Method and device for judging business risk based on user operation
1. A method for judging business risk based on user operation, the method is executed by a client, the client provides a plurality of service businesses, and the method comprises the following steps:
receiving a first operation aiming at a target service, wherein the target service is one of the plurality of service services, and the first operation is a predetermined operation before a service request of the target service is submitted to a server;
responding to the first operation, acquiring a historical operation sequence executed by a user through the client in a first execution link, inputting a characteristic sequence corresponding to the historical operation sequence into a pre-trained risk prediction model to obtain a risk score of the target service, and sending the risk score to the server;
in a second execution link executed in parallel with the first execution link, continuing to process the target service until submitting a service request of the target service to the server; and the server side judges whether the target service has the risk of a preset category or not according to the service request and the risk score.
2. The method of claim 1, wherein the target service belongs to a payment service, the first operation comprising one of: and starting the cashier desk, displaying the money receiving code and displaying the payment code.
3. The method of claim 1, wherein the historical sequence of operations includes operations for traffic other than the target traffic.
4. The method of claim 1, wherein the historical sequence of operations comprises:
the method comprises the steps of coarse-grained operation which can be perceived by the server and fine-grained operation which cannot be perceived by the server.
5. The method of claim 4, wherein the coarse grain operations comprise:
browsing, collecting or purchasing;
the fine-grained operations include:
click, slide, or expose.
6. The method of claim 1, wherein the sequence of features corresponds to a plurality of features; the risk prediction model includes a feature extraction network; the feature extraction network is used for aggregating the features corresponding to different features of the same operation in a convolution processing mode to obtain a fusion feature vector corresponding to the same operation.
7. The method of claim 6, wherein the plurality of features comprises at least one of:
visit page, page dwell time, time interval from current, absolute time, date.
8. The method of claim 6, wherein the risk prediction model further comprises an encoder and respective prediction networks corresponding to a plurality of risk prediction tasks;
the encoder is used for obtaining each encoding vector corresponding to each operation through convolution processing and a self-attention mechanism according to the fusion characterization vectors corresponding to each operation;
and any one of the prediction networks carries out weighted summation on each coding vector based on the weight of each coding vector and the corresponding risk prediction task to obtain a target domain characterization vector, and determines the risk score of the corresponding risk prediction task according to the target domain characterization vector.
9. The method of claim 8, wherein the risk prediction model is trained by:
pre-training the feature extraction network by adopting a self-supervision agent task;
fixing the parameters of the pre-trained feature extraction network, and training the encoder and the first prediction network by using the label of the first risk prediction task of the training sample; wherein the first risk prediction task is any one of the plurality of risk prediction tasks, and the first prediction network corresponds to the first risk prediction task.
10. The method of claim 9, wherein the self-supervision agent task comprises: and masking feature values corresponding to all features corresponding to the same operation in the feature sequence, and predicting the feature values of part or all of the masked features.
11. The method of claim 8, wherein the risk prediction model is trained by:
training the feature extraction network, the encoder and the first prediction network by using a label of a first risk prediction task of a training sample; wherein the first risk prediction task is any one of the plurality of risk prediction tasks, and the first prediction network corresponds to the first risk prediction task.
12. An apparatus for determining a business risk based on a user operation, the apparatus being provided at a client, the client providing a plurality of service businesses, the apparatus comprising:
a receiving unit, configured to receive a first operation for a target service, where the target service is one of the multiple service services, and the first operation is a predetermined operation before a service request of the target service is submitted to a server;
a first execution unit, configured to, in response to the first operation received by the receiving unit, acquire, in a first execution link, a historical operation sequence executed by a user through the client, input a feature sequence corresponding to the historical operation sequence into a risk prediction model trained in advance, obtain a risk score of the target service, and send the risk score to the server;
a second execution unit, configured to continue to process the target service in a second execution link that is executed in parallel with the first execution link until a service request of the target service is submitted to the server; and the server side judges whether the target service has the risk of a preset category or not according to the service request and the risk score.
13. The apparatus of claim 12, wherein the target service belongs to a payment service, the first operation comprising one of: and starting the cashier desk, displaying the money receiving code and displaying the payment code.
14. The apparatus of claim 12, wherein the historical sequence of operations comprises operations for traffic other than the target traffic.
