Disclosure of Invention
The application provides a bank system risk monitoring and early warning method and system based on artificial intelligence, which are used for improving timeliness of bank transaction risk behavior discovery.
The application provides a bank system risk monitoring and early warning method based on artificial intelligence, which is applied to a bank system risk monitoring and early warning system, and comprises the steps of constructing an account transaction network based on transaction data in a target time window, extracting transaction characteristics of each account node in the account transaction network, wherein each account is taken as a node by the account transaction network, and the transaction relationship among the accounts is taken as a directed edge; the method comprises the steps of obtaining flow direction characteristics of an account fund balance proportion relation, time association degree characteristics of an account and a transaction opponent and business combination mode characteristics of the account, calculating initial importance scores of the account according to the flow direction characteristics, the time association degree characteristics and the business combination mode characteristics, carrying out importance transfer according to the initial importance scores through a transaction relation among nodes, calculating transfer importance scores, calculating fund dispersity indexes and path coordination degree indexes based on a preface transaction path of a target account in an account transaction network, constructing link position characteristics of the account according to the fund dispersity indexes and the path coordination degree indexes, calculating final suspicious degree scores of the account according to the transfer importance scores and the link position characteristics, determining the account with the final suspicious degree score being larger than a preset score threshold as a suspicious account, and sending early warning information according to the transfer importance scores of the suspicious account, the link position characteristics and the structural positions in the account transaction network.
In the above embodiment, the initial importance score is calculated by constructing the account transaction network and extracting the transaction characteristics, combining the account fund flow direction, the time association and the service mode characteristics, and then the importance transfer is performed through the transaction relationship between the nodes. The system effectively identifies hidden risk behaviors such as multi-level account transfer and scattered transaction by analyzing the fund dispersity and the path synergy of the target account preamble transaction path, can better adapt to and discover novel risk forms, and improves the timeliness and accuracy of risk monitoring.
In combination with some embodiments of the first aspect, in some embodiments, the step of transmitting importance according to the initial importance score through a transaction relationship among nodes and calculating to obtain a transmitted importance score specifically includes setting a transaction scale threshold and a time interval threshold, screening node pairs meeting conditions in an account transaction network, acquiring a transaction amount proportion, a time attenuation coefficient and a transaction time sequence association degree between the node pairs, calculating an importance transmission value among nodes by combining the initial importance score of the nodes with the transaction amount proportion, the attenuation coefficient and the time sequence association degree, and performing iterative calculation on the account transaction network to obtain the transmitted importance score of each account node.
In the above embodiment, the transaction scale and the time interval threshold are set to screen node pairs, and the importance transfer value is calculated by comprehensively considering the factors such as the transaction amount proportion, the time attenuation coefficient, the transaction time sequence association degree and the like. Through the iterative computation process, the association degree and the risk transfer path between accounts are reflected more accurately in the risk transfer process, so that more accurate transfer importance scores of each account node are obtained, and more reliable basis is provided for subsequent risk assessment.
In some embodiments, the step of calculating a fund dispersion index and a path synergy index based on a preamble transaction path of a target account in the account transaction network and constructing a link position feature of the account according to the fund dispersion index and the path synergy index specifically comprises the steps of performing backward tracing on the account transaction network with the target account as a starting point to obtain a preamble transaction path within a preset layer number, calculating the fund dispersion index based on a fund circulation scale of the preamble transaction path, analyzing a time sequence combination feature of the preamble transaction path to obtain the path synergy index, and constructing the link position feature of the account according to the fund dispersion index and the path synergy index.
In the above embodiment, the target account is traced back to obtain the preamble transaction path, the funds circulation scale is analyzed to calculate the funds dispersion index, and the path synergy index is obtained by combining the time sequence combination characteristics of the paths. The multi-level path analysis method enables the system to comprehensively grasp the fund flow characteristics, effectively identify abnormal fund flow paths, and deeply characterize risk characteristics of accounts in the whole transaction network through construction of link position characteristics.
In combination with some embodiments of the first aspect, in some embodiments, the step of sending early warning information according to the transmission importance score of the suspicious account, the link location feature and the structure location in the account transaction network specifically includes performing risk classification on the suspicious account according to the transmission importance score of the suspicious account, setting a high, medium and low three-level early warning threshold, analyzing the role attribute of the suspicious account in a fund chain based on the link location feature of the suspicious account, judging whether the suspicious account is a fund collection node, a transit node or a dispersion node, if so, identifying an associated account group of the suspicious account according to the structure location feature of the account transaction network and determining a transaction mode inside the associated account group, and generating early warning information including basic information, risk level, location feature, role description and associated account group information of the suspicious account.
In the above embodiment, risk classification is performed on suspicious accounts, a hierarchical early warning threshold is set, role attributes of the accounts in the fund chain are analyzed based on link position features, and transaction modes of associated account groups are further identified. Through multidimensional image analysis of suspicious accounts, complete early warning information comprising basic information, risk level, position characteristics and the like is formed, accurate positioning and comprehensive depiction of the risk accounts are realized, and a more detailed and accurate early warning basis is provided for risk management and control.
In combination with some embodiments of the first aspect, in some embodiments, after the step of generating the early warning information including suspicious account basic information, risk level, location feature, role description and associated account group information, the method further includes setting a differential monitoring rule according to the risk level of the suspicious account, the monitoring rule including a daily maximum transaction amount, a single maximum transaction amount and an upper transaction cumulative number limit for the high risk account, and freezing a current transaction behavior of the suspicious account and pushing an abnormal reminder to a target client terminal when the current transaction behavior of the suspicious account triggers the monitoring rule.
In the above embodiment, the differentiated monitoring rule is set according to the risk level of the suspicious account, including the transaction amount, the limit and the upper limit of the number of times, and when the account triggers the monitoring rule, the transaction is frozen in time and the abnormal reminder is pushed. The differentiated monitoring rule and the real-time response mechanism enable the system to quickly take control measures after the risk is found, so that the continuous occurrence of abnormal transaction behaviors is effectively blocked, and the risk of fund loss is reduced.
