CN111327572B

CN111327572B - Account behavior identification method, device and storage medium

Info

Publication number: CN111327572B
Application number: CN201811535116.XA
Authority: CN
Inventors: 陶嘉羚; 熊涛; 杨怡蕙
Original assignee: Alibaba Group Holding Ltd
Current assignee: Alibaba Group Holding Ltd
Priority date: 2018-12-14
Filing date: 2018-12-14
Publication date: 2022-08-09
Anticipated expiration: 2038-12-14
Also published as: CN111327572A

Abstract

The embodiment of the application provides an account behavior identification method, equipment and a storage medium. In the embodiment of the application, according to log data of the electronic account to be identified in a certain time period, at least one piece of user side information initiating at least one event to the electronic account to be identified in the time period can be obtained, and whether the electronic account to be identified has an appointed use behavior or not can be identified based on the difference of the user side information in the time period, so that the identification precision can be improved, and the risk brought by abnormal use of the electronic account can be reduced.

Description

Account behavior identification method, device and storage medium

Technical Field

The present application relates to the field of data processing technologies, and in particular, to an account behavior identification method, device, and storage medium.

Background

With the development of internet technology, internet applications are increasing. Users often need to register an electronic account using internet applications. For example, a user shopping on an e-commerce platform requires the use of a shopping account, a user using taxi-taking software to taxi requires the use of a taxi-taking account number, and so on.

The use of electronic accounts is becoming more common, and the cases of unreasonable and even illegal use of electronic accounts are increasing. The abnormal use of the electronic account may cause problems of information leakage, system security, economic loss and the like. Therefore, there is a need to provide a solution for identifying usage behavior of an electronic account.

Disclosure of Invention

Various aspects of the present application provide an account behavior identification method, an account behavior identification device, and a storage medium, which are used to accurately identify a usage behavior of an electronic account, improve identification accuracy, and reduce a risk caused by abnormal usage of the electronic account.

The embodiment of the application provides an account behavior identification method, which comprises the following steps: acquiring log data of an electronic account to be identified in a first specified time period; determining at least one piece of user side information initiating at least one event to the electronic account to be identified in a first specified time period according to log data of the electronic account to be identified in the first specified time period; identifying a difference existing between at least one piece of user side information initiating at least one event for the electronic account to be identified within the first specified time period; and if the difference meets the differentiation requirement corresponding to the specified use behavior, judging that the specified use behavior occurs to the electronic account to be identified in the first specified time period.

An embodiment of the present application further provides a computing device, including: a memory and a processor; the memory for storing a computer program; the processor to execute the computer program to: acquiring log data of an electronic account to be identified in a first specified time period; determining at least one piece of user side information initiating at least one event to the electronic account in a first specified time period according to log data of the electronic account to be identified in the first specified time period; identifying a difference existing between at least one piece of user side information initiating at least one event for the electronic account to be identified within the first time period; and if the difference meets the differentiation requirement corresponding to the specified use behavior, judging that the specified use behavior occurs to the electronic account to be identified in the first specified time period.

Embodiments of the present application also provide a computer-readable storage medium storing a computer program, which, when executed by a processor, causes the processor to implement the steps in the above-mentioned method embodiments.

In the embodiment of the application, according to log data of the electronic account to be identified in a certain time period, at least one piece of user side information initiating at least one event to the electronic account to be identified in the time period can be obtained, and whether the electronic account to be identified has an appointed use behavior or not can be identified based on the difference of the user side information in the time period, so that the identification precision can be improved, and the risk caused by abnormal use of the electronic account can be reduced.

Further, in the embodiment of the application, the RNN algorithm or the text-CNN algorithm may be used to extract the time sequence characteristics of the user side information, and the time sequence characteristics of the user side information are further summarized in combination with an attention mechanism, which is beneficial to identifying more subtle abnormality of the electronic account.

Furthermore, the interpretability of the recognition result is provided by combining the attention weight in the attention mechanism, the specified use behavior of the electronic account can be well explained when and why the specified use behavior occurs, and the like.

Drawings

The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:

fig. 1a is a schematic architecture diagram of an application system including two terminals according to an exemplary embodiment of the present application;

FIG. 1b is a schematic diagram of an architecture of an application system including three terminals according to an exemplary embodiment of the present application;

FIG. 2a is a schematic diagram of a system architecture for providing an electronic account identification service for the application system shown in FIG. 1a according to an exemplary embodiment of the present application;

FIG. 2b is a schematic diagram of a system architecture for providing an electronic account identification service for the application system shown in FIG. 1b according to an exemplary embodiment of the present application;

fig. 3a is a schematic flowchart of an account behavior identification method according to an exemplary embodiment of the present application;

FIG. 3b is a flowchart illustrating another method for identifying account behavior according to an exemplary embodiment of the present disclosure;

FIG. 3c is a flowchart illustrating a further method for identifying account behavior according to an exemplary embodiment of the present application;

FIG. 3d is a schematic diagram of a deep learning framework provided by an exemplary embodiment of the present application;

FIG. 4a is a diagram illustrating a visual list of explanatory information provided by an exemplary embodiment of the present application;

FIG. 4b is a partial schematic view of an electronic account relationship network provided by an exemplary embodiment of the present application;

fig. 5 is a schematic structural diagram of a computing device according to an exemplary embodiment of the present application.

Detailed Description

In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only a few embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.

Fig. 1a is a schematic architecture diagram of an application system including two terminals according to an exemplary embodiment of the present application. As shown in fig. 1a, the application system 10 includes: a terminal device 101 and a server 102. Wherein, the terminal device 101 and the server 102 may be connected by a wired or wireless network.

In this embodiment, the terminal device 101 is a computer device used by a user and having functions of computing, accessing internet, communicating, and the like required by the user. For example, the terminal device 101 may be a smartphone, a tablet, a wearable device, or the like. The server 102 is a platform designed by combining hardware and software to meet the data processing requirements of the terminal device 101, and generally includes a processor, a hard disk, a memory, a system bus, and the like, similar to a general computer architecture. The server 102 may provide the terminal device 101 with a corresponding service in response to a request from the terminal device 101, for example, providing resources to the terminal device 101, storing data of the terminal device 101, and so on.

In the present embodiment, the user needs to register an electronic account with the server 102 through the terminal apparatus 101 in advance. The server 102 may manage the user based on the electronic account registered by the user and provide the user with corresponding services. It is necessary for the terminal apparatus 101 to log in to the server 102 based on the registered electronic account in advance before using the service provided by the server 102.

It should be noted that the service that the server 102 can provide for the terminal device 101 may be different according to different application scenarios. For example, the server 102 may be a game-like server, an e-commerce-like server, an instant messaging-like server, and the like.