15. The apparatus of claim 12, wherein the historical sequence of operations comprises:
the method comprises the steps of coarse-grained operation which can be perceived by the server and fine-grained operation which cannot be perceived by the server.
16. The apparatus of claim 15, wherein the coarse grain operations comprise:
browsing, collecting or purchasing;
the fine-grained operations include:
click, slide, or expose.
17. The apparatus of claim 12, wherein the sequence of features corresponds to a plurality of features; the risk prediction model includes a feature extraction network; the feature extraction network is used for aggregating the features corresponding to different features of the same operation in a convolution processing mode to obtain a fusion feature vector corresponding to the same operation.
18. The apparatus of claim 17, wherein the plurality of features comprises at least one of:
visit page, page dwell time, time interval from current, absolute time, date.
19. The apparatus of claim 17, wherein the risk prediction model further comprises an encoder and respective prediction networks corresponding to a plurality of risk prediction tasks;
the encoder is used for obtaining each encoding vector corresponding to each operation through convolution processing and a self-attention mechanism according to the fusion characterization vectors corresponding to each operation;
and any one of the prediction networks carries out weighted summation on each coding vector based on the weight of each coding vector and the corresponding risk prediction task to obtain a target domain characterization vector, and determines the risk score of the corresponding risk prediction task according to the target domain characterization vector.
20. The apparatus of claim 19, wherein the risk prediction model is trained by:
pre-training the feature extraction network by adopting a self-supervision agent task;
fixing the parameters of the pre-trained feature extraction network, and training the encoder and the first prediction network by using the label of the first risk prediction task of the training sample; wherein the first risk prediction task is any one of the plurality of risk prediction tasks, and the first prediction network corresponds to the first risk prediction task.
21. The apparatus of claim 20, wherein the self-supervision agent task comprises: and masking feature values corresponding to all features corresponding to the same operation in the feature sequence, and predicting the feature values of part or all of the masked features.
22. The apparatus of claim 19, wherein the risk prediction model is trained by:
training the feature extraction network, the encoder and the first prediction network by using a label of a first risk prediction task of a training sample; wherein the first risk prediction task is any one of the plurality of risk prediction tasks, and the first prediction network corresponds to the first risk prediction task.
23. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-11.
24. A computing device comprising a memory having stored therein executable code and a processor that, when executing the executable code, implements the method of any of claims 1-11.
Background
Currently, a client and a server cooperate to provide service services for users. In the process of using the client, a series of user operations such as login, password modification, specific page browsing and the like are generated by a user, abnormal behavior in the user operations indicates a certain business risk, and the user operations can help to judge whether a target business has the business risk.
In the prior art, when a business risk is judged based on user operation, due to the limitation of the performance of a client, the business risk is generally judged by a server, and due to the fact that massive data cannot be returned in real time in the client, the data cannot be effectively utilized when whether a target business is at risk is judged, and therefore the accuracy rate of risk identification is low.
Therefore, an improved scheme is desired that can ensure high accuracy and low time consumption when determining a business risk based on a user operation.
Disclosure of Invention
One or more embodiments of the present specification describe a method and an apparatus for determining a business risk based on a user operation, which can ensure high accuracy and low consumption of time when determining a business risk based on a user operation.
In a first aspect, a method for determining a business risk based on user operations is provided, where the method is performed by a client, and the client provides multiple service businesses, and the method includes:
receiving a first operation aiming at a target service, wherein the target service is one of the plurality of service services, and the first operation is a predetermined operation before a service request of the target service is submitted to a server;
responding to the first operation, acquiring a historical operation sequence executed by a user through the client in a first execution link, inputting a characteristic sequence corresponding to the historical operation sequence into a pre-trained risk prediction model to obtain a risk score of the target service, and sending the risk score to the server;
in a second execution link executed in parallel with the first execution link, continuing to process the target service until submitting a service request of the target service to the server; and the server side judges whether the target service has the risk of a preset category or not according to the service request and the risk score.
In a possible embodiment, the target service belongs to a payment service, and the first operation includes one of: and starting the cashier desk, displaying the money receiving code and displaying the payment code.
In one possible embodiment, the historical sequence of operations includes operations for traffic other than the target traffic.
In one possible implementation, the historical sequence of operations includes:
the method comprises the steps of coarse-grained operation which can be perceived by the server and fine-grained operation which cannot be perceived by the server.