In combination with some embodiments of the first aspect, in some embodiments, after the step of sending out the early warning information according to the transmission importance score of the suspicious account, the link location feature and the structure location in the account transaction network, the method further includes statistically analyzing the triggering times of the suspicious account for triggering the monitoring rule within a preset time window, when the triggering times exceed a preset threshold, promoting the risk level of the suspicious account and adjusting the parameters of the monitoring rule, and recording the triggering history and the manual handling result of the monitoring rule.
In the above embodiment, the number of times that the suspicious account triggers the monitoring rule is statistically analyzed, and when the number exceeds a preset threshold, the risk level and the monitoring parameter are dynamically adjusted, and the triggering history and the treatment result are recorded. The dynamic risk level adjustment mechanism enhances the identification capability of the system on the persistent abnormal behavior, so that the monitoring rule can be adjusted in time according to the risk change, and the flexibility and adaptability of risk prevention and control are improved.
In combination with the embodiments of the first aspect, in some embodiments, after the step of recording the trigger history of the monitoring rule and the manual treatment result, the method further includes receiving a treatment result mark of the target client terminal on the early warning information, calculating an accuracy rate and a false alarm rate of the early warning rule according to the treatment result mark, wherein the treatment result mark includes three types of real risk, false alarm and to-be-observed, and adjusting a score threshold in the early warning rule when the accuracy rate is lower than a preset accuracy rate threshold or the false alarm rate is higher than a preset false alarm rate threshold.
In the above embodiment, the processing result marks of the target client terminal on the early warning information are received, the accuracy and the false alarm rate of the early warning rule are calculated according to the three types of marks including real risk, false alarm and to-be-observed, and when the accuracy or the false alarm rate exceeds the preset threshold, the score threshold in the early warning rule is automatically adjusted. The self-adaptive adjustment mechanism of the early warning rule enables the system to continuously optimize the early warning threshold value in the running process, continuously improves the early warning accuracy and reduces the false alarm rate.
In a second aspect, embodiments of the present application provide a bank system risk monitoring and early warning system comprising one or more processors and a memory coupled to the one or more processors, the memory for storing computer program code comprising computer instructions that are invoked by the one or more processors to cause the bank system risk monitoring and early warning system to perform a method as described in any one of the possible implementations of the first aspect and the first aspect.
In a third aspect, embodiments of the present application provide a computer program product comprising instructions that, when run on a banking system risk monitoring and early warning system, cause the banking system risk monitoring and early warning system to perform a method as described in the first aspect and any one of the possible implementations of the first aspect.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium comprising instructions that, when executed on a banking system risk monitoring and early warning system, cause the banking system risk monitoring and early warning system to perform a method as described in the first aspect and any one of the possible implementations of the first aspect.
It will be appreciated that the banking system risk monitoring and early warning system provided in the second aspect, the computer program product provided in the third aspect and the computer storage medium provided in the fourth aspect are each configured to perform the method provided by the embodiment of the present application. Therefore, the advantages achieved by the method can be referred to as the advantages of the corresponding method, and will not be described herein.
One or more technical solutions provided in the embodiments of the present application at least have the following technical effects or advantages:
1. according to the application, an account transaction network is constructed, transaction characteristics are extracted, an initial importance score is calculated by combining account fund flow direction, time association and service mode characteristics, and importance transfer is performed through transaction relations among nodes. The system effectively identifies hidden risk behaviors such as multi-level account transfer and scattered transaction by analyzing the fund dispersity and the path synergy of the target account preamble transaction path, can better adapt to and discover novel risk forms, and improves the timeliness and accuracy of risk monitoring.
2. According to the application, node pairs are screened by setting transaction scale and time interval threshold values, and importance transfer values are calculated by comprehensively considering factors such as transaction amount proportion, time attenuation coefficient, transaction time sequence association degree and the like. Through the iterative computation process, the association degree and the risk transfer path between accounts are reflected more accurately in the risk transfer process, so that more accurate transfer importance scores of each account node are obtained, and more reliable basis is provided for subsequent risk assessment.
3. The application obtains the preface transaction path by carrying out backward tracing on the target account, analyzes the fund circulation scale to calculate the fund dispersity index, and combines the time sequence combination characteristic of the path to obtain the path cooperativity index. The multi-level path analysis method enables the system to comprehensively grasp the fund flow characteristics, effectively identify abnormal fund flow paths, and deeply characterize risk characteristics of accounts in the whole transaction network through construction of link position characteristics.
Detailed Description
The terminology used in the following embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification of the present application, the singular forms "a", "an", "the" and "the" are intended to include the plural forms as well, unless the context clearly indicates to the contrary. It should also be understood that the term "and/or" as used in this disclosure is intended to encompass any or all possible combinations of one or more of the listed items.
The terms "first," "second," and the like, are used below for descriptive purposes only and are not to be construed as implying or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature, and in the description of embodiments of the application, unless otherwise indicated, the meaning of "a plurality" is two or more.
In order to facilitate understanding, an application scenario of the embodiment of the present application is described below.
In daily banking, the popularity of electronic payments and network transfers has led to a significant increase in transaction frequency and complexity. In a typical case, a merchant accumulates 157 pays for a week through internet banking, the amount varies from 500 to 3000 yuan, the transaction time is distributed in different time periods each day, and the transaction sites are distributed in multiple cities. These funds are transferred through 3 to 4 intermediate accounts, and the individual amounts and time intervals are carefully designed so that conventional transaction monitoring systems have difficulty determining whether they are in normal business contact. Particularly in the cross-bank transaction, the potential risk cannot be accurately identified by simply relying on simple characteristics such as transaction amount, frequency and the like due to incomplete information. The bank needs to establish a monitoring method capable of analyzing the transaction chain, identifying the flow direction of funds and evaluating the importance of nodes so as to accurately find abnormal transaction behaviors hidden in normal business.