Taking an online game scenario as an example, a user may log in to the server 102 using a pre-registered electronic account, and after successfully logging in to the server 102, may obtain a game service provided by the server 102, and then play a game online through the terminal device 101.

Taking an online payment scenario as an example, a user may log in to the server 102 by using a pre-registered electronic account, and after successfully logging in to the server 102, may use an online payment service provided by the server 102, and then perform online payment through the terminal device 101.

In any application scenario, in practical applications, a user may resell his electronic account to another user, or lend his electronic account to another user for use. For example, the game account of the user has higher level and higher value, and the game account of the user can be sold to other users. For another example, the friend or family of the user does not have a payment account, and the user can tell the friend or family the payment account of the user, and the friend or family can complete online payment on the terminal device of the user through the payment account.

Fig. 1b is a schematic diagram of an architecture of an application system including three terminals according to an exemplary embodiment of the present application. As shown in fig. 1b, the application system 20 includes: a first terminal device 201, a second terminal device 202 and a server 203. The first terminal device 201, the second terminal device 202 and the server 203 may be connected by a wired or wireless network.

In this embodiment, the first terminal 201 refers to a computer device used by the first type of user and having functions of computing, accessing internet, communicating and the like required by the first type of user. Similarly, the second terminal 202 refers to a computer device used by the second type of user and having functions of computing, accessing internet, communicating and the like required by the second type of user. For example, the first terminal device 201 or the second terminal device 202 may be a smart phone, a tablet computer, a wearable device, or the like. Wherein the first class of users are service users and the second class of users are service providers.

The server 203 is a service platform between the two types of users and is responsible for opening a channel between the first type of users and the second type of users. In this embodiment, the server 203 may provide the service provided by the second terminal device 202 to the first terminal device 201, may also provide the requirement of the first terminal device 201 to the second terminal device 202, and may respond to the relevant request of the first terminal device 201 and/or the second terminal device 202.

In this embodiment, a first type of user needs to register an electronic account with the server 203 through the first terminal device 201 in advance; similarly, the second type of user also needs to register the electronic account with the server 203 through the second terminal device 202 in advance. The server 203 may manage the first type of user and the second type of user based on the electronic accounts registered by the two types of users respectively and provide corresponding services. The first terminal device 201 logs in the server 203 using a pre-registered electronic account, and further, the server 203 may obtain a service provided by the second terminal device 202. Similarly, the second terminal device 202 also needs to log in the server 203 using the pre-registered electronic account, and further obtains the service requirement of the first terminal device 201 through the server 203.

It should be noted that the application systems implemented by the first terminal device 201, the second terminal device 202, and the server 203 may be different according to different application scenarios.

For example, in the taxi taking system, the first terminal device 201 may be a terminal device of a taxi taking user, the second terminal device 202 may be a terminal device of a driver, and the server 203 is mainly responsible for communicating a communication channel between the taxi taking user and the driver, managing information of the taxi taking user, the driver and the like, dimension, other matters related to taxi taking and the like.

For another example, in the e-commerce system, the first terminal device 201 may be a terminal device of a buyer, the second terminal device 202 may be a terminal device of a seller, and the server 203 is mainly responsible for opening a communication channel between the buyer and the seller, managing and maintaining information such as the buyer and the buyer, and other transactions related to transactions between the buyer and the seller.

For another example, in the home service system, the first terminal device 201 may be a terminal device of a home requirement user, the second terminal device 202 may be a terminal device of a home service staff, and the server 203 is mainly responsible for opening a communication channel between the home requirement user and the home service staff, managing information of the home requirement user, the home service staff, and other matters related to the home service.

No matter which application scenario is described above, in practical application, it is possible for users of the first category to lend their own electronic account to other users for use; for the second kind of users, it is possible not only to lend the own electronic account to other users for use, but also to resell the own electronic account to other users. For example, in an e-commerce system, seller a may resell an electronic account to seller B, so that seller a may earn revenue from the reselling account, and seller B may earn profits for seller B by virtue of some of the original advantages of the electronic account (e.g., diamond rating, public praise, etc.). For another example, in the housekeeping service system, the housekeeping service staff C may resell the electronic account to the housekeeping service staff D, so that the housekeeping service staff C can obtain profits from the reselling account, and the housekeeping service staff D may benefit themselves by virtue of some original advantages of the electronic account (e.g., account level, goodness, service life, existing user information).

From the above, no matter what application system architecture, any system involving an electronic account may face the situation of unreasonable or even illegal use of the electronic account. Unreasonable even illegal use behaviors of the electronic account not only can increase the management difficulty of the server on the electronic account and increase the supervision cost, but also can possibly become a source of a network black industrial chain, and bring about problems of fraud, counterfeit goods, information leakage, system safety, economic loss and the like.

In order to solve the above problems, in some embodiments of the present application, user side information of an event initiated by an electronic account to be identified in a certain time period can be obtained according to log data of the electronic account to be identified in the time period, and then whether an electronic account to be identified has an appointed use behavior can be identified based on a difference between the user side information in the time period, so as to achieve an aim of identifying the use behavior of the electronic account, which is beneficial to improving identification accuracy and reducing a risk caused by abnormal use of the electronic account.

It should be noted that the solution provided in the embodiment of the present application may be directly deployed in the server 202 in the application system 10 shown in fig. 1a or directly deployed in the server 203 in the application system 20 shown in fig. 1 b. In addition, the solution provided by the embodiment of the present application may also be deployed separately, for example, on one computing device, and used by the application system 10 of fig. 1a or the application system 20 of fig. 1b in a service manner. As shown in fig. 2a and fig. 2b, the solution provided by the embodiment of the present application is deployed on a computing device 300, and the computing device 300 is in communication connection with a server 202 in the application system 10 and a server 203 in the application system 20, respectively, so as to provide a service for identifying an electronic account usage behavior for the server 202 or the server 203.

It is worthy to note that computing device 300 may be any computing device having some computing capability and communications capabilities. In some alternative embodiments, the computing device 300 may be a terminal device, such as a smartphone, a tablet, a personal computer, a tablet two-in-one ultrabook, and so on. In other alternative embodiments, the computing device 300 may be a server device, such as a server device that may be a conventional server, a cloud host, a virtual center, or the like.

The process of identifying the usage behavior of the electronic account is similar regardless of the above deployment embodiments, and is described in detail below by way of method examples.

Fig. 3a is a schematic flowchart of an account behavior identification method according to an exemplary embodiment of the present application. The execution subject of this embodiment may be the server in fig. 1a or fig. 1b, or may also be the computing device in fig. 2a and fig. 2 b. In the following embodiments, operations that differ depending on execution subjects will be specifically described, and operations that are not specifically described mean the same for various execution subjects. As shown in fig. 3a, the account behavior identification method provided in this embodiment includes the following steps:

301. acquiring log data of the electronic account to be identified in a first designated time period.

