Case analysis method and system based on associated network technology
1. A case analysis method based on associated network technology, characterized by comprising the following steps:
acquiring a target transaction request; the target transaction request is an online transaction;
judging whether the target transaction request is a risk request or not based on a preset case rule;
and if so, determining a target fraud group having a transaction relation with the target transaction request based on a preset association network.
2. The method of claim 1, further comprising:
marking the risk level of the target transaction request based on the preset case rule; the risk classes include: high risk requests, medium risk requests, and low risk requests.
3. The method of claim 1, further comprising:
acquiring a preset data source; the preset data source comprises: internal data, external data, index data, list data and model data;
configuring a preset case rule based on the preset data source; the preset case rule is a condition rule met by the risk request in the preset data source.
4. The method of claim 3, further comprising: constructing a preset associated network based on the preset data source; the preset association network is a network of association relations among different transaction requests.
5. A case analysis system based on associated network technology, characterized by comprising: an acquisition module, a judgment module and a determination module, wherein,
the acquisition module is used for acquiring a target transaction request; the target transaction request is an online transaction;
the judging module is used for judging whether the target transaction request is a risk request or not based on a preset case rule;
and the determining module is used for determining a target fraud group having a transaction relation with the target transaction request based on a preset association network if the target transaction request is judged to be a risk request.
6. The system of claim 5, further comprising: the marking module is used for marking the risk level of the target transaction request based on the preset case rule; the risk classes include: high risk requests, medium risk requests, and low risk requests.
7. The system of claim 5, further comprising: a configuration module and a building module, wherein,
the configuration module is used for acquiring a preset data source; the preset data source comprises: internal data, external data, index data, list data and model data; configuring a preset case rule based on the preset data source; the preset case rule is a condition rule met by the risk request in the preset data source;
the building module is used for building a preset associated network based on the preset data source; the preset association network is a network of association relations among different transaction requests.
8. The system of claim 5, further comprising: a storage module to store the target transaction request in the system.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the method of any of the preceding claims 1 to 4 are implemented when the computer program is executed by the processor.
10. A computer-readable medium having non-volatile program code executable by a processor, wherein the program code causes the processor to perform the method of any of claims 1-4.
Background
In the field of banking risk control, practice shows that, measured against regulatory requirements and technical progress, the application of artificial intelligence technology has not played a definite role in case prevention and control. Case analysis management generally means simply entering and filing the case information of cases that have already occurred, and only single-transaction analysis can be performed on the subject of such a case. The creation of rules relies on expert experience and on risks that have already occurred, the rules cannot be updated automatically for new risk patterns, and risk control rules are easily learned and bypassed by fraudsters. As cases become more diverse and complex, business personnel cannot take part in the visual configuration of rules, and cases can only be prevented by technical personnel writing SQL configuration. Business personnel and technical personnel may understand existing cases differently, and SQL written by technical personnel cannot be adjusted flexibly and promptly to the actual business, which leads to the technical problems of poor validity and poor flexibility of case rules.
Disclosure of Invention
In view of the above, the present invention provides a case analysis method and system based on an associative network technology to solve the technical problems of poor case rule validity and poor flexibility in the prior art.
In a first aspect, an embodiment of the present invention provides a case analysis method based on an associated network technology, including: acquiring a target transaction request; the target transaction request is an online transaction; judging whether the target transaction request is a risk request or not based on a preset case rule; and if so, determining a target fraud group having a transaction relation with the target transaction request based on a preset association network.
Further, the method further comprises: marking the risk level of the target transaction request based on the preset case rule; the risk classes include: high risk requests, medium risk requests, and low risk requests.
Further, the method further comprises: acquiring a preset data source; the preset data source comprises: internal data, external data, index data, list data and model data; configuring a preset case rule based on the preset data source; the preset case rule is a condition rule met by the risk request in the preset data source.
Further, the method further comprises: constructing a preset associated network based on the preset data source; the preset association network is a network of association relations among different transaction requests.
In a second aspect, an embodiment of the present invention further provides a case analysis system based on an association network technology, including: the system comprises an acquisition module, a judgment module and a determination module, wherein the acquisition module is used for acquiring a target transaction request; the target transaction request is an online transaction; the judging module is used for judging whether the target transaction request is a risk request or not based on a preset case rule; and the determining module is used for determining a target fraud group having a transaction relation with the target transaction request based on a preset association network if the target transaction request is judged to be a risk request.
Further, the system further comprises: the marking module is used for marking the risk level of the target transaction request based on the preset case rule; the risk classes include: high risk requests, medium risk requests, and low risk requests.
Further, the system further comprises: the system comprises a configuration module and a construction module, wherein the configuration module is used for acquiring a preset data source; the preset data source comprises: internal data, external data, index data, list data and model data; configuring a preset case rule based on the preset data source; the preset case rule is a condition rule met by the risk request in the preset data source; the building module is used for building a preset associated network based on the preset data source; the preset association network is a network of association relations among different transaction requests.
Further, the system further comprises: a storage module to store the target transaction request in the system.
In a third aspect, an embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method according to the first aspect when executing the computer program.
In a fourth aspect, the present invention further provides a computer-readable medium having non-volatile program code executable by a processor, where the program code causes the processor to execute the method according to the first aspect.
The embodiment of the invention provides a case analysis method and system based on an association network technology, which can determine a target fraud group having a transaction relation with a target transaction request through a preset association network, quickly mine potential risk cases, and continuously convert online cases into offline cases through preset case rules, so that the qualitative basis for risk cases is enriched and the technical problems of poor case rule validity and poor flexibility in the prior art are alleviated.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a case analysis method based on an associated network technology according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a case analysis system based on an associative network technology according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a second case analysis system based on an associative network technology according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a third case analysis system based on an association network technology according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The first embodiment is as follows:
Fig. 1 is a flowchart of a case analysis method based on an associative network technology according to an embodiment of the present invention. As shown in fig. 1, the method specifically includes the following steps:
Step S102, obtaining a target transaction request; the target transaction request is an online transaction. Optionally, the method provided in the embodiment of the present invention may obtain the target transaction request through a plurality of service channels, for example, the service channels include: mobile banking, internet banking system, credit card center, internet credit platform, etc.
Step S104, judging whether the target transaction request is a risk request or not based on the preset case rule.
Step S106, if so, determining a target fraud group having a transaction relation with the target transaction request based on a preset association network.
The embodiment of the invention provides a case analysis method based on an association network technology, which can determine a target fraud group having a transaction relation with a target transaction request through a preset association network, quickly mine potential risk cases, and continuously convert online cases into offline cases through preset case rules, thereby enriching the qualitative basis for risk cases and alleviating the technical problems of poor case rule validity and poor flexibility in the prior art.
Optionally, the method provided in the embodiment of the present invention further includes: acquiring a preset data source; the preset data source comprises: internal data, external data, index data, list data and model data; configuring preset case rules based on a preset data source; the preset case rule is a condition rule which is satisfied by the risk request in the preset data source.
In the embodiment of the invention, the preset case rule can be configured by referring to the preset data source. Specifically, the method comprises the following steps:
(1) Referencing index data: in index management, business attribute indexes are configured for different subjects, such as the transaction amount of the same customer over the last day, the number of accounts opened by the same customer on the current day, and the number of bank cards associated with the same customer. One index can be selected and configured in a policy, for example: whether the transaction amount of the same customer over the last day is more than 20,000.
(2) Referencing the data aggregation function: external data or data inside the bank is accessed efficiently through the data aggregation function, wherein the external data is third-party data, such as comprehensive anti-fraud scoring data, People's Bank credit report data, risk level list data and multi-head label data; the bank's internal data is, for example, a local database. Case rules can be configured according to the parameter information of the data, such as: risk level list data, whether the risk level hit by the mobile phone number is equal to A; multi-head label data, whether the number of loan institutions in the last 1 day is more than 2.
(3) Referencing model data: case rules can be configured using the input parameter information of a model. For example, a credit consumption model is introduced, and case rules about that model can then be configured in the policy, such as: credit consumption model, whether the number of loan issuances in the last 2 years is greater than 15.
(4) Referencing list data: if the system is already configured with mobile phone number blacklist data, identity card blacklist data and the like, case rules for list matching can be configured in the policy, for example, whether the reserved mobile phone number of the current customer is in the mobile phone number blacklist data.
Optionally, the method provided in the embodiment of the present invention further includes: marking the risk level of the target transaction request based on a preset case rule; the risk classes include: high risk requests, medium risk requests, and low risk requests.
Specifically, using the preset data sources configured in the above steps, the method provided by the embodiment of the present invention may combine different types of preset case rules according to policy requirements and configure different business risk levels for different business scenarios; for example, the risk levels are configured as high risk request, medium risk request and low risk request. When a transaction application is initiated in an online transaction, different case rules in the policy may be triggered, and the corresponding risk level is marked on the current transaction application after the rules are hit.
Once a transaction request hits a preset case rule configured in the policy, a high-risk request is triggered, a case is automatically generated and added to case management, the case is marked by service personnel, and re-investigation pushes are made for users at different intervals (white is more than 4 weeks, gray is less than 2 weeks and cannot be judged). The marking result information can be recorded at the same time.
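The following Python sketch is an added illustration, not code from the patent: it expresses the four kinds of case rules above as declarative data, so that they can be edited without writing SQL, and marks a request with the highest risk level among the rules it hits. The field names, the level assigned to each rule, the blacklist contents and the choice to open a case only at the high level are assumptions made for the example.

```python
import operator
from dataclasses import dataclass

# Risk levels named in the text, ordered so the highest hit level wins.
LEVELS = {"low": 1, "medium": 2, "high": 3}
OPS = {">": operator.gt, "==": operator.eq, "in": lambda v, s: v in s}


@dataclass(frozen=True)
class CaseRule:
    name: str
    source: str      # data source the rule refers to: index/external/model/list
    field: str       # key looked up inside that data source
    op: str          # one of OPS
    operand: object  # threshold, expected value, or the name of a list
    level: str       # assumed rule-to-level mapping (not given in the text)


# Constructed policy using the example conditions from the text.
POLICY = [
    CaseRule("amount_last_day", "index", "txn_amount_1d", ">", 20000, "medium"),
    CaseRule("phone_risk_grade", "external", "phone_risk_level", "==", "A", "high"),
    CaseRule("multi_head_1d", "external", "loan_institutions_1d", ">", 2, "medium"),
    CaseRule("loan_count_2y", "model", "loan_issuance_2y", ">", 15, "low"),
    CaseRule("phone_blacklist", "list", "reserved_phone", "in", "phone_blacklist", "high"),
]
# Constructed list data.
LISTS = {"phone_blacklist": {"13800000001", "13800000002"}}


def evaluate(facts, policy=POLICY, lists=LISTS):
    """Evaluate every rule and return the marked level, hit rules and skipped rules.

    A rule whose input is missing (for example a third-party feed that did not
    answer) is reported in "skipped" instead of silently counting as "no risk".
    """
    hits, skipped = [], []
    for rule in policy:
        value = facts.get(rule.source, {}).get(rule.field)
        if value is None:
            skipped.append(rule.name)
            continue
        operand = lists[rule.operand] if rule.op == "in" else rule.operand
        if OPS[rule.op](value, operand):
            hits.append(rule)
    level = max((r.level for r in hits), key=LEVELS.__getitem__, default=None)
    return {"level": level, "hits": [r.name for r in hits], "skipped": skipped}


def open_case(request_id, result):
    """Create a case record for a high-risk request; marking is left to staff."""
    if result["level"] != "high":
        return None
    return {"request_id": request_id, "rules": result["hits"], "label": None}


# Constructed sample requests, already enriched from the four data sources.
REQUEST_A = {
    "index": {"txn_amount_1d": 25000},
    "external": {"phone_risk_level": "B", "loan_institutions_1d": 1},
    "model": {"loan_issuance_2y": 3},
    "list": {"reserved_phone": "13800000001"},
}
REQUEST_B = {  # external data unavailable for this request
    "index": {"txn_amount_1d": 500},
    "model": {"loan_issuance_2y": 20},
    "list": {"reserved_phone": "13900000009"},
}

if __name__ == "__main__":
    for rid, req in (("A", REQUEST_A), ("B", REQUEST_B)):
        res = evaluate(req)
        print(rid, res, open_case(rid, res))
```

Reporting skipped rules separately lets a reviewer tell a request that passed every rule from one that was never checked against the external data.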
Optionally, the method provided in the embodiment of the present invention further includes: constructing a preset associated network based on a preset data source; the preset association network is a network of association relations between different transaction requests.
Optionally, the preset association network is constructed based on an association graph. As a way of organizing data, the association graph differs from the traditional data mart: the entity nodes in the business data and the association relations between them are abstracted, and the data generated by the business is reorganized as an association network, so that the complex relationships among entity nodes such as persons (identity cards), devices, mobile phone numbers, bank accounts, business orders and addresses are constructed. Based on the constructed association graph, graph theory, graph data mining and graph deep learning algorithms are used to perform topological structure analysis, group discovery, abnormal risk group mining, similar risk group mining and risk propagation on the relationship network in the association graph, so as to identify business risks with complex relational properties.
In the embodiment of the invention, potential group fraud risk events can be found from the established preset association network and the clusters carrying fraud labels in that network, and association relation query and risk identification can be performed for the group to be processed. Deep mining of network information typically begins with computing connected subgraphs, which may reveal fraud networks in financial institution applications with weak social attributes. On this basis, further community discovery can be carried out. Community discovery in the network is not the same as finding connected subgraphs; cohesion is a stricter criterion. In addition, known fraud labels are spread outward by fraud label propagation, or staining, to obtain more fraud labels. For example, one or more online loan applicants use a batch of personal data (their own, that of relatives and friends, or that of other people purchased on the black market) to fabricate production and business projects, transactions, large-value goods, collateral and various supporting materials, apply to financial institutions for business loans, consumer loans or mortgage loans, and directly cause economic loss to the financial institutions. The related fraud groups in such an application environment are identified through association relations and risk mining.
The group fraud event to be processed is an event that has been manually confirmed as a case; it can be entered into case management so that decisions on such cases are made in advance, which greatly reduces the occurrence of online risk events. For example, consumer loans, personal loans and the like obtained under a false stated purpose are transferred, in whole or in part, into another designated account. Once overdue payments or defaults occur on a large scale, the financial institution suffers a loss of funds and systemic risk may even result; this fund pooling phenomenon is one of the group fraud risks. The reasons behind fund pooling are often deceptive practices such as loan agencies, private loans for public use, borrowing between relatives and friends for investment, and staff pursuing task performance indexes. These include loan applications packaged by loan agencies, private loans for public use, borrowing by relatives and friends, and the like. Once the overall economic environment deteriorates, the overdue risk rises rapidly.
The embodiment of the invention provides a case analysis method based on an associated network technology, which realizes all-round analysis of offline and online cases: offline cases can be added manually, and risk events generated online can also be manually converted into cases, which provides a qualitative basis for online case analysis, continuously converts online cases into offline cases, enriches the qualitative basis for risk cases, and realizes all-round case prevention and control both offline and online. Meanwhile, when a case is checked, the risk nodes related to the customer can be queried through the associated network technology, and cases with potential risk are mined quickly. The method provided by the embodiment of the invention also forms an area-based joint prevention and control system across channels, services and scenarios, makes up for the weakness that traditional risk control relies on single-point prevention and control, and mines business risks that traditional risk control does not discover.
Example two:
Fig. 2 is a schematic diagram of a first case analysis system based on an associative network technology according to an embodiment of the present invention. The system includes: an acquisition module 10, a judgment module 20 and a determination module 30.
Specifically, the obtaining module 10 is configured to obtain a target transaction request; the target transaction request is an online transaction.
The judging module 20 is configured to judge whether the target transaction request is a risk request based on a preset case rule.
The determining module 30 is configured to determine, based on a preset association network, a target fraud group having a transaction relationship with the target transaction request if the target transaction request is determined to be a risk request.
The embodiment of the invention provides a case analysis system based on an association network technology, which can determine a target fraud group having a transaction relation with a target transaction request through a preset association network, quickly mine potential risk cases, and continuously convert online cases into offline cases through preset case rules, so that the qualitative basis for risk cases is enriched and the technical problems of poor case rule validity and poor flexibility in the prior art are alleviated.
Optionally, fig. 3 is a schematic diagram of a second case analysis system based on an associative network technology according to an embodiment of the present invention. As shown in fig. 3, the system further includes: a marking module 40, configured to mark a risk level of the target transaction request based on a preset case rule; the risk classes include: high risk requests, medium risk requests, and low risk requests.
Optionally, as shown in fig. 3, the system further includes: a configuration module 50, a build module 60 and a storage module 70.
Specifically, the configuration module 50 is configured to obtain a preset data source; the preset data source comprises: internal data, external data, list data and model data; configuring preset case rules based on a preset data source; the preset case rule is a condition rule which is satisfied by the risk request in the preset data source.
A building module 60, configured to build a preset associated network based on a preset data source; the preset association network is a network of association relations between different transaction requests.
A storage module 70 for storing the target transaction request in the system.
Example three:
Fig. 4 is a schematic diagram of a third case analysis system based on the associative network technology according to an embodiment of the present invention. As shown in fig. 4, the system includes: a model platform 41, a data aggregation module 42, a list management module 43, an index management module 44, a policy management module 45, an association network module 46 and a case management module 47.
Specifically, the model platform 41 is a platform that provides fraud risk quantification models. Models are trained with a combination of supervised and unsupervised machine learning on the transaction feature variables of existing cases and on confirmed case report data, so that the model learns from the case reports which feature values are good and which are bad, identifies what constitutes a bad case, and thereby makes correct risk predictions. Meanwhile, in some scenarios such as transactions and account login, an unsupervised machine learning model is applied, and fraud risk is identified by analyzing the difference between the behavior patterns of fraudulent users and normal users when no "correct answer" label data exists. The platform mainly covers data analysis, feature engineering, model construction, model optimization and bringing the model online.
Specifically, data analysis: model data needing to be trained are subjected to data preprocessing, and data are subjected to quality inspection, data cleaning, data restoration and the like to construct modeling data table information.
Characteristic engineering: the method mainly comprises the steps of feature extraction, feature dimension reduction, feature null value processing, feature conversion (one-hot) and feature normalization; null processing of target values, target value conversion (one-hot); the characteristic value is screened, information such as applicant telephone, applicant working unit, applicant identity card number and the like input in the loan and related to all cases is retained or removed according to the importance degree, meanwhile, the screened characteristic value is derived or converted, and new meaningful characteristics are generated or a new characteristic is formed, such as the identity card number is converted into specific geographic information;
Model construction: after the data preparation work is completed, model development is carried out with an analysis and modeling tool, for example for a pre-loan credit risk assessment model in an online credit business scenario. It mainly consists of model design, model development and model verification. Model design supports selecting a sample window, determining exclusion rules, determining the definitions of good and bad, and the like; model development supports data partitioning and sampling, feature variable binning, variable dimension reduction, model training and the like; model verification supports functions such as model performance reports, model variable correlation checks and population stability checks.
Model optimization: optimization is carried out along a horizontal and a vertical dimension. The horizontal dimension optimizes the same model at different points in time: the performance of the model in various respects may decline as time passes, and once the decline reaches a certain range the model may be at risk of failure. The vertical comparison refers to comparing and replacing different types of models at the same point in time: when different machine learning algorithms are applied to the same sample data, model performance may differ.
Model online: effective features are extracted by analyzing offline data, and after model training and evaluation are completed the model's effect must ultimately be shown to generate value for the business. If the results of the models are needed in policy management, the offline models need to be brought online so that they can provide real-time services.
The data aggregation module 42 supports the integration of third-party data and the bank's own data, and the data provided is compliant, accurate, flexible and stable. Third-party data or data inside the bank is accessed efficiently through the data aggregation function, wherein the third-party data comprises comprehensive anti-fraud scoring data, People's Bank credit report data, risk level list data and multi-head label data; the bank's internal data is, for example, a local database. Case rules can be configured according to the parameter information of the data.
The list management module 43 supports the entry of list data into the system. The policy management module 45 can configure a list policy according to the list data, and the list data can also be updated in return while the policy runs online, so that the list data continuously supports the prevention and control of risk cases; for example: whether the customer's current mobile phone number matches the mobile phone number blacklist, and if so, the request is a high-risk request.
The index management module 44 processes and calculates feature variables using an index engine. Index processing uses the index engine's streaming big-data processing to process, quickly extract and calculate indexes that are time-sequence sensitive or statistical in nature from the bank's huge volume of transaction data; for example, feature quantities such as the accumulation, proportion, variance, mean, sum, count, minimum, standard deviation, skewness, kurtosis and deduplicated count of a user's historical transaction volume in a certain dimension over a certain time interval can be obtained. The index is a basic element for configuring case rules and is used to compute business attribute values for a given subject, such as the transaction amount accumulated by the same customer over the past 1 hour.
The policy management module 45 integrates the indexes, list information, models and external data into a rule set; the multi-dimensional rules run in parallel and complement each other, and the decision engine judges in real time how well the business data matches the rules and models. When rules are triggered, they are summarized, and according to the initially configured rule handling policy and risk level, the rule with the highest priority is selected and the corresponding handling action is executed; a check sheet is then generated from the data that triggered the rule and transmitted to the check platform.
The association network module 46: as a way of organizing data, the association graph differs from the traditional data mart: the entity nodes in the business data and the association relations between them are abstracted, and the data generated by the business is reorganized as a relationship network, so that the complex relationships among entity nodes such as persons (identity cards), devices, mobile phone numbers, bank accounts, business orders and addresses are constructed. Based on the constructed association graph, graph theory, graph data mining and graph deep learning algorithms are used to perform topological structure analysis, group discovery, abnormal risk group mining, similar risk group mining and risk propagation on the relationship network in the association graph, so as to identify business risks with complex relational properties.
Optionally, the association network module 46 is also used for case query and association network result query. Specifically, case query: through the graph database and the scenario relationship configuration, different types of association relations can be queried visually in the platform, such as basic customer relations, fund chain relations, circular guarantee relations, device association relations and customer account relations. For risk cases that have been generated, network data can be extracted directly: a connected subnet is found from nodes in the case's transaction data, such as the address book, emergency contacts and historical transactions, and these nodes are extracted for first-degree and second-degree association query and analysis.
Association network result query: by querying different node dimensions of the association network, the risk nodes of a case can be located accurately and a disposal decision made. For dimensions such as IP, account and device, analyzing the details of the subgraph reveals the corresponding black IP pool, device pool and account pool, and accounts that transfer funds to one another are identified to uncover potential risk cases. For example, when second-degree associations are queried in the association network for an online credit application, the first degree is the contact: the number of applications sharing the same contact with the target application is the first-degree association number, and if those applications share the same address with other applications, those other applications form a second-degree association with the target application. In this way, areas where the network topology is concentrated are found; such areas are often highly correlated with fraudulent behavior and are provided to case handlers for further analysis and processing. During manual processing, simple case feature indexes can be checked, such as whether first-degree or second-degree associated nodes are black; known fraud case labels are then propagated through the network to find more risk points related to the case. The effect is very obvious in actual anti-fraud practice.
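The Python sketch below is an added illustration, not code from the patent, of the three graph operations described for the association network: extracting the connected subgraph around a case, the first-degree (shared contact) and second-degree (shared address) association query, and propagating a known fraud label outward ("staining"). The sample applications, the node naming, the decay factor and the hop limit are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed loan applications and the entity nodes each one references.
APPLICATIONS = {
    "app1": {"contact": "c1", "address": "a1", "device": "d1"},
    "app2": {"contact": "c1", "address": "a2", "device": "d2"},
    "app3": {"contact": "c3", "address": "a2", "device": "d3"},
    "app4": {"contact": "c4", "address": "a4", "device": "d3"},
    "app5": {"contact": "c5", "address": "a5", "device": "d5"},
}
KNOWN_FRAUD = {"app4"}  # constructed: a case already confirmed manually


def build_network(applications):
    """Bipartite graph: application ids (str) <-> entity nodes (kind, value)."""
    graph = defaultdict(set)
    for app, entities in applications.items():
        graph[app]  # keep applications that share nothing with anyone
        for kind, value in entities.items():
            graph[app].add((kind, value))
            graph[(kind, value)].add(app)
    return dict(graph)


def linked_apps(graph, app, kinds=None):
    """Applications sharing at least one entity node of the given kinds."""
    out = set()
    for node in graph[app]:
        if kinds is None or node[0] in kinds:
            out |= graph[node]
    out.discard(app)
    return out


def connected_subgraph(graph, start):
    """All applications reachable from `start` through any shared entity."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {n for n in seen if isinstance(n, str)}


def degree_associations(graph, target, first=("contact",), second=("address",)):
    """First degree: same contact as target. Second degree: same address as
    a first-degree application (target and first-degree ones excluded)."""
    first_apps = linked_apps(graph, target, first)
    second_apps = set()
    for app in first_apps:
        second_apps |= linked_apps(graph, app, second)
    second_apps -= first_apps | {target}
    return first_apps, second_apps


def stain(graph, seeds, decay=0.5, max_hops=2):
    """Spread known fraud labels outward; score = decay ** hops from a seed."""
    scores = {seed: 1.0 for seed in seeds}
    frontier = set(seeds)
    for hop in range(1, max_hops + 1):
        reached = set()
        for app in frontier:
            reached |= linked_apps(graph, app)
        reached.difference_update(scores)  # keep the shortest-path score
        for app in reached:
            scores[app] = decay ** hop
        frontier = reached
    return scores


if __name__ == "__main__":
    g = build_network(APPLICATIONS)
    print("connected subgraph of app1:", sorted(connected_subgraph(g, "app1")))
    print("1st/2nd degree of app1:", degree_associations(g, "app1"))
    print("stain scores:", stain(g, KNOWN_FRAUD))
```

The hop limit matters in practice: app1 sits in the same connected subgraph as the confirmed fraud case but is three hops away, so it receives no stain score and is left to the first- and second-degree review.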
Case management module 47: cases generated offline can be entered into the system, and the pre-entered case data can be used by the model platform to train on case features and can also supply network data to the relationship network, so that it serves as a basis for judgment when a newly received risk case is checked. When a case is checked and analyzed, the module not only supports querying the suspicious points of the current user, but can also, by means of the association network platform, query node information having various association relations with the customer, including checks along dimensions such as the historical transactions associated with the customer, whether closely related persons are blacklisted, and the association relations between counterparty accounts, so that the case is determined accurately and the occurrence of cases is reduced or even prevented in time.
The embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and capable of running on the processor, and when the processor executes the computer program, the steps of the method in the first embodiment are implemented.
The embodiment of the invention also provides a computer readable medium with a non-volatile program code executable by a processor, wherein the program code causes the processor to execute the method in the first embodiment.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.