Current transaction monitoring relies primarily on preset business rules. If the transaction early warning rule is set, the single-day transfer exceeds 5 trigger early warning times, the single amount exceeds 1 ten thousand-yuan trigger early warning, the continuous 3-day transaction amount exceeds 3 ten thousand-yuan trigger early warning and the like. In one practical case, a small trading company's counter account is systematically marked as anomalous for each transfer 8000 yuan per day to 5 suppliers. And the normal payment is verified, so that invalid early warning is generated. In another case, an account avoids the monitoring threshold of 1 ten thousand yuan per stroke by transferring into 9000 yuan 3 times per day. The monitoring method based on the fixed rules cannot effectively analyze the relevance between accounts, and cannot dynamically adjust the monitoring standard according to different service scenes, so that a large number of false alarms and false omission situations occur.
After the scheme is used, the system can identify abnormal behaviors by analyzing the transaction network. In one practical case, the system detects that 7 accounts are transacted within 2 days, namely that firstly 3 accounts respectively make 5 deposits of 8000 yuan and then transfer to 4 intermediate accounts, each intermediate account transfers funds to 2-3 downstream accounts, and the funds are finally collected into one target account within 36 hours. The system discovers that the score of the target account reaches 0.75 through calculating the node transmission importance score, discovers that the fund dispersion degree is 0.62 through analyzing the link position characteristics, and determines that the path coordination degree is 0.58 as a fund collecting node. The system further identifies the transaction group consisting of the relevant 12 accounts, and finds that the transaction group presents a transaction mode of 'deposit-scatter-gather', and successfully gives out early warning. The method avoids misjudgment of normal business and accurately identifies structured abnormal transaction behavior.
For ease of understanding, the method provided in this embodiment is described in the following in conjunction with the above scenario. Referring to fig. 1, a schematic flow chart of a risk monitoring and early warning method for a banking system based on artificial intelligence in an embodiment of the application is shown.
S101, constructing an account transaction network based on transaction data in a target time window, extracting transaction characteristics of each account node in the account transaction network, wherein the account transaction network takes each account as a node, and the transaction relationship among the accounts is taken as a directed edge.
The target time window represents a specific time range for risk monitoring analysis, which can be fixed, such as a week or a month, or can be a sliding time window, the account transaction network is a graph theory-based network structure for describing transaction relations among accounts, transaction characteristics refer to various indexes capable of representing the transaction behavior modes of the accounts, including information such as transaction frequency, transaction amount, transaction opponents and the like, and directed edges represent the transaction directions of funds flowing from one account to the other account.
This step is typically performed when the system starts the risk monitoring process. Specifically, the system firstly acquires transaction data of all accounts in a target time window from a transaction database, maps each account to a node in a network, and establishes a connection relationship between the accounts according to the transaction records to form a complete transaction network structure. And then extracting the transaction behavior characteristics of each account node in the time window, wherein the transaction behavior characteristics comprise the information of the dimensions such as transaction total amount, transaction frequency, transaction opponent number and the like.
In some embodiments, the construction and feature extraction of the account transaction network may be achieved by optionally first preprocessing the raw transaction data, including data cleaning, outlier processing and standardization, then storing the account nodes and transaction relationships using a graph database, and finally computing the basic transaction features of the nodes, optionally parallel processing the large-scale transaction data using a distributed computing framework, constructing the account relationship network, and simultaneously extracting the multi-dimensional transaction features using feature engineering methods. It will be appreciated that network construction and feature extraction may also be implemented in other ways, not limited herein.
S102, obtaining flow direction characteristics of the account fund balance proportion relation, time association degree characteristics of the account and the transaction opponent and service combination mode characteristics of the account, and calculating an initial importance score of the account according to the flow direction characteristics, the time association degree characteristics and the service combination mode characteristics.
The flow direction characteristics reflect the proportional relation and the flow direction of the account fund balance, the time association degree characteristics represent the tightness degree of the transaction time sequence between the account and the transaction opponent, the service combination mode characteristics describe various service types related to the account and the combination characteristics thereof, and the initial importance score is an initial evaluation value for measuring the account abnormality degree.
This step is performed after the account transaction network construction is completed. Specifically, the system calculates feature values from three dimensions of the fund flow direction, the time association and the service combination based on the constructed transaction network. The three types of features are then combined by specific weights to calculate an initial importance score for each account, which reflects the potential risk level of the account.
In some embodiments, the feature calculation and score calculation may be implemented by optionally calculating the fund balance ratio, transaction time interval distribution, business type entropy value and other features of the account using a statistical method and obtaining an initial score by weighting and summing, or alternatively, non-linearly combining the multidimensional features using a machine learning model and obtaining an initial importance score of the account through model output. It will be appreciated that feature extraction and score calculation may also be implemented in other ways, not limited herein.
S103, importance transfer is carried out according to the initial importance score through the transaction relation among the nodes, and a transfer importance score is obtained through calculation.
The importance transfer is a process of spreading an initial importance score in a network according to a transaction relation among account nodes, the transferred importance score represents a final importance score obtained by the accounts after being spread through the network, the transaction relation among the nodes is a fund current-to-current connection relation among the accounts and comprises characteristics such as transaction amount, transaction frequency, time sequence and the like, the transaction amount proportion is used for representing the relative size of transaction scales among adjacent nodes, the time attenuation coefficient is used for representing the influence weight of transaction time on the importance transfer, and the transaction time sequence association degree is used for measuring the time correlation of transactions among the accounts.
This step is performed after obtaining the account initial importance score. Specifically, the system first sets screening thresholds for transaction size and time interval, and screens out valid account node pairs based on these thresholds. For each pair of connected nodes, a transaction amount duty cycle between them, a decay factor based on transaction time, and a correlation reflecting a transaction timing pattern are calculated. The initial importance score of the source node is then multiplied by these feature values to obtain the importance value that is passed to the target node. The system iterates this pass-through calculation process until the importance scores for all nodes in the network reach a steady state.