302. And determining at least one user side information initiating at least one event to the electronic account to be identified in the first appointed time period according to the log data of the electronic account to be identified in the first appointed time period.

303. The method comprises the steps of identifying a difference existing between at least one piece of user side information initiating at least one event for an electronic account to be identified within a first specified time period.

304. If the difference identified in step 303 meets the differentiation requirement corresponding to the specified usage behavior, it is determined that the specified usage behavior occurs in the electronic account to be identified within the first specified time period.

In step 301, the electronic account to be identified refers to an electronic account that needs to be identified by using behavior.

In an optional embodiment, the electronic account to be identified may be any electronic account in the application system.

For example, when a user logs in the server in fig. 1a or 1b using an electronic account, the server in fig. 1a or 1b may use the electronic account currently applying for logging in as the electronic account to be identified, and execute the method flow shown in fig. 3a to identify the usage behavior of the electronic account to be identified; alternatively, the server in fig. 1a or fig. 1b may use the electronic account currently applying for login as the electronic account to be recognized, and then request the computing device in fig. 2a or fig. 2b to perform the identification of the usage behavior of the electronic account to be recognized by the method flow shown in fig. 3 a.

For another example, the server in fig. 1a or fig. 1b may periodically execute the method flow shown in fig. 3a to identify the usage behavior of each electronic account in the system, in this embodiment, each electronic account in the system is respectively used as the electronic account to be identified. Alternatively, the server in fig. 1a or fig. 1b may use each electronic account in the system as an electronic account to be identified, and periodically request the computing device in fig. 2a or fig. 2b to execute the method flow shown in fig. 3a to identify the usage behavior of each electronic account.

In another alternative embodiment, the electronic account to be identified may be an electronic account in which an abnormal situation occurs in the application system.

For example, the electronic account to be identified may be an electronic account that is not verified at the time of login, and the server in fig. 1a or fig. 1b may use the electronic account that is not verified at the time of login as the electronic account to be identified, and execute the method flow shown in fig. 3a to identify the usage behavior of the electronic account to be identified; alternatively, the server in fig. 1a or fig. 1b may use the electronic account that is not authenticated at login as the electronic account to be identified, and then request the computing device in fig. 2a or fig. 2b to execute the method flow shown in fig. 3a to identify the usage behavior of the electronic account to be identified.

For another example, the electronic account to be recognized may be an electronic account that is different from the device used for logging in this time, and the server in fig. 1a or fig. 1b may use the electronic account that is different from the device used for logging in this time as the electronic account to be recognized, and execute the method flow shown in fig. 3a to recognize the usage behavior of the electronic account to be recognized; alternatively, the server in fig. 1a or fig. 1b may use the electronic account that is logged in for a different time from the electronic account that was last logged in for use as the electronic account to be recognized, and then request the computing device in fig. 2a or fig. 2b to perform the identification of the usage behavior of the electronic account to be recognized by the method flow shown in fig. 3 a.

Optionally, when a certain electronic account initiates a login request to the server in fig. 1a or 1b, the server in fig. 1a or 1b may determine whether the device used by the electronic account for login is the same as the device used by login before; if the electronic account is not the same as the electronic account to be recognized, the server in fig. 1a or 1b regards the electronic account as the electronic account to be recognized before the electronic account is allowed to be successfully logged in, the server in fig. 1a or 1b or the computing device in fig. 2a or 2b executes the method flow shown in fig. 3a to recognize the usage behavior of the electronic account to be recognized, and the electronic account to be recognized is allowed to be successfully logged in if the specified usage behavior of the electronic account to be recognized does not occur. Of course, the process of identifying the usage behavior of the electronic account and the login process of the electronic account may also be executed in parallel, which are independent of each other, and the login result of the electronic account is not affected by the process of identifying the usage behavior.

For another example, the electronic account to be identified may be an electronic account in which a high-risk event such as password modification and bank card unbinding occurs, and the server in fig. 1a or 1b may use the electronic account in which the high-risk event occurs as the electronic account to be identified, and execute the method flow shown in fig. 3a to identify the usage behavior of the electronic account to be identified; alternatively, the server in fig. 1a or fig. 1b may use the electronic account with a high risk event as the electronic account to be identified, and then request the computing device in fig. 2a or fig. 2b to perform the identification of the usage behavior of the electronic account to be identified by the method flow shown in fig. 3 a. Similarly, optionally, the process of identifying the usage behavior of the electronic account may be performed during the process of generating high-risk events such as password modification and bank card unbinding of the electronic account, and the result of generating high-risk events such as password modification and bank card unbinding of the electronic account is affected by the process of identifying the usage behavior of the electronic account. Or, the process of identifying the use behavior of the electronic account and the process of generating the high-risk event such as password modification, bank card unbinding and the like of the electronic account can be executed in parallel and are independent of each other, and the result of the high-risk event such as password modification, bank card unbinding and the like of the electronic account is not influenced by the process of identifying the use behavior of the electronic account.

In addition to the above examples, the electronic account to be identified may also be a complaint electronic account, or a badly rated electronic account, or the like.

In yet another alternative embodiment, the electronic account to be identified may be an electronic account designated in the application system.

For example, the electronic account to be recognized may be an electronic account with a higher user level (for example, greater than a set level threshold) in the application system, and the server in fig. 1a or 1b may use the electronic account with the higher user level as the electronic account to be recognized when the electronic account with the higher user level logs in, and execute the identification of the usage behavior of the electronic account to be recognized by the method flow shown in fig. 3 a; alternatively, the server in fig. 1a or fig. 1b may also periodically execute the method flow shown in fig. 3a to identify the usage behavior of the electronic accounts with higher user levels; alternatively, the server in fig. 1a or fig. 1b may also use these electronic accounts with higher user rank as the electronic account to be identified, and then request the computing device in fig. 2a or fig. 2b to execute the identification of the usage behavior of the electronic account to be identified by the method flow shown in fig. 3 a.

For another example, the electronic account to be identified may be an electronic account with a higher value in the application system, wherein the value of the electronic account may be evaluated from aspects such as the age of the electronic account, the level of the electronic account, the attractiveness of the electronic account to the user, and the like. For example, the higher the level of a gaming account, the more gaming equipment that the account can use, the higher the value of the account. Based on this, the server in fig. 1a or fig. 1b may, when the electronic account with higher value logs in, take the electronic account with higher value as the electronic account to be identified, and execute the method flow shown in fig. 3a to identify the usage behavior of the electronic account to be identified; alternatively, the server in fig. 1a or fig. 1b may also periodically execute the method flow shown in fig. 3a to identify the usage behavior of the electronic accounts with higher value; alternatively, the server in fig. 1a or fig. 1b may also use these higher-value electronic accounts as the electronic account to be identified, and then request the computing device in fig. 2a or fig. 2b to execute the method flow shown in fig. 3a to identify the usage behavior of the electronic account to be identified.