Further, the coarse-grained operations include:
browsing, collecting or purchasing;
the fine-grained operations include:
click, slide, or expose.
In a possible embodiment, the sequence of features corresponds to a plurality of features; the risk prediction model includes a feature extraction network; the feature extraction network is used for aggregating the features corresponding to different features of the same operation in a convolution processing mode to obtain a fusion feature vector corresponding to the same operation.
Further, the plurality of features includes at least one of:
visit page, page dwell time, time interval from current, absolute time, date.
Further, the risk prediction model further comprises an encoder and prediction networks corresponding to the plurality of risk prediction tasks;
the encoder is used for obtaining each encoding vector corresponding to each operation through convolution processing and a self-attention mechanism according to the fusion characterization vectors corresponding to each operation;
and any one of the prediction networks carries out weighted summation on each coding vector based on the weight of each coding vector and the corresponding risk prediction task to obtain a target domain characterization vector, and determines the risk score of the corresponding risk prediction task according to the target domain characterization vector.
Further, the risk prediction model is trained as follows:
pre-training the feature extraction network by adopting a self-supervision agent task;
fixing the parameters of the pre-trained feature extraction network, and training the encoder and the first prediction network by using the label of the first risk prediction task of the training sample; wherein the first risk prediction task is any one of the plurality of risk prediction tasks, and the first prediction network corresponds to the first risk prediction task.
Further, the self-supervision agent task comprises: and masking feature values corresponding to all features corresponding to the same operation in the feature sequence, and predicting the feature values of part or all of the masked features.
Further, the risk prediction model is trained as follows:
training the feature extraction network, the encoder and the first prediction network by using a label of a first risk prediction task of a training sample; wherein the first risk prediction task is any one of the plurality of risk prediction tasks, and the first prediction network corresponds to the first risk prediction task.
In a second aspect, a device for determining a business risk based on a user operation is provided, where the device is disposed at a client, and the client provides multiple service businesses, and the device includes:
a receiving unit, configured to receive a first operation for a target service, where the target service is one of the multiple service services, and the first operation is a predetermined operation before a service request of the target service is submitted to a server;
a first execution unit, configured to, in response to the first operation received by the receiving unit, acquire, in a first execution link, a historical operation sequence executed by a user through the client, input a feature sequence corresponding to the historical operation sequence into a risk prediction model trained in advance, obtain a risk score of the target service, and send the risk score to the server;
a second execution unit, configured to continue to process the target service in a second execution link that is executed in parallel with the first execution link until a service request of the target service is submitted to the server; and the server side judges whether the target service has the risk of a preset category or not according to the service request and the risk score.
In a third aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first aspect.
In a fourth aspect, there is provided a computing device comprising a memory having stored therein executable code and a processor that, when executing the executable code, implements the method of the first aspect.
According to the method and the device provided by the embodiment of the specification, firstly, a client receives a first operation aiming at a target service, wherein the target service is one of the multiple service services, and the first operation is a predetermined operation before a service request of the target service is submitted to a server; then responding to the first operation, acquiring a historical operation sequence executed by a user through the client in a first execution link, inputting a characteristic sequence corresponding to the historical operation sequence into a pre-trained risk prediction model to obtain a risk score of the target service, and sending the risk score to the server; in a second execution link executed in parallel with the first execution link, continuing to process the target service until submitting a service request of the target service to the server; and the server side judges whether the target service has the risk of a preset category or not according to the service request and the risk score. As can be seen from the above, in the embodiments of the present specification, since determining the risk score is performed by the client, a historical operation sequence performed by the user through the client may be effectively utilized, so that the determined risk score may ensure high accuracy, and before the client submits the service request of the target service to the server, the risk score may be determined, so that the risk score may be determined within the time difference by using the time difference between receiving the first operation and submitting the service request, and thus low time consumption may be ensured.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram illustrating an implementation scenario of an embodiment disclosed herein;
FIG. 2 illustrates a flow diagram of a method for determining business risk based on user actions, according to one embodiment;
FIG. 3 shows a schematic structural diagram of a feature extraction network according to one embodiment;
FIG. 4 shows a schematic block diagram of an encoder and prediction networks according to one embodiment;
FIG. 5 illustrates a two-phase training diagram according to one embodiment;
FIG. 6 illustrates an auto-supervised agent task diagram according to one embodiment;
FIG. 7 illustrates a dual lane parallel processing schematic according to one embodiment;
fig. 8 shows a schematic block diagram of an apparatus for determining business risk based on user operation according to an embodiment.