In some embodiments, the transmission calculation of the importance among the nodes can be realized in various modes, wherein the transmission calculation of the importance among the nodes is realized in a mode that the transmission calculation of the importance among the nodes is realized by constructing a transaction relation matrix, the characteristic weight among the node pairs is calculated, the transmission calculation of the importance is performed by using an iterative algorithm, and the final score is obtained by normalizing the transmission result. It will be appreciated that
The method specifically comprises the following steps:
setting a transaction scale threshold and a time interval threshold, and screening node pairs meeting the conditions in an account transaction network.
In the step, the transaction scale threshold value refers to a minimum transaction amount standard for screening effective transaction relations and is used for filtering tiny transactions, the time interval threshold value refers to a maximum time interval standard for judging transaction relevance and is used for filtering transactions with overlarge time spans, and the node pair refers to two account nodes with direct transaction relations in an account transaction network.
The system firstly sets basic screening standard that the transaction scale threshold is set to be not lower than 1 ten thousand yuan, and the time interval threshold is set to be not more than 30 days of the time interval of the adjacent transaction. Based on the two thresholds, the system screens all node pairs in the account transaction network by traversing each transaction edge in the network, extracting transaction amount and transaction time information, and judging whether the scale and time conditions are met at the same time. For node pairs that meet the condition, the transaction edges between node pairs that do not meet the condition will be removed, preserving their transaction relationship. Through this screening, the system builds a simplified network structure containing significant trade relationships.
And acquiring the transaction amount proportion, the time attenuation coefficient and the transaction time sequence association degree between the node pairs, and calculating an importance transfer value between the nodes by combining the initial importance score of the nodes with the transaction amount proportion, the attenuation coefficient and the time sequence association degree.
In the step, the transaction amount proportion refers to the proportion of the transaction amount between nodes to the total transaction amount of the source node, the time attenuation coefficient refers to a weight coefficient calculated based on a transaction time interval and used for reflecting a time attenuation effect, the transaction time sequence relevancy refers to the time mode similarity degree of the transaction between nodes, and the importance transfer value refers to the risk degree value transferred from one node to the adjacent node.
The system calculates three characteristic values for each pair of connected nodes, namely transaction amount proportion = transaction amount between nodes/total transaction amount of a source node, time attenuation coefficient = exp (-delta T/T), wherein delta T is a transaction time interval, T is a characteristic time scale (such as 30 days), and the transaction time sequence relativity is obtained by calculating correlation coefficients of transaction time sequences of the two nodes. The initial importance score of the source node is then weighted combined with the three eigenvalues, transfer value = initial score x (w1×amount scale+w2×attenuation coefficient+w3×association), where w1, w2, w3 are weight coefficients and w1+w2+w3=1 is satisfied.
And carrying out iterative computation on the account transaction network to obtain a transmission importance score of each account node.
In this step, iterative computation refers to the process of repeatedly performing importance transfer computation until the network reaches a steady state, and transfer importance scores refer to the final importance scores obtained by the nodes after transfer through the network.
The system updates the importance scores of the nodes in an iterative manner. In each iteration, for each node in the network, the importance values passed from all of its predecessor nodes are summarized, and a new node score is calculated. The specific calculation formula is new score = alpha× (sum of all incoming importance values) + (1-alpha) ×initial score, where alpha is the network transfer coefficient (0 < alpha < 1). The system repeatedly performs this updating process until the score variation of all nodes is less than a preset convergence threshold (e.g., 0.001), or the maximum number of iterations (e.g., 100) is reached. The final stability score is the transmission importance score of the node.
S104, calculating a fund dispersity index and a path cooperativity index based on a preamble transaction path of a target account in the account transaction network, and constructing a link position characteristic of the account according to the fund dispersity index and the path cooperativity index.
Wherein the preamble transaction path represents a funds inflow path obtained by reverse traceback; the fund dispersion index is used for measuring the dispersion or concentration degree of funds on inflow paths, the path coordination index represents the time sequence synchronicity of the fund flow on different paths, the link position characteristic refers to the structural characteristic of an account in the whole fund flow chain and reflects the role and importance of the account in the fund transfer process, and the fund flow scale refers to the amount of funds transferred on each path.
This step is performed after determining the target account to be analyzed. Specifically, the system performs backward tracing in the transaction network by taking the target account as a starting point to acquire all the preamble transaction paths in the preset layer number. And for the paths, calculating the fund circulation scale on each path, and analyzing the distribution condition of funds on different paths to obtain the fund dispersity index. And simultaneously, researching the time characteristics of the fund flowing on each path, and calculating the time sequence correlation among paths to obtain the path synergy index. And finally, combining the two indexes to construct a feature vector for representing the position feature of the account in the fund chain.
In some embodiments, the construction of the link position features can be achieved in a plurality of ways, wherein the method comprises the steps of optionally firstly obtaining a preamble transaction path by using a depth-first search algorithm, then calculating the fund flow distribution of each path, then analyzing the transaction time sequence mode on the path, and finally constructing a position feature vector by using a feature fusion method, and the method comprises the steps of optionally firstly obtaining a multi-layer transaction path by adopting breadth-first search, then calculating the fund dispersity by using an entropy method, then obtaining the path cooperativity by using a time sequence analysis, and finally obtaining the position features by using a multi-dimensional feature combination. It will be appreciated that extraction and construction of link features may also be accomplished in other ways, and is not limited herein.
The method specifically comprises the following steps:
And carrying out reverse tracing on the account transaction network by taking the target account as a starting point to obtain a preamble transaction path within a preset layer number.
In the step, the target account refers to a specific account needing risk analysis, the preface transaction path refers to all funds flowing chains of the funds flowing to the target account, the preset layer number points to the maximum layer number traced upwards and is used for limiting tracing depth, and the reverse tracing refers to the path searching from the target account along the reverse direction of the funds flowing.