In step 301, after determining the electronic account to be identified, log data of the electronic account to be identified within a first specified time period may be acquired. The first specified time period may be a period of time before the current time, and the time length thereof may be flexibly set according to an application scenario, for example, the time period may be half a month, two weeks, ten days, three days, or even hours or even minutes.

For the server in fig. 1a or fig. 1b, the log data of the electronic account to be identified in the first specified time period may be directly obtained from the log data of each electronic account. For the computing device in fig. 2a or fig. 2b, log data of the electronic account to be identified within a first specified time period may be obtained from the server in fig. 1a or fig. 1 b. For example, the computing device in fig. 2a or fig. 2b may access the server in fig. 1a or fig. 1b, requesting log data of the electronic account to be identified for a first specified time period therefrom; alternatively, the server in fig. 1a or fig. 1b may also directly send the log data of the electronic account to be identified in the first specified time period to the computing device.

The log data of the electronic account to be identified in the first specified time period records an event initiated by the user in the first specified time period, the time of initiating the event, and user side information for initiating the event to the electronic account to be identified. In the embodiment of the application, "event" refers to an operation initiated by a user and related to an electronic account to be identified. These events may include, but are not limited to: login success, login failure, password modification, identity verification, real-name authentication, bank card unbinding, new bank card rebinding, address modification, contact information modification, bound equipment information modification and the like. The user side information for the electronic account initiating event to be identified is some information that can reflect the user for the electronic account initiating event to be identified, and may include, for example, information of a device used by the user, information of a network environment used by the user, information of a location where the user is located, and the like.

In step 302, at least one piece of user side information initiating at least one event to the electronic account to be identified within a first specified time period may be determined according to log data of the electronic account to be identified within the first specified time period. For example, the user side information may include: the method comprises the steps that a user initiates equipment information used when an event is initiated on an electronic account to be identified, network environment information used by the user and the like.

In the first designated time period, the user may initiate one event or multiple events (two or more events) for the electronic account to be identified. The term "user" is used broadly and is not meant to refer to a specific user. In other words, the users initiating the event of the electronic account to be identified may be the same user or different users within the first specified time period, in this embodiment of the present application, the users initiating the event of the electronic account to be identified are mainly represented according to the user side information, and if the user side information is the same, the users initiating the event of the electronic account to be identified are considered to be the same.

Each event corresponds to user side information. For different events, the corresponding ue information may be the same or different. For example, a user may initiate multiple events, such as login, password modification, and real-name authentication, on an electronic account to be identified using the same device and the same network environment. Of course, the user may go on business with his own computer, and the network environment of the place of business is different from the network environment of the company or the home, so it is possible to use the same device and different network environments to initiate login and other related events to the electronic account to be identified. In addition, the user may also initiate a login or other related event to the electronic account to be identified using a different device and a different network environment. For example, a user may initiate a login and other related events to an electronic account to be identified using his/her own computer and home network environment at home, or may initiate a login and other related events to an electronic account to be identified using his/her company computer and network environment at work.

It should be noted that, if the user's usage behavior is the same, what kind of device and what kind of network environment the user uses to initiate a corresponding event to the electronic account to be identified may have a certain rule in time.

Generally, the client information for initiating events for the electronic account and the regularity of the events initiated by the client information are different or changed for the same electronic account under different usage behaviors. On the contrary, under the same usage behavior of the same electronic account, the client information initiating the event for the electronic account and the regularity of the event initiated by using the client information do not change or change too much. Usage behavior herein refers to usage behavior for an electronic account and may include, but is not limited to: the method comprises the following steps of a behavior that a registered user uses an electronic account by himself, a behavior that the registered user debits the electronic account to other users, a behavior that the registered user resells the electronic account to other users, and the like.

Based on the above analysis, in

steps

303 and 304 of the present embodiment, a difference between the user side information of the electronic account initiating event to be identified within the first specified time period may be identified; comparing the difference with a differentiation requirement corresponding to the specified using behavior; if the difference meets the differentiation requirement corresponding to the specified use behavior, the electronic account to be identified can be judged to have the specified use behavior within a first specified time period; otherwise, if the difference does not meet the differentiation requirement corresponding to the specified usage behavior, it may be determined that the specified usage behavior does not occur in the electronic account to be recognized within the first specified time period. The difference here may include a difference between the ue information itself and also a difference occurring in the occurrence rule of the ue information.

It should be noted that, according to the difference of the designated usage behaviors, the differentiation requirements corresponding to the designated usage behaviors may also be different. For example, if the electronic account is reselling, the device and network environment used by the user of the electronic account will change before and after reselling, so that the corresponding differentiation requirement can limit the change of the device information and the network environment information requirement for initiating the event to the electronic account when the specified usage behavior is reselling. Of course, the usage-specific behavior may be lending behavior in addition to resale behavior. The resale behavior of the electronic account refers to a behavior that an actual owner of the electronic account changes; accordingly, the loan behavior of the electronic account refers to the behavior that the actual owner of the electronic account has not changed, but the user of the electronic account has changed within a certain time.

In this embodiment, according to log data of the electronic account to be identified in a certain time period, at least one piece of user side information initiating at least one event to the electronic account to be identified in the time period can be obtained, and further, whether the electronic account to be identified has an appointed use behavior or not can be identified based on a difference between the user side information in the time period, which is beneficial to improving identification accuracy and reducing risks caused by abnormal use of the electronic account.

It should be noted that the scheme for identifying the usage behavior of the electronic account provided in the embodiment of the present application may be executed as needed, or may set a period, and execute the scheme cyclically according to the set period, so that the usage behavior of the electronic account may be identified periodically, which is convenient for discovering an abnormality occurring in the usage behavior of the electronic account in time, and reduces a risk brought by abnormal usage of the electronic account.

In the embodiment of the present application, it is considered that the types of the user-side information are many, and the processing complexity of different information is generally different. Therefore, in an optional embodiment, the device information and the network environment information used by the user when initiating the event for the to-be-identified electronic account are selected to be used as the user side information. Further, the device information may optionally be information that can uniquely identify the device, such as an ID or a MAC address of the device used by the user. Accordingly, the network environment information may be any information capable of embodying the network environment used by the user when initiating an event for the to-be-recognized electronic account, and may be, for example, an IP address of a device used by the user. Still further, to reduce the amount of computation, the first three segments of the IP address may be used instead of the complete IP address information.