Detailed Description
The scheme provided by the specification is described below with reference to the accompanying drawings.
Fig. 1 is a schematic view of an implementation scenario of an embodiment disclosed in this specification. The implementation scenario relates to the judgment of business risks based on user operations, which is executed by a client, and it can be understood that a user can generate a series of user operations in the process of using the client, such as login, password modification, and specific page browsing. The operation behavior mode of the user is mastered, extra information gain can be obtained, and the experience and the wind control safety of the consumer are improved.
Referring to fig. 1, taking an example that a user operates to browse a specific page, the user sequentially browses a home page, a page 1, a page 2 and a page 3, wherein the page 1 is a credit consumption service page and can provide a service of first consumption and then payment, the page 2 is a global search page and provides a search service, and the page 3 is a small-amount debit page and can provide a non-interest debit service within a preset time limit of a certain amount. Through the browsing approach of the user shown in fig. 1, the user intention may be inferred, so as to determine whether the target service has a service risk, where the target service may be included in the service provided by the page browsed by the user, for example, the target service is provided by page 1, or the target service may not be included in the service provided by the page browsed by the user, for example, the target service is a payment service.
Fig. 2 is a flowchart illustrating a method for determining business risk based on user operation, which is performed by a client providing multiple service businesses according to an embodiment, and the method may be based on the implementation scenario illustrated in fig. 1. As shown in fig. 2, the method for determining business risk based on user operation in this embodiment includes the following steps: step 21, receiving a first operation for a target service, wherein the target service is one of the multiple service services, and the first operation is a predetermined operation before submitting a service request of the target service to a server; step 22, responding to the first operation, in a first execution link, acquiring a historical operation sequence executed by a user through the client, inputting a feature sequence corresponding to the historical operation sequence into a pre-trained risk prediction model to obtain a risk score of the target service, and sending the risk score to the server; step 23, in a second execution link executed in parallel with the first execution link, continuing to process the target service until submitting a service request of the target service to the server; and the server side judges whether the target service has the risk of a preset category or not according to the service request and the risk score. Specific execution modes of the above steps are described below.
First, in step 21, a first operation for a target service is received, where the target service is one of the multiple service services, and the first operation is a predetermined operation before a service request of the target service is submitted to a server. It will be appreciated that, typically, one or more predetermined operations are required before submitting a service request of a target service to the server, for example, opening the client, clicking an icon of the target service, entering a password, and so on.
In the embodiments of the present specification, the multiple service services may include, but are not limited to, a first consumption and then payment service, a search service, a interest-free borrowing service, a payment service, and the like, and the target service is any one of the multiple service services.
In one example, the target service belongs to a payment service, and the first operation includes one of: and starting the cashier desk, displaying the money receiving code and displaying the payment code.
Then, in step 22, in response to the first operation, in a first execution link, obtaining a historical operation sequence executed by the user through the client, inputting a feature sequence corresponding to the historical operation sequence into a risk prediction model trained in advance, obtaining a risk score of the target service, and sending the risk score to the server. It is understood that the plurality of operations included in the historical operation sequence are generally arranged in time series, and accordingly, the plurality of characteristic values included in the characteristic sequence are also arranged in time series.
In the embodiment of the present specification, since the first operation is a predetermined operation before submitting the service request of the target service to the server, the feature sequence includes event information, which is data generated when an event occurs, so that the accuracy of the risk score is higher.
In one example, the historical sequence of operations includes operations for traffic other than the target traffic.
It can be understood that the client provides a plurality of service services, and in this example, not only the operation for the target service but also the operation for services other than the target service are acquired, so that the acquired information is more comprehensive.
In one example, the historical sequence of operations includes:
the method comprises the steps of coarse-grained operation which can be perceived by the server and fine-grained operation which cannot be perceived by the server.
Further, the coarse-grained operations include:
browsing, collecting or purchasing;
the fine-grained operations include:
click, slide, or expose.