The system adopts breadth-first search algorithm to carry out reverse tracing. Starting from a target account, a primary upstream account directly transferring funds to the target account is firstly acquired, and a first-layer path is formed. And continuously tracing the fund source of each primary upstream account to obtain a secondary upstream account so as to form a second-layer path. The system repeats this trace back process until a preset trace back layer number (e.g., 3 layers) is reached. In the tracing process, the system records all account nodes, transaction amount and transaction time on each path to construct a complete fund circulation path set.
And calculating a fund dispersion index based on the fund circulation scale of the preamble transaction path.
In this step, the size of the funds circulation refers to the amount of funds transferred on each path, and the index of the funds dispersion indicates the uniformity of the funds distribution on different paths.
And the system calculates the fund dispersity of the acquired preamble transaction path set. First, the total amount of the funds circulation of each path is calculated, and all paths are ordered from big to small according to the funds scale. Then calculate the fund dispersion using the coefficient of kunning, g= (n+1-2× (Σ (n+1-i) ×yi/Y))/n, where n is the number of paths, yi is the amount of funds for the ith path, and Y is the sum of funds for all paths. A larger G value indicates a more concentrated fund distribution, and a smaller G value indicates a more dispersed fund distribution. For example, when funds are evenly distributed over all paths, G is near 0, and when funds are concentrated over a few paths, G is near 1.
Analyzing the time sequence combination characteristic of the preamble transaction path to obtain a path synergy index.
In this step, the time sequence combination characteristic refers to the time mode characteristic of the fund flowing on different paths, and the path coordination index represents the time synchronization degree of the fund flowing on a plurality of paths.
The system analyzes the time series characteristics of the transactions on each path. Firstly, the transaction time points of each path are constructed into a time sequence, and the statistical characteristics of the transaction time intervals inside the paths are calculated. And then calculating the time sequence correlation between different paths, and evaluating the synergy degree between the paths by adopting the Pearson correlation coefficient. The path co-ordination index is obtained by calculating the average of the correlation coefficients of all path pairs, c=2×Σcorr (Ti, tj)/(n× (n-1)), where Ti, tj are the time series of paths i and j and n is the number of paths.
And constructing the link position characteristic of the account according to the fund dispersity index and the path cooperativity index.
In this step, the link location feature refers to a feature vector that comprehensively reflects the location features of the account in the funds flow chain.
The system combines the fund dispersion index and the path coordination index to construct a link position feature vector. The method comprises the steps of carrying out standardization processing on two index values, converting the two index values into a [0,1] interval, and then constructing a two-dimensional feature vector F= (G ', C'), wherein G 'is the standardized fund dispersity, and C' is the standardized path cooperativity. This feature vector characterizes the structural location of the account in the funds-flow network, G 'reflects the extent of funds collection and C' reflects the synergy of funds flow. The system uses this feature vector for subsequent character recognition and risk assessment.
It is understood that step S104 may be performed after step S103 or after step S101, which is not limited herein.
S105, calculating to obtain a final suspicious score of the account according to the transmission importance score and the link position characteristic, and determining the account with the final suspicious score larger than a preset score threshold as the suspicious account.
The final suspicious degree score represents a risk assessment score obtained by comprehensively considering importance transfer and link position characteristics of an account in a network, the preset score threshold is a risk judgment limit set by a system and used for distinguishing a normal account from a suspicious account, the suspicious account is an account which is considered to have potential risk after risk assessment, the risk assessment index system is used for representing a multi-dimensional index set for assessing the risk degree of the account, and the scoring weight represents the importance degree of different risk characteristics in the final scoring.
This step is performed after the transfer importance score and link location characteristics of the account are obtained. Specifically, the system firstly builds a risk assessment index system, and performs standardized processing on the transmission importance scores and the link position characteristics. And then determining the scoring weight of each feature according to the historical data and expert experience, and calculating to obtain the final suspicion score of the account in a weighted combination mode. And comparing the score with a preset risk threshold value by the system, and if the score exceeds the threshold value, marking the account as a suspicious account and entering a subsequent early warning processing flow.
In some embodiments, calculation of the suspicion score and identification of the suspicious account can be achieved in various modes, wherein the method comprises the steps of optionally carrying out data normalization processing on the transmission importance score and the link characteristic, extracting key risk characteristics by using a principal component analysis method, determining characteristic weights by a hierarchical analysis method, finally calculating the comprehensive score and identifying the suspicious account by applying a threshold rule, optionally constructing a multi-layer neural network model, inputting the standardized characteristics into the model, calculating the risk score by the model, and finally judging the suspicious account based on a dynamic threshold strategy. It will be appreciated that the suspicion scoring and risk account identification may also be accomplished in other ways, not limited herein.
S106, sending out early warning information according to the transmission importance score of the suspicious account, the link position characteristic and the structure position in the account transaction network.
The method comprises the steps of obtaining a structural position of an account, obtaining a structural position of the account in a whole transaction network topological structure, obtaining early warning information, obtaining risk prompt information sent by a warning information display system, wherein the early warning information comprises risk grades, risk descriptions and the like, the role attribute is used for showing functional positioning of the account in a fund chain, the associated account group is an account set which has a tight transaction relation with a suspicious account, and the transaction mode shows fund flow characteristics inside the account group.
This step is performed immediately after the suspicious account is identified. Specifically, the system firstly divides the suspicious account into different risk levels according to the transmission importance scores of the suspicious account, and sets corresponding early warning levels. And then analyzing the role attribute of the account in the fund chain, and judging whether the account is a fund collection, transfer or dispersion node. For suspicious accounts with specific roles, the system further analyzes their structural location in the transaction network, identifies account groups closely related thereto, and studies transaction pattern features within the groups. And finally, integrating the information by the system to generate early warning information containing the contents such as risk level, role characteristics, association analysis and the like.