On the basis of the device information and the network environment information, the time sequence of the log data is further considered, so that the time sequence log data can be acquired to finely depict events, device information and network environment information related to the electronic account to be identified and regularity of the events, the device information and the network environment information in time. Based on this, in some embodiments of the application, the sequence of the electronic account to be identified in three dimensions, namely, the event, the device information and the network environment information, may be split from the log data according to the time sequence, and the time sequence characteristics of the three sequences are extracted by using an RNN algorithm or a text-CNN (text-CNN) algorithm and propagated, so as to identify the slight change of the electronic account to be identified in the use behavior, thereby achieving the purpose of identifying whether the electronic account to be identified has the designated use behavior. As shown in fig. 3b, the account behavior recognition method provided by these exemplary embodiments includes the following steps:

30a, acquiring log data of the electronic account to be identified in a first designated time period.

30b, according to the log data of the electronic account to be identified in the first appointed time period, generating an event sequence initiated by the user in the first appointed time period, and an equipment information sequence and a network environment information sequence which correspond to the event sequence.

The event sequence comprises at least one event initiated by a user to the electronic account to be identified in a first designated time period, and the at least one event is sequentially sequenced according to initiation time to form the event sequence. The device information sequence and the network environment information sequence respectively comprise at least one piece of device information and at least one piece of network environment information which are correspondingly used when a user initiates at least one event contained in the event sequence; the user side information comprises equipment information and network environment information corresponding to the equipment information. The event sequence, the device information sequence and the network environment information sequence all belong to a time sequence.

And 30c, respectively carrying out vectorization processing on the equipment information sequence and the network environment information sequence to obtain an equipment information vectorization sequence and a network environment information vectorization sequence.

And 30d, respectively extracting the equipment information characteristic sequence and the network environment information characteristic sequence from the equipment information vectorization sequence and the network environment information vectorization sequence by utilizing an RNN algorithm or a text-CNN algorithm.

Optionally, the RNN algorithm may be used to perform deep learning on the device information vectorization sequence and the network environment information vectorization sequence in time, so as to extract the time sequence features in the device information vectorization sequence and the network environment information vectorization sequence to form a device information feature sequence and a network environment information feature sequence.

Optionally, wherein the text-CNN algorithm is an algorithm for classifying texts using a convolutional neural network. In this embodiment, the text-CNN algorithm may be used to extract the time sequence features in the device information vectorization sequence and the network environment information vectorization sequence, respectively, to form a device information feature sequence and a network environment information feature sequence.

And 30e, judging whether the electronic account to be identified has the appointed use behavior within the first appointed time period according to the equipment information characteristic sequence and the network environment information characteristic sequence.

Optionally, in step 30e, the device information feature sequence and the network environment information feature sequence may be integrated by using a full link in the RNN algorithm or the text-CNN algorithm, and a two-dimensional value is obtained by performing weighted summation on the device information feature sequence and the network environment information feature sequence; comparing the two-dimensional value with a set numerical threshold; if the two-dimensional value is smaller than a set numerical threshold, the difference existing between the user side information does not accord with the differentiation requirement corresponding to the appointed using behavior, and the electronic account to be identified is judged not to have the appointed using behavior within a first appointed time period; otherwise, if the two-dimensional value is greater than or equal to the set numerical threshold, which indicates that the difference between the user side information meets the differentiation requirement corresponding to the specified using behavior, it is determined that the specified using behavior of the electronic account to be identified occurs within the first specified time period.

Alternatively, the above-mentioned full link layer may be a single layer or a plurality of layers.

In practical application, many merchants can associate many devices due to normal operation requirements, register a plurality of electronic accounts, set office points in a plurality of cities, and frequently make business trips, and for such a situation, if whether the electronic accounts are abnormal is judged based on whether login devices change or whether the used network environment changes, misjudgment is easy to occur, and unreasonable misjudgment and mispenalty are caused to the electronic accounts or the merchants thereof. However, in this embodiment, instead of simply using whether some information has a change, the device information and the network environment information of the event initiated by the electronic account to be recognized are used at the same time, and the characteristics of these pieces of information in time sequence are combined to comprehensively recognize the usage behavior of the electronic account to be recognized, which is beneficial to recognizing the more subtle differences of the usage behavior of the electronic account to be recognized, and is beneficial to improving the recognition accuracy and reducing the accidental injury rate.

Further, on the basis of the RNN algorithm or the text-CNN algorithm, in order to enhance the interpretability of the algorithm recognition result so as to provide a reasonable explanation of the recognition result to the relevant person, and further if the customer service person can deal with the relevant complaint based on the explanation, in some exemplary implementations of the present application, a deep learning technique may be employed to combine the RNN algorithm or the text-CNN algorithm with an attention mechanism, so that on one hand, the RNN algorithm or the text-CNN algorithm is used to propagate the time characteristics of the three sequences, on the other hand, the attention mechanism is used to summarize information, and the interpretability of the recognition result is provided by the attention weight in the attention mechanism. The deep learning framework provided in this embodiment is shown in fig. 3d, and an RNN algorithm is taken as an example in fig. 3 d. On the basis of the deep learning framework shown in fig. 3d, as shown in fig. 3c, the account behavior recognition method provided by the exemplary embodiments includes the following steps:

31a, acquiring log data of the electronic account to be identified in a first designated time period.

31b, generating an event sequence initiated by the user in the first specified time period for the electronic account to be identified, and an equipment information sequence and a network environment information sequence corresponding to the event sequence according to the log data of the electronic account to be identified in the first specified time period.

The device information sequence and the network environment information sequence respectively comprise at least one piece of device information and at least one piece of network environment information which are correspondingly used when a user initiates at least one event contained in the event sequence; the user side information comprises equipment information and network environment information corresponding to the equipment information.

31c, respectively carrying out vectorization processing on the equipment information sequence, the network environment information sequence and the event sequence to obtain an equipment information vectorization sequence, a network environment information vectorization sequence and an event vectorization sequence.

And 31d, respectively extracting time sequence characteristics from the equipment information vectorization sequence, the network environment information vectorization sequence and the event vectorization sequence by utilizing an RNN algorithm or a text-CNN algorithm to obtain an equipment information characteristic sequence, a network environment information characteristic sequence and an event characteristic sequence.

31e, distributing first layer attention weights for vector values at the same time in the event characteristic sequence, the equipment information characteristic sequence and the network environment information characteristic sequence by using a first layer attention mechanism, and performing weighted summation to obtain a summarized vectorization sequence; each first-level attention weight represents the interpretation strength of the corresponding vector value of the electronic account to be identified on why the specified usage behavior occurs.

In the first-layer attention mechanism, if the vector value at a certain moment is different from the vector values at other moments in the same feature sequence, the corresponding first-layer attention weight is larger, which means that the vector value is likely to be the main reason for the occurrence of the specified use behavior.

31f, distributing second-layer attention weights for vector values at all times in the summarized vectorization sequence by using a second-layer attention system, and performing weighted summation to obtain a summarized vector; each second-tier attention weight represents the degree of interpretation of when a specified usage behavior occurs for the electronic account to be identified at its corresponding time.