It can be understood that, compared with the case that the service end determines the business risk based on the user operation, in this example, the client determines the business risk based on the user operation, so that various types of user operations can be fully utilized, including fine-grained operations that the service end cannot sense, and the user intention can be sensed in an all-around manner, thereby enabling the accuracy of the risk score to be higher.
In one example, the sequence of features corresponds to a plurality of features; the risk prediction model includes a feature extraction network; the feature extraction network is used for aggregating the features corresponding to different features of the same operation in a convolution processing mode to obtain a fusion feature vector corresponding to the same operation. The convolution process may be implemented by a Convolutional Neural Network (CNN), that is, the feature extraction network may be based on the CNN.
Fig. 3 shows a schematic structural diagram of a feature extraction network according to one embodiment. Referring to fig. 3, S1 represents a feature sequence in which the historical operation sequence corresponds to feature 1, S2 represents a feature sequence in which the historical operation sequence corresponds to feature 2, and S3 represents a feature sequence in which the historical operation sequence corresponds to feature 3, it can be understood that the historical operation sequence includes a plurality of operations, the feature sequence is formed by respective feature values corresponding to the respective operations, initial token vectors corresponding to the respective feature values are searched for, then the initial token vectors corresponding to the same operation are spliced to obtain spliced vectors corresponding to the respective operations, and then, fused token vectors corresponding to the respective operations are obtained through CNN.
Further, the plurality of features includes at least one of:
visit page, page dwell time, time interval from current, absolute time, date.
The characteristic value corresponding to the access page can be determined based on the corresponding page code and the service code, for example, the page code and the service code are spliced and then subjected to hashing before modulo taking. The feature value corresponding to absolute time may be in the order of hours. The characteristic value of the date can have two values for indicating whether the target service is executed on the current day.
In the embodiment of the present disclosure, the above feature sequence may be generated by selecting a time length and a sequence length, for example, selecting data within approximately 7 days and a maximum sequence length of 300, truncating a portion beyond 300 when the sequence length is greater than 300, and making the sequence length reach 300 by zero padding when the sequence length is less than 300.
In the embodiment of the present specification, a multi-feature fusion mode is adopted, and multi-dimensional features such as access page types, page dwell times, distance payment time differences, absolute time, dates, and the like are considered at the same time, which is different from direct addition processing of corresponding features of the multi-dimensional features, and features corresponding to different features of the same operation are aggregated through CNN, so that a fusion feature vector is obtained.
Further, the risk prediction model further comprises an encoder and prediction networks corresponding to the plurality of risk prediction tasks;
the encoder is used for obtaining each encoding vector corresponding to each operation through convolution processing and a self-attention mechanism according to the fusion characterization vectors corresponding to each operation;
and any one of the prediction networks carries out weighted summation on each coding vector based on the weight of each coding vector and the corresponding risk prediction task to obtain a target domain characterization vector, and determines the risk score of the corresponding risk prediction task according to the target domain characterization vector.
In the embodiments of the present description, the risk prediction model may predict a plurality of risk prediction tasks at the same time, for example, the plurality of risk prediction tasks may be respectively used to predict a fraud risk, a false transaction risk, and the like.
Fig. 4 shows a schematic structural diagram of an encoder and prediction networks according to an embodiment. Referring to fig. 4, E1, E2, E3, E4, E5, and E6 represent fused token vectors corresponding to respective operations, and a historical operation sequence includes 6 operations as an example, and the number of actual operations is usually more, where the source of the fused token vector may be an output of the aforementioned feature extraction network, and the encoder obtains intermediate vectors, i.e., C1, C2, C3, C4, C5, and C6, by performing convolution processing on the fused token vectors corresponding to respective operations, and obtains encoded vectors, i.e., a1, a2, A3, a4, a5, and A6, corresponding to respective operations, by using a self-attention mechanism. Prediction network 1 corresponds to risk prediction task 1, including attention layer 1 and Deep Neural Networks (DNNs) 1; prediction network 2 corresponds to risk prediction task 2, including attention layer 2 and DNN 2; predictive network 3 corresponds to risk prediction task 3, including attention layer 3 and DNN 3; taking 3 risk prediction tasks as an example, the number of actual risk prediction tasks may be 2, 4, or 5, etc., an attention mechanism is utilized in each prediction network, and each encoding vector may be weighted and summed based on the weight of each encoding vector and its corresponding risk prediction task in any prediction network to obtain a target domain characterization vector, and then a risk score of its corresponding risk prediction task is determined by DNN according to the target domain characterization vector. In addition, the average value pooling can be performed on each coding vector to obtain an output vector, and then the risk scores corresponding to each risk prediction task and the output vector can be sent to the service end together, so that the service end can comprehensively judge whether the target service has the risk of the preset category.