In some embodiments, the generation and transmission of the early warning information can be achieved in a plurality of modes, wherein the method comprises the steps of optionally designing a risk classification rule based on the transmission importance score, identifying an associated account group through a community discovery algorithm, analyzing a transaction behavior mode in the group, generating structured early warning information and pushing through multiple channels, optionally firstly establishing a risk early warning template library, selecting a proper early warning template according to a role analysis result, filling account characteristics and risk description information, and finally carrying out classified pushing through the early warning platform. It will be appreciated that the processing and sending of the risk early warning information may also be implemented in other ways, which are not limited herein.
The method specifically comprises the following steps:
and carrying out risk classification on the suspicious account according to the transmission importance score of the suspicious account, and setting high, medium and low three-level early warning thresholds.
In the step, the transmission importance score refers to an account risk score obtained through network transmission calculation, the risk level refers to a risk level divided according to the score, and the early warning threshold refers to a score limit value for triggering early warning of different levels.
The system performs a hierarchical process on the transfer importance scores of the suspicious accounts. Firstly, three early warning thresholds are determined, wherein the high risk early warning threshold is set to 0.8, the middle risk early warning threshold is set to 0.6, and the low risk early warning threshold is set to 0.4. Based on these thresholds, the system classifies accounts into different risk classes, accounts with scores greater than 0.8 are classified as high risk, accounts with scores between 0.6 and 0.8 are classified as medium risk, and accounts with scores between 0.4 and 0.6 are classified as low risk. The system configures a corresponding monitoring policy and treatment for each risk level.
And analyzing the role attribute of the suspicious account in the fund chain based on the link position characteristic of the suspicious account, and judging whether the suspicious account is a fund collection node, a transit node or a dispersion node.
In this step, the character attribute refers to the functional location assumed by the account in the funds flow, the funds collection node refers to the account receiving funds from multiple sources, the transfer node refers to the account receiving funds of similar size to the transfer out of funds, and the dispersion node refers to the node dispersing funds out to multiple accounts.
The system performs role recognition based on the link location characteristics of the account. The decision rule is adopted for judging that the fund collection node is judged when the fund dispersity index is smaller than 0.3 and the income degree is larger than the income degree, the fund dispersion node is judged when the fund dispersity index is larger than 0.7 and the income degree is larger than the income degree, and the fund transfer node is judged when the ratio of the income degree to the income degree is between 0.8 and 1.2 and the ratio of the inflow and outflow amount of the fund is between 0.9 and 1.1. The system records the role determination result of each account for subsequent risk analysis.
If yes, identifying the associated account group of the suspicious account according to the structural position characteristics of the account transaction network and determining the transaction mode in the associated account group.
In this step, the associated account group refers to an account set having close trade relationship with the target account, the trade pattern refers to the fund exchange characteristics between the accounts inside the group, and the structural position characteristics refer to the position characteristics of the accounts in the trade network topology.
The system identifies the associated account group using a community discovery algorithm. First, the association strength between accounts is calculated, which comprises three dimensions of transaction frequency, amount ratio and time correlation. And then, community division is carried out by using a Louvain algorithm, and the association strength is used as an edge weight to divide the closely connected account groups. For each group, the system analyzes the transaction modes in the group, namely, calculates indexes such as transaction density, fund circulation rate, transaction time sequence characteristics and the like in the group, and identifies typical transaction modes such as chain transmission, annular circulation, star dispersion and the like.
When the account does not belong to the funds collection node, the transfer node or the dispersion node, the system executes the following processing flow:
First, the system marks the account as a general transaction node, indicating that it has no special functional positioning in the funds chain. For a general transaction node, the system still records basic transaction characteristics of the system, including information such as transaction total amount, transaction frequency, number of transaction opponents and the like, but does not conduct identification of an associated account group and analysis of transaction patterns. Such nodes typically exhibit a small ingress and egress (e.g., less than 3), a mismatch in the size of the funds inflow and outflow (ratio less than 0.8 or greater than 1.2), and a medium level of funds dispersion index (between 0.3 and 0.7).
The system adopts a simplified monitoring strategy for the nodes, wherein the transaction behavior of the nodes is continuously recorded, but the group analysis flow is not triggered, and the role attribute of the nodes is reevaluated only when the transaction characteristics of the nodes are obviously changed (such as transaction frequency or monetary value increase in a short period). The processing mode avoids unnecessary deep analysis on the common transaction node, and improves the operation efficiency of the system.
In the early warning information generation link, the system only outputs basic risk information, including account information, risk level and basic transaction characteristics, to the nodes, and does not contain group analysis and transaction mode related content. The differentiated information generation strategy ensures the accuracy and practicability of the early warning information.
Generating early warning information comprising suspicious account basic information, risk level, location characteristics, role descriptions and associated account group information.
In this step, the early warning information refers to risk prompt information generated by the system, and includes risk feature descriptions of multiple dimensions.
The system generates early warning information according to a standard format. The early warning information comprises the following fields of account basic information (account number, account opening name, account opening time and the like), risk level (high, medium and low risks and corresponding score values), location feature (specific numerical values of fund dispersion degree and path coordination degree), role description (node type and main risk feature), and associated account information (group scale, important node list and typical transaction mode description). The system organizes the information according to a structured format to form a complete early warning report, and the complete early warning report is pushed to related processing personnel through an early warning platform.
The method provided in this embodiment will be described in more detail. Fig. 2 is a schematic flow chart of an artificial intelligence-based risk monitoring and early warning method for a banking system according to an embodiment of the application.
S201, setting a differential monitoring rule according to the risk level of the suspicious account, wherein the monitoring rule comprises a daily maximum transaction limit of the high-risk account, a single maximum transaction limit and an upper limit of transaction accumulation times.
The differential monitoring rule indicates targeted transaction limiting conditions set according to different risk levels, the daily maximum transaction limit refers to the maximum total transaction amount allowed by a single account in a natural day, the single maximum transaction limit refers to the maximum amount allowed by a single transaction, and the upper limit of transaction accumulation times refers to the maximum transaction number allowed by the single account in a specific time period.