In the second-tier attentiveness mechanism, in the aggregated vectorization sequence, if the difference between the vector value at a certain time and the vector values at other times is larger, the corresponding second-tier attentiveness weight is larger, which means that the time is likely to be the occurrence time of the designated usage behavior.

Optionally, as shown in fig. 3d, before performing the second layer attention mechanism, the summed vectorization sequences may also be subjected to weighted summation, and then RNN processing is performed again to further extract the time-series characteristics of the summed vectorization sequences.

It is noted that in steps 31e and 31f, a two-layer attention mechanism is used, but not limited thereto, and three or more layers of attention mechanisms may be used. The event characteristic sequence, the equipment information characteristic sequence and the network environment information characteristic sequence are subjected to interpretable analysis by adopting an attention mechanism, so that interpretation information of the specified use behaviors in the dimensions of time, events, equipment information and network environment information can be obtained.

And 31g, judging whether the electronic account to be identified has the appointed use behavior in the first appointed time period based on the summarized vector.

Optionally, in step 31g, the aggregated vectors may be integrated by using a full link in the RNN algorithm or the text-CNN algorithm, and a two-dimensional value is obtained by performing weighted summation on the integrated vectors; comparing the two-dimensional value with a set numerical threshold; if the two-dimensional value is smaller than a set numerical threshold, the difference existing between the user side information does not accord with the differentiation requirement corresponding to the appointed using behavior, and the electronic account to be identified is judged not to have the appointed using behavior within a first appointed time period; otherwise, if the two-dimensional value is greater than or equal to the set numerical threshold, which indicates that the difference between the user side information meets the differentiation requirement corresponding to the specified using behavior, it is determined that the specified using behavior of the electronic account to be identified occurs within the first specified time period. Alternatively, the above-mentioned full link layer may be a single layer or a plurality of layers.

Further, in some embodiments of the present application, the interpretation information of the specified usage behavior can also be visualized in the dimensions of time, event, device information, and network environment information. The embodiment of the application does not limit the visualization mode, and also does not limit the implementation form of the interpretation information.

In an alternative embodiment, the interpretation strength may be used as an implementation form of the interpretation information. Based on the information, the explanation strength of the specified use behaviors in the dimensions of the event, the equipment information and the network environment information at each moment can be output in a visual mode; and/or outputting the occurrence time of the specified use behavior and the interpretation strength of the specified use behavior in the dimensions of the event, the equipment information and the network environment information at the occurrence time in a visual mode.

Alternatively, one way of visualization is in a list. Based on this, the explaining strength of the appointed using behaviors in the dimensions of the event, the equipment information and the network environment information at each moment is output in a visual mode, and the explaining strength comprises the following steps: displaying each moment and events, equipment information and network environment information corresponding to each moment in a list mode according to the sequence of the events; and displaying corresponding explanation strength marks around the event, the equipment information and the network environment information corresponding to each moment. Wherein, the explanation strength mark is used for reflecting the corresponding explanation strength. Fig. 4a shows a style sheet in the form of a list. In fig. 4a, a bar-shaped box is an explanatory strength mark, and the length of the bar-shaped box represents the magnitude of the explanatory strength.

Further, on the basis of the list shown in fig. 4a, outputting the occurrence time of the specified usage behavior and the interpretation strength of the occurrence time to the specified usage behavior in the dimensions of the event, the device information and the network environment information in a visual manner, including: and highlighting the occurrence time of the specified use behavior and the explanation strength marks around the event, the equipment information and the network environment information corresponding to the occurrence time.

The highlighting manner includes but is not limited to: bold font, italics, highlight, underlining, or boxed, etc. The log data within the box as shown in fig. 4a represents events, device information, and network environment information specifying the time at which the usage behavior occurred.

In the embodiments shown in fig. 3b and 3c, it is necessary to perform vectorization processing on the device information sequence and the network environment information sequence, respectively. In order to improve the efficiency of vectorization processing, an electronic account relationship network may be constructed in advance for the electronic accounts, the existing device information, and the existing network environment information that already exist in the application system, and vector representations of the existing electronic accounts, the existing device information, and the existing network environment information may be added to the electronic account relationship network. Based on this, in the embodiments shown in fig. 3b and fig. 3c, when it is necessary to perform vectorization processing on the device information sequence and the network environment information sequence, the electronic account relationship network may be queried, and the device information sequence and the network environment information sequence may be respectively subjected to vectorization processing directly according to the vector representation of the existing electronic account, the existing device information, and the existing network environment information in the system stored in the electronic account relationship network, so as to obtain the device information vectorization sequence and the network environment information vectorization sequence.

In an optional embodiment, the technical solution provided by the embodiment of the present application may be divided into: a globally accurate phase and an identification phase. Wherein, the global preparation phase: the method comprises the steps of obtaining log data of an existing electronic account in a system in advance within a second specified time period, wherein the second specified time period is earlier than the first time period and is longer than the first specified time period. For example, the second specified period of time may be 2 months, 3 months, or even longer; accordingly, the first designated time period may be 2 weeks, 3 weeks, etc. Then, according to log data of the existing electronic account in a second designated time period, determining equipment information and network environment information for initiating events to the existing electronic account; and then, constructing an electronic account relation network by taking the existing electronic account, the equipment information for initiating the event to the existing electronic account and the network environment information as nodes. And then, mapping the nodes in the electronic account relationship network to the same dense space by adopting Node embedding (Node embedding) for vectorization processing to obtain vector representation of each Node in the electronic account relationship network. A partial schematic diagram of the electronic account relationship network is shown in fig. 4b, but is not limited thereto. In fig. 4b, a denotes an electronic account, a followed by a different number denotes a different electronic account; d represents the device information used when the user initiates an event to the corresponding electronic account, and d is followed by different numbers to represent different device information; i represents network environment information used when a user initiates an event to a corresponding electronic account, such as the first three segments of an IP address, and i is followed by different numbers to represent the first three segments of different IP addresses.

It should be noted that in some of the flows described in the above embodiments and the drawings, a plurality of operations are included in a specific order, but it should be clearly understood that the operations may be executed out of the order presented herein or in parallel, and the sequence numbers of the operations, such as 301, 302, etc., are merely used for distinguishing different operations, and the sequence numbers do not represent any execution order per se. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different.

Fig. 5 is a schematic structural diagram of a computing device according to an embodiment of the present application. As shown in fig. 5, the computing device includes: a memory 51 and a processor 52.

The memory 51 is used to store computer programs and may be configured to store other various data to support operations on the computing device. Examples of such data include instructions for any application or method operating on the computing device, contact data, phonebook data, messages, pictures, videos, and so forth.