In the embodiments of the present specification, a plurality of risk prediction tasks are associated with a plurality of risk domains, for example, a risk prediction task for determining whether there is a fraud risk is associated with a theft domain, and a risk prediction task for determining whether there is a fraud risk is associated with a fraud domain.
Because there are multiple risk domains, but the resource and model time consumption limitations on the client are limited, if multiple models are deployed at the same time, serious resource consumption is brought, which is a great challenge to the performance of the terminal device where the client is located, and it is very likely that the computation overtime cannot obtain the risk score in real time, so the embodiments of the present specification combine the models of multiple domains, and avoid the overtime caused by serial computation.
In order to better consider the performance of each domain, the embodiment of the specification adopts a multi-task learning mode to train the model, and in addition, in order to better utilize massive client data, the model can be pre-trained first and then the model after pre-training is continuously trained.
Wherein, multitask learning: multiple related tasks are put together to learn, and multiple tasks are learned simultaneously.
Further, the risk prediction model is trained as follows:
pre-training the feature extraction network by adopting a self-supervision agent task;
fixing the parameters of the pre-trained feature extraction network, and training the encoder and the first prediction network by using the label of the first risk prediction task of the training sample; wherein the first risk prediction task is any one of the plurality of risk prediction tasks, and the first prediction network corresponds to the first risk prediction task.
It is understood that the self-supervised agent task is an agent task in self-supervised learning. Wherein, the self-supervision learning: the process of adjusting the parameters of the classifier to achieve the required performance using a set of samples of known classes is also known as supervised training or teachers learning. And (3) proxy tasks: the method is a target for designing the neural network model through self-supervision learning, and the neural network model is generally designed in a self-defined mode.
FIG. 5 illustrates a two-phase training diagram according to one embodiment. Referring to fig. 5, a risk prediction model, which includes a feature extraction network, an encoder, and a plurality of prediction networks, is trained through stage one and stage two. Step one, pre-training a feature extraction network by adopting a self-supervision agent task; continuously training an encoder and a plurality of prediction networks of a risk prediction model in a multi-task learning mode, fixing parameters of the pre-trained feature extraction network, and training the encoder and the first prediction networks by using labels of a first risk prediction task of a training sample; the first risk prediction task is any one of the multiple risk prediction tasks, the first prediction network corresponds to the first risk prediction task, it is understood that the first prediction network may be prediction network 1 or prediction network 2 in fig. 5, only 2 prediction networks are shown in the figure, in practice, there may be more prediction networks, that is, there may be more risk prediction tasks, and furthermore, one training sample may have labels corresponding to the multiple risk prediction tasks, for example, one training sample may have both a label corresponding to risk prediction task 1 and a label corresponding to risk prediction task 2.
In the embodiment of the present specification, the performance of each risk domain can be better considered through the two stages of training, and massive client data can be utilized.
Further, the self-supervision agent task comprises: and masking feature values corresponding to all features corresponding to the same operation in the feature sequence, and predicting the feature values of part or all of the masked features.
FIG. 6 illustrates an auto-supervision agent task diagram according to one embodiment. Referring to FIG. 6, the auto-supervising agent task is used to predict the occluded feature value, e.g., replace the feature value corresponding to feature 1 of operation 3 with a mask, and then predict the feature value. For a feature sequence of multiple features, having the same operation corresponds to the feature values of the multiple features, for example, operation 3 corresponds to the feature value of X13 for feature 1, operation 3 corresponds to the feature value of X23 for feature 2, operation 3 corresponds to the feature value of X33 for feature 3, operation 3 corresponds to the feature value of X43 for feature 4, and operation 3 corresponds to the feature value of X53 for feature 5. In order to avoid information leakage, when masking a certain feature value of an operation, the feature values corresponding to all features of the operation need to be masked, for example, all the feature values corresponding to features 1 to 5 in operation 3 are used for mask replacement in fig. 6. Inputting the masked feature sequence into a feature extraction network to obtain fused feature vectors corresponding to the operations, for example, in fig. 6, γ 1 represents the fused feature vector corresponding to operation 1, γ 2 represents the fused feature vector corresponding to operation 2, γ 3 represents the fused feature vector corresponding to operation 3, and γ 4 represents the fused feature vector corresponding to operation 4, the masked feature values can be predicted according to γ 3, all the masked feature values X13, X23, X33, X43, and X53 can be predicted, and only the partially masked feature values X13, X23, and X33 can be predicted.