And setting corresponding monitoring rules for different levels according to the suspicious account risk levels obtained by the previous calculation. For high risk accounts, setting the most strict limit conditions, such as the total daily transaction amount is not more than 10 ten thousand yuan, the single transaction amount is not more than 2 ten thousand yuan, the daily transaction number is not more than 5 times, for medium risk accounts, the limit is properly relaxed, such as the total daily transaction amount is not more than 50 ten thousand yuan, the single transaction amount is not more than 10 ten thousand yuan, the daily transaction number is not more than 20 times, for low risk accounts, the relatively loose limit is adopted, such as the total daily transaction amount is not more than 100 ten thousand yuan, the single transaction amount is not more than 20 ten thousand yuan, and the daily transaction number is not more than 50 times. Meanwhile, the system sets different limits for different service types, such as setting different limit standards for public accounts and personal accounts respectively, so as to ensure the rationality and effectiveness of the monitoring rules.
S202, when the current transaction behavior of the suspicious account triggers the monitoring rule, freezing the current transaction behavior and pushing an abnormal reminder to the target client terminal.
The method comprises the steps of carrying out a transaction operation on an account, freezing, suspending execution of the transaction, enabling a target client terminal to be an operation terminal used by a bank staff, and enabling an abnormal reminding system to generate risk prompt information.
When an account initiates a transaction, the system checks in real time whether the transaction meets the monitoring rules. When the system detects that the transaction triggers the monitoring rules, freezing measures are immediately taken. For example, an 8 ten thousand yuan transaction has occurred on the day for a high risk account, and when a3 ten thousand yuan transfer is initiated again, the system automatically intercepts the transaction by exceeding the upper 10 ten thousand yuan per day transaction limit. Meanwhile, the system pushes abnormal transaction reminding to the bank management terminal, and the reminding information comprises account basic information, current transaction amount, accumulated transaction amount, trigger rule type and other contents. After receiving the reminding, the bank staff can check the detailed transaction information and the risk analysis report, and perform manual auditing and disposal.
S203, counting and analyzing the triggering times of triggering the monitoring rule of the suspicious account in a preset time window.
The preset time window refers to a fixed time period for statistical analysis, the triggering times refer to the accumulated times of account triggering monitoring rules, and the statistical analysis refers to summarizing and analyzing triggering data.
The system counts how many times each suspicious account triggers the monitoring rules within a fixed time window (e.g., one week or one month). The statistical content comprises the total triggering times, the triggering times distribution of different rules, the triggering time distribution and the like. For example, statistics show that an account co-triggers the monitoring rules 15 times during the past week, with 8 times over the daily transaction limit, 5 times over the single limit, 2 times over the limit of the number of transactions, and focusing primarily on the afternoon hours of the workday. The system records these statistics for subsequent risk level adjustment and monitoring rule optimization. Meanwhile, the system performs classification analysis on the trigger behaviors, identifies an abnormal trigger mode, and if the abnormal trigger mode is the abnormal trigger mode, whether an attempt for avoiding monitoring exists, whether obvious regularity is shown or not and the like.
And S204, when the triggering times exceed a preset threshold value, the risk level of the suspicious account is increased, and the monitoring rule parameters are adjusted.
The method comprises the steps of presetting a threshold value, wherein the threshold value refers to an alarm value of triggering times and is used for judging whether the risk level needs to be improved, the risk level improvement refers to adjusting the risk rating of an account to a higher level, and the monitoring rule parameter refers to controlling specific numerical values of transaction limits, including limit, time limit and the like.
The system executes a risk level dynamic adjustment mechanism to update risk management and control measures by continuously monitoring abnormal behaviors of the account. When the triggering times of the account in the appointed time window reach a preset threshold value (for example, the triggering times of the account exceed 10 times in one week), the system automatically increases the risk level of the account by one step. Meanwhile, the monitoring rule parameters of the account are adjusted, for example, the original daily transaction limit is reduced by 50%, the single transaction limit is reduced by 30%, and the upper limit of the transaction times is reduced by 40%. For accounts with medium risk up-regulated to high risk, the system also adds additional monitoring dimensions, such as requiring large transactions to provide supplementary materials, adding transaction delay auditing mechanisms, and the like. The dynamic adjustment ensures timeliness and effectiveness of monitoring measures, and improves accuracy of risk prevention and control.
S205, recording the trigger history and the manual treatment result of the monitoring rule.
The trigger history refers to a detailed record of triggered monitoring rules and comprises information such as trigger time, trigger type and the like, the manual treatment result refers to the auditing and processing conditions of a bank staff on a trigger event, and the history refers to the storage and management of the information.
The system establishes a complete monitoring record storage mechanism and carries out detailed record on each rule triggering event. The recorded content comprises basic information such as trigger time, trigger account information, trigger rule type, transaction amount, accumulated trigger times and the like, and processing information such as manual auditors, audit time, audit conclusion, disposal measures and the like. For each treatment result, the system records detailed information of treatment type (e.g., release, rejection, manual verification, etc.), treatment basis, supplementary materials, etc. Meanwhile, the system performs classified storage and index management on the records, establishes a multidimensional query interface, supports retrieval according to conditions such as time, account, rule type and the like, and facilitates subsequent analysis and traceability.
S206, receiving a treatment result mark of the target client terminal on the early warning information, and calculating the accuracy and the false alarm rate of the early warning rule according to the treatment result mark, wherein the treatment result mark comprises three types of real risks, false alarms and to-be-observed.
The handling result mark refers to a judgment result mark made after a bank personnel examines the early warning information and is divided into three types, namely real risk (confirming that risk behaviors exist), false alarm (confirming normal transaction) and to be observed (needing to continue monitoring), wherein the accuracy rate represents the proportion of the real risk confirmed in a risk account of the early warning system, the false alarm rate represents the proportion of the false alarm confirmed in the risk account of the early warning system, and the target client terminal refers to operation terminal equipment for processing the early warning information by a bank wind control personnel.