A processor 52 coupled to the memory 51 for executing the computer program stored in the memory 51 for: acquiring log data of an electronic account to be identified in a first specified time period; determining at least one piece of user side information initiating at least one event to the electronic account in a first specified time period according to log data of the electronic account to be identified in the first specified time period; identifying a difference existing between at least one user side information initiating at least one event to the electronic account to be identified in a first time period; and if the difference meets the differentiation requirement corresponding to the specified using behavior, judging that the electronic account to be identified has the specified using behavior in the first specified time period.

In an optional embodiment, the processor 52, when determining the user-side information for initiating the event to the electronic account within the first specified time period, is specifically configured to: according to log data of the electronic account to be identified in a first appointed time period, generating an event sequence initiated by a user in the first appointed time period, and an equipment information sequence and a network environment information sequence which correspond to the event sequence; the device information sequence and the network environment information sequence respectively contain at least one piece of device information and at least one piece of network environment information which are correspondingly used when a user initiates at least one event contained in the event sequence, and one piece of user side information comprises one piece of device information and the network environment information corresponding to the device information.

Optionally, the device information may be an ID or a MAC address of a device used by the user when initiating an event to the electronic account to be identified; correspondingly, the network environment information may be the first three segments of an IP address of a device used by the user when initiating an event to the electronic account to be identified.

In an optional embodiment, when identifying the difference existing between the user-side information of the to-be-identified electronic account initiating event in the first time period, the processor 52 is specifically configured to: vectorizing the equipment information sequence and the network environment information sequence to obtain an equipment information vectorization sequence and a network environment information vectorization sequence; and respectively extracting the equipment information characteristic sequence and the network environment information characteristic sequence from the equipment information vectorization sequence and the network environment information vectorization sequence by utilizing an RNN algorithm or a text-CNN algorithm.

In an alternative embodiment, processor 52 is further configured to: vectorizing the event sequence to obtain an event vectorization sequence; and extracting an event characteristic sequence from the event vectorization sequence by utilizing the RNN algorithm or the text-CNN algorithm.

On the basis of the event signature sequence, the device information signature sequence, and the network environment information sequence, the processor 52 is further configured to: and performing interpretable analysis on the event characteristic sequence, the equipment information characteristic sequence and the network environment information characteristic sequence by adopting an attention mechanism to obtain interpretation information of the specified use behaviors in the dimensions of time, events, equipment information and network environment information.

Further optionally, the processor 52, when performing interpretable analysis on the event signature sequence, the device information signature sequence, and the network environment information signature sequence by using the attention mechanism, is specifically configured to: distributing first layer attention weights for vector values at the same time in the event characteristic sequence, the equipment information characteristic sequence and the network environment information characteristic sequence by using a first layer attention mechanism algorithm, and performing weighted summation to obtain a summarized vectorization sequence; the first layer of attention weight represents the explanation strength of the corresponding vector value to the electronic account to be identified on the appointed use behavior; distributing second-layer attention weights for vector values at all moments in the summarized vectorization sequence by using a second-layer attention mechanism algorithm, and performing weighted summation to obtain summarized vectors; the second layer attention weight represents the explanation strength of the time corresponding to the time when the specified using behavior of the electronic account to be recognized occurs.

Based on the first and second tier attention weights, processor 52 is further configured to: outputting the explanation strength of the appointed use behaviors on the dimensions of the event, the equipment information and the network environment information at each moment in a visual mode; and/or outputting the occurrence time of the specified use behavior and the interpretation strength of the specified use behavior in the dimensions of the event, the equipment information and the network environment information at the occurrence time in a visual mode.

Further, when the processor 52 outputs the interpretation strength of the specified usage behavior in the event, device information, and network environment information dimension at each time in a visual manner, it is specifically configured to: displaying each moment and events, equipment information and network environment information corresponding to each moment in a list mode according to the sequence of the occurrence of the events; and displaying corresponding explanation strength marks around the event, the equipment information and the network environment information corresponding to each moment.

On the basis of displaying each time and the event, the device information, and the network environment information corresponding to each time, when the processor 52 outputs the occurrence time of the specified usage behavior and the interpretation strength of the occurrence time to the specified usage behavior in the event, the device information, and the network environment information dimension in a visual manner, the processor is specifically configured to: and highlighting the occurrence time of the specified use behavior and the explanation strength marks around the event, the equipment information and the network environment information corresponding to the occurrence time.

In an optional embodiment, the processor 52, when obtaining the device information vectorization sequence and the network environment information vectorization sequence, is specifically configured to: and respectively carrying out vectorization processing on the equipment information sequence and the network environment information sequence according to the vector representation of the existing equipment information and the existing network environment information in the system stored in the electronic account relation network to obtain an equipment information vectorization sequence and a network environment information vectorization sequence.

Optionally, the processor 52, prior to using the electronic account relationship network, is further configured to: the method comprises the steps that log data of an existing electronic account in a system in a second specified time period are obtained in advance, wherein the second specified time period is earlier than a first time period and is longer than the first specified time period; determining equipment information and network environment information for initiating events to the existing electronic account according to log data of the existing electronic account in a second designated time period; constructing an electronic account relation network by taking the existing electronic account, the equipment information for initiating the event to the existing electronic account and the network environment information as nodes; and mapping the nodes in the electronic account relationship network to the same dense space for vectorization processing to obtain the vector representation of each node in the electronic account relationship network.

In an alternative embodiment, the specified usage behavior may be a resale behavior or a loan behavior.

In an alternative embodiment, the electronic account to be identified may be a shop account number on an e-commerce platform, a driver account number on a taxi-taking platform, or an account number of a housekeeper on a housekeeping platform.

Further, as shown in fig. 5, the computing device further includes: communication components 53, display 54, power components 55, audio components 56, and the like. Only some of the components are schematically shown in fig. 5, and the computing device is not meant to include only the components shown in fig. 5. In fig. 5, the components shown in the dashed boxes are optional components, which may depend on the implementation form of the computing device.

Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program can implement the steps that can be executed by a computing device in the foregoing method embodiments when executed.

The memory in the above embodiments may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.

The communication component in the above embodiments is configured to facilitate communication between the device in which the communication component is located and other devices in a wired or wireless manner. The device in which the communication component is located may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component may further include a Near Field Communication (NFC) module, Radio Frequency Identification (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and the like.

The display in the above embodiments includes a screen, which may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation.

The power supply assembly of the above embodiments provides power to various components of the device in which the power supply assembly is located. The power components may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device in which the power component is located.

The audio component in the above embodiments may be configured to output and/or input an audio signal. For example, the audio component includes a Microphone (MIC) configured to receive an external audio signal when the device in which the audio component is located is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signal may further be stored in a memory or transmitted via a communication component. In some embodiments, the audio assembly further comprises a speaker for outputting audio signals.