As an example, feature 1 may represent a visited page, feature 2 may represent a page dwell time, feature 3 may represent a time interval from the current time, feature 4 may represent an absolute time, and feature 5 may represent a date.
In addition to the two-stage training mode, the risk prediction model may also have other training modes, for example, training may be performed only by means of multi-task learning without pre-training.
Further, the risk prediction model is trained as follows:
training the feature extraction network, the encoder and the first prediction network by using a label of a first risk prediction task of a training sample; wherein the first risk prediction task is any one of the plurality of risk prediction tasks, and the first prediction network corresponds to the first risk prediction task.
Finally, in step 23, in a second execution link executed in parallel with the first execution link, the target service is processed continuously until a service request of the target service is submitted to the server; and the server side judges whether the target service has the risk of a preset category or not according to the service request and the risk score. It can be understood that, since the foregoing first operation is a predetermined operation before submitting the service request of the target service to the server, a certain processing is generally required between the first operation and submitting the service request, for example, when the target service is a payment service, the processing generally includes inputting a password or rendering a payment.
FIG. 7 illustrates a dual lane parallel processing schematic according to one embodiment. Referring to fig. 7, in a conventional wind control model, when a user completes payment, wind control analysis, namely cloud analysis in the graph, is initiated, and at this time, necessary wind control characteristics are transmitted back to the cloud for analysis, while in the embodiment of the present description, calculation needs to be completed on a client, and if the calculation of a risk prediction model is triggered when payment is submitted, the cloud analysis cannot be caught up; and due to the limitation of the size of the data packet, the calculation result of the model can not be consistent with the main link of the payment return data. The proposed solution is therefore to score the fronthaul and backhaul bypasses. Scoring and pre-positioning: the calculation can be started when the user calls up the cash register for paying money, and 1-2 seconds exist in the process of completing the password input by the user, and the calculation of the model is completed in the time window. And (3) returning and bypassing: the calculated result may be opened up by another branch of Remote Procedure Call (RPC), and the branch is transmitted back to the cloud, and analyzed together with the wind control characteristics of other dimensions at the cloud. It can be understood that the cloud is a server.
According to the method provided by the embodiment of the specification, firstly, a client receives a first operation aiming at a target service, wherein the target service is one of the multiple service services, and the first operation is a predetermined operation before a service request of the target service is submitted to a server; then responding to the first operation, acquiring a historical operation sequence executed by a user through the client in a first execution link, inputting a characteristic sequence corresponding to the historical operation sequence into a pre-trained risk prediction model to obtain a risk score of the target service, and sending the risk score to the server; in a second execution link executed in parallel with the first execution link, continuing to process the target service until submitting a service request of the target service to the server; and the server side judges whether the target service has the risk of a preset category or not according to the service request and the risk score. As can be seen from the above, in the embodiments of the present specification, since determining the risk score is performed by the client, a historical operation sequence performed by the user through the client may be effectively utilized, so that the determined risk score may ensure high accuracy, and before the client submits the service request of the target service to the server, the risk score may be determined, so that the risk score may be determined within the time difference by using the time difference between receiving the first operation and submitting the service request, and thus low time consumption may be ensured.
According to another embodiment, an apparatus for determining a business risk based on a user operation is further provided, where the apparatus is disposed at a client, the client provides multiple service businesses, and the apparatus is configured to execute the method for determining a business risk based on a user operation provided in the embodiments of the present specification. Fig. 8 shows a schematic block diagram of an apparatus for determining business risk based on user operation according to an embodiment. As shown in fig. 8, the apparatus 800 includes:
a receiving unit 81, configured to receive a first operation for a target service, where the target service is one of the multiple service services, and the first operation is a predetermined operation before a service request of the target service is submitted to a server;
a first executing unit 82, configured to, in response to the first operation received by the receiving unit 81, obtain, in a first execution link, a historical operation sequence executed by the user through the client, input a feature sequence corresponding to the historical operation sequence into a risk prediction model trained in advance, obtain a risk score of the target service, and send the risk score to the server;
a second execution unit 83, configured to continue to process the target service in a second execution link executed in parallel with the first execution link until submitting a service request of the target service to the server; and the server side judges whether the target service has the risk of a preset category or not according to the service request and the risk score.
