtain the preset telecom fraud detection model.
In one embodiment, the telecommunication fraud risk detection apparatus further includes:
the second acquisition module is used for acquiring the risk level evaluation information of the batch historical clients and the actual risk levels corresponding to the risk level evaluation information;
and the second training module is used for training a classification algorithm by applying the risk level evaluation information of the batch historical clients and the actual risk levels corresponding to the risk level evaluation information to obtain the preset risk level evaluation model.
In one embodiment, the detection module comprises:
The processing mode determining unit is used for determining a bank response processing mode according to the telecom fraud risk probability;
And the detection unit is used for completing the telecom fraud risk detection of the target transaction according to the bank response processing mode.
In one embodiment, the telecommunication fraud risk detection apparatus further includes:
and the preprocessing module is used for carrying out feature normalization processing and feature dimension reduction processing on the transaction amount, the transaction type and the transaction risk information.
The embodiments of the telecom fraud risk detection apparatus provided in the present disclosure may be specifically used to execute the processing flow of the embodiments of the telecom fraud risk detection method, and the functions thereof are not described herein, and reference may be made to the detailed description of the embodiments of the telecom fraud risk detection method.
In order to improve accuracy and effectiveness of telecommunication fraud risk detection and further improve reliability of telecommunication fraud interception and ensure safety of a transaction process, the application provides an embodiment of an electronic device for realizing all or part of contents in a telecommunication fraud risk detection method, wherein the electronic device specifically comprises the following contents:
A processor (processor), a memory (memory), a communication interface (Communications Interface), and a bus; the processor, the memory and the communication interface complete communication with each other through the bus; the communication interface is used for realizing information transmission between the telecommunication fraud risk detection device and related equipment such as a user terminal; the electronic device may be a desktop computer, a tablet computer, a mobile terminal, etc., and the embodiment is not limited thereto. In this embodiment, the electronic device may be implemented with reference to an embodiment for implementing the telecommunications fraud risk detection method and an embodiment for implementing the telecommunications fraud risk detection apparatus, and the contents thereof are incorporated herein and are not repeated here.
Fig. 7 is a schematic block diagram of a system configuration of an electronic device 9600 according to an embodiment of the present application. As shown in fig. 7, the electronic device 9600 may include a central processor 9100 and a memory 9140; the memory 9140 is coupled to the central processor 9100. Notably, this fig. 7 is exemplary; other types of structures may also be used in addition to or in place of the structures to implement telecommunications functions or other functions.
In one or more embodiments of the application, the telecommunication fraud risk detection function may be integrated into the central processor 9100. The central processor 9100 may be configured to perform the following control:
Step 101: receiving a transaction request for a target transaction, the transaction request comprising: a unique identification of the payer, a transaction amount, a transaction type, a transaction time, a transaction location, and a unique identification of a transaction opponent;
Step 102: determining transaction risk information corresponding to the target transaction according to the transaction request, wherein the transaction risk information comprises: account balance, whether transaction time identification is commonly used, whether transaction place identification is commonly used, whether transaction opponent identification is commonly used, risk level of transaction opponents and daily transaction number;
Step 103: determining a telecommunication fraud risk probability corresponding to the target transaction according to a preset telecommunication fraud detection model, the transaction amount, the transaction type and the transaction risk information, wherein the preset telecommunication fraud detection model is obtained by training a decision tree algorithm in advance based on historical transaction amount, historical transaction type, historical transaction risk information and actual telecommunication fraud risk probability of batch historical transactions;
Step 104: completing telecom fraud risk detection of the target transaction according to the telecom fraud risk probability.
From the above description, it can be seen that the electronic device provided by the embodiment of the application can improve the accuracy and effectiveness of telecommunication fraud risk detection, further improve the reliability of telecommunication fraud interception and ensure the security of the transaction process.
In another embodiment, the telecommunication fraud risk detection apparatus may be configured separately from the central processor 9100, for example, the telecommunication fraud risk detection apparatus may be configured as a chip connected to the central processor 9100, and the telecommunication fraud risk detection function is implemented through control of the central processor.
As shown in fig. 7, the electronic device 9600 may further include: a communication module 9110, an input unit 9120, an audio processor 9130, a display 9160, and a power supply 9170. It is noted that the electronic device 9600 need not include all of the components shown in fig. 7; in addition, the electronic device 9600 may further include components not shown in fig. 7, and reference may be made to the related art.
As shown in fig. 7, the central processor 9100, sometimes referred to as a controller or operational control, may include a microprocessor or other processor device and/or logic device, which central processor 9100 receives inputs and controls the operation of the various components of the electronic device 9600.