As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.

These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.

It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims

1. An account behavior recognition method, comprising:

acquiring log data of an electronic account to be identified in a first specified time period;

according to log data of the electronic account to be identified in a first appointed time period, determining user side information for initiating an event to the electronic account to be identified in the first appointed time period;

identifying a difference existing between at least one piece of user side information initiating at least one event for the electronic account to be identified within the first specified time period;

and if the difference meets the differentiation requirement corresponding to the specified using behavior, judging that the specified using behavior occurs to the electronic account to be identified in the first specified time period.

2. The method of claim 1, wherein determining at least one piece of user-side information for initiating at least one event for the electronic account to be identified within a first specified time period according to log data of the electronic account to be identified within the first specified time period comprises:

according to log data of the electronic account to be identified in a first appointed time period, generating an event sequence initiated by a user to the electronic account to be identified in the first appointed time period, and an equipment information sequence and a network environment information sequence corresponding to the event sequence;

the device information sequence and the network environment information sequence respectively contain at least one piece of device information and at least one piece of network environment information which are correspondingly used when a user initiates at least one event contained in the event sequence, and one piece of client information comprises one piece of device information and the corresponding piece of network environment information.

3. The method of claim 2, wherein the device information is an ID or a MAC address of a device used by the user, and the network environment information is the first three segments of an IP address of the device used by the user.

4. The method of claim 2, wherein identifying the difference existing between at least one piece of user-side information that initiates at least one event for the electronic account to be identified within the first specified time period comprises:

vectorizing the equipment information sequence and the network environment information sequence respectively to obtain an equipment information vectorization sequence and a network environment information vectorization sequence;

and respectively extracting a device information characteristic sequence and a network environment information characteristic sequence from the device information vectorization sequence and the network environment information vectorization sequence by using an RNN algorithm or a text-CNN algorithm.

5. The method of claim 4, further comprising:

vectorizing the event sequence to obtain an event vectorization sequence;

and extracting an event characteristic sequence from the event vectorization sequence by utilizing the RNN algorithm or the text-CNN algorithm.

6. The method of claim 5, further comprising:

and performing interpretable analysis on the event characteristic sequence, the equipment information characteristic sequence and the network environment information characteristic sequence by adopting an attention mechanism to obtain interpretation information of the specified use behaviors in the dimensions of time, events, equipment information and network environment information.

7. The method of claim 6, wherein performing interpretable analysis of the sequence of event signatures, the sequence of device information signatures, and the sequence of network environment information signatures using an attention mechanism to obtain interpretative information of the specified usage behavior in the dimensions of time, event, device information, and network environment information comprises:

distributing first layer attention weights for vector values at the same time in the event characteristic sequence, the equipment information characteristic sequence and the network environment information characteristic sequence by using a first layer attention mechanism, and performing weighted summation to obtain a summarized vectorization sequence; each first-layer attention weight represents the explanation strength of the corresponding vector value to the electronic account to be identified on why the specified usage behavior occurs;

distributing second-layer attention weights for vector values at all times in the summarized vectorization sequence by using a second-layer attention system, and performing weighted summation to obtain summarized vectors; each second-layer attention weight represents the explaining strength of the corresponding moment to the specified using behavior of the electronic account to be identified when.

8. The method of claim 7, further comprising:

outputting the explanation strength of the specified use behaviors on the dimensions of events, equipment information and network environment information at each moment in a visual mode; and/or

And outputting the occurrence time of the specified use behavior and the interpretation strength of the specified use behavior on the dimensions of events, equipment information and network environment information at the occurrence time in a visual mode.

9. The method of claim 8, wherein visually outputting the interpretation strength of the specified usage behavior in the dimensions of the event, the device information and the network environment information at each time comprises:

displaying each moment and events, equipment information and network environment information corresponding to each moment in a list mode according to the sequence of the occurrence of the events;

and displaying corresponding explanation strength marks around the event, the equipment information and the network environment information corresponding to each moment.

10. The method of claim 9, wherein visually outputting the occurrence time of the specified usage behavior and the interpretation strength of the specified usage behavior in terms of the dimensions of events, device information and network environment information at the occurrence time comprises:

and highlighting the occurrence time of the specified use behavior and the explanation strength marks around the event, the equipment information and the network environment information corresponding to the occurrence time on the list.

11. The method of claim 4, wherein the vectorizing the device information sequence and the network environment information sequence to obtain a device information vectorization sequence and a network environment information vectorization sequence comprises:

and respectively carrying out vectorization processing on the equipment information sequence and the network environment information sequence according to the vector representation of the existing electronic account, the existing equipment information and the existing network environment information in the system stored in the electronic account relational network to obtain an equipment information vectorization sequence and a network environment information vectorization sequence.

12. The method of claim 11, further comprising:

the method comprises the steps that log data of an existing electronic account in a system in a second specified time period are obtained in advance, wherein the second specified time period is earlier than the first specified time period and is longer than the first specified time period;

determining equipment information and network environment information for initiating events to the existing electronic account according to log data of the existing electronic account in a second designated time period;

constructing an electronic account relation network by taking the existing electronic account, the equipment information for initiating the event to the existing electronic account and the network environment information as nodes;

and mapping the nodes in the electronic account relationship network to the same dense space for vectorization processing to obtain the vector representation of each node in the electronic account relationship network.

13. The method of any of claims 1-12, wherein the specified usage behavior is a resale behavior or a lending behavior.

14. The method according to any one of claims 1 to 12, wherein the electronic account to be identified is a store account number on an e-commerce platform, a driver account number on a taxi-taking platform, or an account number of a housekeeping person on a housekeeping platform.

15. A computing device, comprising: a memory and a processor;

the memory for storing a computer program;

the processor to execute the computer program to:

determining at least one piece of user side information initiating at least one event to the electronic account in a first specified time period according to log data of the electronic account to be identified in the first specified time period;

and if the difference meets the differentiation requirement corresponding to the specified use behavior, judging that the specified use behavior occurs to the electronic account to be identified in the first specified time period.

16. The computing device of claim 15, wherein the processor is specifically configured to:

the device information sequence and the network environment information sequence respectively contain at least one piece of device information and at least one piece of network environment information which are correspondingly used when a user initiates at least one event contained in the event sequence, and one piece of user side information comprises one piece of device information and the corresponding network environment information.

17. The computing device of claim 16, wherein the processor is specifically configured to:

18. The computing device of claim 17, wherein the processor is further configured to:

vectorizing the event sequence to obtain an event vectorization sequence;

19. The computing device of claim 18, wherein the processor is further configured to:

20. A computer-readable storage medium storing a computer program, which, when executed by a processor, causes the processor to carry out the steps of the method according to any one of claims 1 to 14.