The system receives the treatment result mark of the wind control personnel on each piece of early warning information through the early warning processing platform. For each early warning account, the wind control personnel need to select corresponding treatment result types after verifying transaction information and analyzing risk characteristics. The system calculates accuracy indexes of the early warning rules based on accumulated treatment result data, wherein the accuracy rate=real risk early warning number/total early warning number, and the false alarm rate=false alarm early warning number/total early warning number. For example, in the last 100 early warning, 60 are marked as real risks, 30 are marked as false positives, 10 are marked as to-be-observed, and the accuracy is 60% and the false alarm rate is 30%. The system updates the statistical indexes in real time for evaluating the effectiveness of the early warning rules.
S207, when the accuracy is lower than a preset accuracy threshold or the false alarm rate is higher than a preset false alarm rate threshold, adjusting a score threshold in the early warning rule.
The preset accuracy threshold value refers to the minimum accuracy standard required by the system and is used for judging whether the early warning rule needs to be optimized or not, the preset false alarm rate threshold value refers to the maximum false alarm rate upper limit allowed by the system, and the score threshold value refers to the score standard value used for judging whether the account is a suspicious account or not.
The system continuously monitors the accuracy and false alarm rate index of the early warning rule. When the accuracy is lower than a preset threshold (such as lower than 50%) or the false alarm rate is higher than a preset threshold (such as higher than 40%), the system automatically triggers an early warning rule optimization mechanism. The specific adjustment mode is that when the accuracy rate is too low, the judgment score threshold value of the suspicious account is improved, so that the system screens the risk account more strictly, for example, the score threshold value is improved from 0.7 to 0.8, and when the false alarm rate is too high, the score threshold value is reduced, so that the system judges the risk account more loosely, for example, the score threshold value is reduced from 0.7 to 0.6. And the change trend of the accuracy and the false alarm rate is comprehensively considered during adjustment, a progressive adjustment strategy is adopted, the adjustment amplitude is controlled within 10% each time, and the stability of system early warning is ensured. And continuously tracking new accuracy and false alarm rate indexes after adjustment, and verifying the adjustment effect.
The following describes a bank system risk monitoring and early warning system from the perspective of hardware processing, please refer to fig. 3, which is a schematic diagram of an entity device of the bank system risk monitoring and early warning system in the embodiment of the present application.
It should be noted that the structure of the risk monitoring and early warning system of the banking system shown in fig. 3 is only an example, and should not impose any limitation on the functions and application scope of the embodiments of the present invention.
As shown in fig. 3, the bank system risk monitoring and early warning system includes a central processing unit (Central Processing Unit, CPU) 301 that can perform various appropriate actions and processes, such as performing the methods described in the above embodiments, according to a program stored in a Read-Only Memory (ROM) 302 or a program loaded from a storage portion 308 into a random access Memory (Random Access Memory, RAM) 303. In the RAM 303, various programs and data required for the system operation are also stored. The CPU 301, ROM 302, and RAM 303 are connected to each other through a bus 304. An Input/Output (I/O) interface 305 is also connected to bus 304.
Connected to the I/O interface 305 are an input section 306 including an audio input device, a push button switch, and the like, an output section 307 including a Liquid crystal display (Liquid CRYSTAL DISPLAY, LCD) and an audio output device, an indicator lamp, and the like, a storage section 308 including a hard disk, and the like, and a communication section 309 including a network interface card such as a LAN (Local Area Network) card, a modem, and the like. The communication section 309 performs communication processing via a network such as the internet. The drive 310 is also connected to the I/O interface 305 as needed. A removable medium 311 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed on the drive 310 as needed, so that a computer program read therefrom is installed into the storage section 308 as needed.
In particular, according to embodiments of the present invention, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present invention include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising a computer program for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 309, and/or installed from the removable medium 311. When the computer program is executed by a Central Processing Unit (CPU) 301, various functions defined in the present invention are performed.
Specific examples of a computer-readable storage medium include, but are not limited to, an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-Only Memory (ROM), an erasable programmable read-Only Memory (Erasable Programmable Read Only Memory, EPROM), a flash Memory, an optical fiber, a portable compact disc read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. Where each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures.
Specifically, the bank system risk monitoring and early warning system of the embodiment includes a processor and a memory, wherein a computer program is stored in the memory, and when the computer program is executed by the processor, the bank system risk monitoring and early warning method based on artificial intelligence provided by the embodiment is realized.
In another aspect, the present invention also provides a computer readable storage medium, which may be included in the risk monitoring and early warning system of the banking system described in the above embodiment, or may exist alone, and not be assembled into the risk monitoring and early warning system of the banking system. The storage medium carries one or more computer programs which, when executed by a processor of the bank system risk monitoring and early warning system, cause the bank system risk monitoring and early warning system to implement the artificial intelligence based bank system risk monitoring and early warning method provided in the above embodiments.
While the application has been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art that the foregoing embodiments may be modified or equivalents may be substituted for some of the features thereof, and that the modifications or substitutions do not depart from the spirit of the embodiments.
As used in the above embodiments, the term "when..is interpreted as meaning" if..or "after..or" in response to determining..or "in response to detecting..is" depending on the context. Similarly, the phrase "when determining..or" if (a stated condition or event) is detected "may be interpreted to mean" if determined.+ -. "or" in response to determining.+ -. "or" when (a stated condition or event) is detected "or" in response to (a stated condition or event) "depending on the context.
Those of ordinary skill in the art will appreciate that implementing all or part of the above-described method embodiments may be accomplished by a computer program to instruct related hardware, the program may be stored in a computer readable storage medium, and the program may include the above-described method embodiments when executed. The storage medium includes a ROM or a random access memory RAM, a magnetic disk or an optical disk, and other various media capable of storing program codes.