The memory 9140 may be, for example, one or more of a buffer, a flash memory, a hard drive, a removable media, a volatile memory, a non-volatile memory, or other suitable device. The information about failure may be stored, and a program for executing the information may be stored. And the central processor 9100 can execute the program stored in the memory 9140 to realize information storage or processing, and the like.
The input unit 9120 provides input to the central processor 9100. The input unit 9120 is, for example, a key or a touch input device. The power supply 9170 is used to provide power to the electronic device 9600. The display 9160 is used for displaying display objects such as images and characters. The display may be, for example, but not limited to, an LCD display.
The memory 9140 may be a solid state memory such as Read Only Memory (ROM), random Access Memory (RAM), SIM card, etc. But also a memory which holds information even when powered down, can be selectively erased and provided with further data, an example of which is sometimes referred to as EPROM or the like. The memory 9140 may also be some other type of device. The memory 9140 includes a buffer memory 9141 (sometimes referred to as a buffer). The memory 9140 may include an application/function storage portion 9142, the application/function storage portion 9142 storing application programs and function programs or a flow for executing operations of the electronic device 9600 by the central processor 9100.
The memory 9140 may also include a data store 9143, the data store 9143 for storing data, such as contacts, digital data, pictures, sounds, and/or any other data used by an electronic device. The driver storage portion 9144 of the memory 9140 may include various drivers of the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging applications, address book applications, etc.).
The communication module 9110 is a transmitter/receiver 9110 that transmits and receives signals via an antenna 9111. A communication module (transmitter/receiver) 9110 is coupled to the central processor 9100 to provide input signals and receive output signals, as in the case of conventional mobile communication terminals.
Based on different communication technologies, a plurality of communication modules 9110, such as a cellular network module, a bluetooth module, and/or a wireless local area network module, etc., may be provided in the same electronic device. The communication module (transmitter/receiver) 9110 is also coupled to a speaker 9131 and a microphone 9132 via an audio processor 9130 to provide audio output via the speaker 9131 and to receive audio input from the microphone 9132 to implement usual telecommunications functions. The audio processor 9130 can include any suitable buffers, decoders, amplifiers and so forth. In addition, the audio processor 9130 is also coupled to the central processor 9100 so that sound can be recorded locally through the microphone 9132 and sound stored locally can be played through the speaker 9131.
As can be seen from the above description, the electronic device provided by the embodiment of the application can improve the accuracy and effectiveness of telecommunication fraud risk detection, further improve the reliability of telecommunication fraud interception and ensure the security of the transaction process.
An embodiment of the present application further provides a computer-readable storage medium capable of implementing all steps of the telecommunication fraud risk detection method in the above embodiment, the computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements all steps of the telecommunication fraud risk detection method in the above embodiment, for example, the processor implementing the following steps when executing the computer program:
Step 101: receiving a transaction request for a target transaction, the transaction request comprising: a unique identification of the payer, a transaction amount, a transaction type, a transaction time, a transaction location, and a unique identification of a transaction opponent;
Step 102: determining transaction risk information corresponding to the target transaction according to the transaction request, wherein the transaction risk information comprises: account balance, whether transaction time identification is commonly used, whether transaction place identification is commonly used, whether transaction opponent identification is commonly used, risk level of transaction opponents and daily transaction number;
Step 103: determining a telecommunication fraud risk probability corresponding to the target transaction according to a preset telecommunication fraud detection model, the transaction amount, the transaction type and the transaction risk information, wherein the preset telecommunication fraud detection model is obtained by training a decision tree algorithm in advance based on historical transaction amount, historical transaction type, historical transaction risk information and actual telecommunication fraud risk probability of batch historical transactions;
Step 104: completing telecom fraud risk detection of the target transaction according to the telecom fraud risk probability.
As can be seen from the above description, the computer readable storage medium provided by the embodiments of the present application can improve the accuracy and effectiveness of telecommunication fraud risk detection, further improve the reliability of telecommunication fraud interception, and ensure the security of the transaction process.
The embodiments of the method of the present application are described in a progressive manner; for parts that are the same or similar, the embodiments may be referred to one another, and each embodiment mainly describes its differences from the other embodiments. For related details, see the description of the method embodiments.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principles and embodiments of the present application have been described in detail with reference to specific examples, which are provided only to facilitate understanding of the method and core ideas of the present application. Meanwhile, those skilled in the art may, in accordance with the ideas of the present application, make variations in the specific embodiments and the scope of application. In view of the above, the content of this description should not be construed as limiting the present application.