Optionally, as an embodiment, the target service belongs to a payment service, and the first operation includes one of: and starting the cashier desk, displaying the money receiving code and displaying the payment code.
Optionally, as an embodiment, the historical operation sequence includes operations for a service other than the target service.
Optionally, as an embodiment, the history operation sequence includes:
the method comprises the steps of coarse-grained operation which can be perceived by the server and fine-grained operation which cannot be perceived by the server.
Further, the coarse-grained operations include:
browsing, collecting or purchasing;
the fine-grained operations include:
click, slide, or expose.
Optionally, as an embodiment, the sequence of features corresponds to a plurality of features; the risk prediction model includes a feature extraction network; the feature extraction network is used for aggregating the features corresponding to different features of the same operation in a convolution processing mode to obtain a fusion feature vector corresponding to the same operation.
Further, the plurality of features includes at least one of:
visit page, page dwell time, time interval from current, absolute time, date.
Further, the risk prediction model further comprises an encoder and prediction networks corresponding to the plurality of risk prediction tasks;
the encoder is used for obtaining each encoding vector corresponding to each operation through convolution processing and a self-attention mechanism according to the fusion characterization vectors corresponding to each operation;
and any one of the prediction networks carries out weighted summation on each coding vector based on the weight of each coding vector and the corresponding risk prediction task to obtain a target domain characterization vector, and determines the risk score of the corresponding risk prediction task according to the target domain characterization vector.
Further, the risk prediction model is trained as follows:
pre-training the feature extraction network by adopting a self-supervision agent task;
fixing the parameters of the pre-trained feature extraction network, and training the encoder and the first prediction network by using the label of the first risk prediction task of the training sample; wherein the first risk prediction task is any one of the plurality of risk prediction tasks, and the first prediction network corresponds to the first risk prediction task.
Further, the self-supervision agent task comprises: and masking feature values corresponding to all features corresponding to the same operation in the feature sequence, and predicting the feature values of part or all of the masked features.
Further, the risk prediction model is trained as follows:
training the feature extraction network, the encoder and the first prediction network by using a label of a first risk prediction task of a training sample; wherein the first risk prediction task is any one of the plurality of risk prediction tasks, and the first prediction network corresponds to the first risk prediction task.
With the apparatus provided in this specification, first, the receiving unit 81 receives a first operation for a target service, where the target service is one of the multiple service services, and the first operation is a predetermined operation before submitting a service request of the target service to a server; then, in response to the first operation, the first execution unit 82 acquires a historical operation sequence executed by the user through the client in a first execution link, inputs a feature sequence corresponding to the historical operation sequence into a pre-trained risk prediction model to obtain a risk score of the target service, and sends the risk score to the server; the second execution unit 83 continues to process the target service in a second execution link executed in parallel with the first execution link until submitting a service request of the target service to the server; and the server side judges whether the target service has the risk of a preset category or not according to the service request and the risk score. As can be seen from the above, in the embodiments of the present specification, since determining the risk score is performed by the client, a historical operation sequence performed by the user through the client may be effectively utilized, so that the determined risk score may ensure high accuracy, and before the client submits the service request of the target service to the server, the risk score may be determined, so that the risk score may be determined within the time difference by using the time difference between receiving the first operation and submitting the service request, and thus low time consumption may be ensured.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 2.
According to an embodiment of yet another aspect, there is also provided a computing device comprising a memory having stored therein executable code, and a processor that, when executing the executable code, implements the method described in connection with fig. 2.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The above-mentioned embodiments, objects, technical solutions and advantages of the present invention are further described in detail, it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention should be included in the scope of the present invention.
- 上一篇:石墨接头机器人自动装卡簧、装栓机
- 下一篇:针对目标业务的风险识别方法及装置