Claims (10)

CN202410357532.4A | 2024-03-27 | 2024-03-27 | Telecom fraud risk detection method and device | Pending | CN118195622A (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202410357532.4A CN118195622A (en) | 2024-03-27 | 2024-03-27 | Telecom fraud risk detection method and device

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202410357532.4A CN118195622A (en) | 2024-03-27 | 2024-03-27 | Telecom fraud risk detection method and device

Publications (1)

Publication Number | Publication Date
CN118195622A (en) | 2024-06-14

Family

ID=91410326

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202410357532.4A Pending CN118195622A (en) | Telecom fraud risk detection method and device | 2024-03-27 | 2024-03-27

Country Status (1)

Country | Link
CN (1) | CN118195622A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN118967139A (en) * | 2024-10-17 | 2024-11-15 | 中锦数柚科技有限公司 | A risk data analysis method, system, electronic device and storage medium

Similar Documents

Publication | Publication Date | Title
CN112036890B (en) | | Customer identity authentication method and device
CN107563757B (en) | | Data risk identification method and device
CN107403326A (en) | | A kind of Insurance Fraud recognition methods and device based on teledata
CN110348850A (en) | | The arbitrage risk checking method and device, electronic equipment of polymerization payment trade company
CN112232947B (en) | | Method and device for predicting risk in lending
CN108230151A (en) | | A kind of suspicious transaction detection method, apparatus, equipment and storage medium
CN111932268A (en) | | Enterprise risk identification method and device
CN111401906A (en) | | Transfer risk detection method and system
CN115103063B (en) | | Internet fraud identification method and device for fake customer service class
CN114049206A (en) | | Transaction data processing method and device
CN111429144A (en) | | Abnormal remittance transaction identification method and device
US11915313B2 (en) | | Using email history to estimate creditworthiness for applicants having insufficient credit history
CN110728301A (en) | | Credit scoring method, device, terminal and storage medium for individual user
CN114971638A (en) | | Transaction authentication method and device based on risk identification
CN112950357A (en) | | Transaction abnormal group partner identification method and device
CN112101950A (en) | | Suspicious transaction monitoring model feature extraction method and device
CN117993910A (en) | | Verification method and related device for abnormal transaction response strategy
CN118195622A (en) | | Telecom fraud risk detection method and device
CN115082203B (en) | | Interest-generating scheme push method, device, electronic device and storage medium
CN110197426A (en) | | A kind of method for building up of credit scoring model, device and readable storage medium storing program for executing
CN112116358A (en) | | Transaction fraud prediction method and device and electronic equipment
US20210357942A1 (en) | | Method and apparatus for identifying risky vertices
CN114037460A (en) | | Comprehensive anti-fraud platform, method and storage medium
CN114219615A (en) | | Data processing method and related device for mortgage loan scenario
CN117252429A (en) | | Risk user identification method and device, storage medium and electronic equipment

Legal Events

Date | Code | Title | Description
 | PB01 | Publication |
 | SE01 | Entry into force of request for substantive examination |
