CN117236721A - Monitoring method, system, computer equipment and storage medium for enterprise abnormal behavior - Google Patents
Monitoring method, system, computer equipment and storage medium for enterprise abnormal behavior Download PDFInfo
- Publication number
- CN117236721A CN117236721A CN202311484122.8A CN202311484122A CN117236721A CN 117236721 A CN117236721 A CN 117236721A CN 202311484122 A CN202311484122 A CN 202311484122A CN 117236721 A CN117236721 A CN 117236721A
- Authority
- CN
- China
- Prior art keywords
- monitoring
- objects
- directed
- vector
- preset
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000012544 monitoring process Methods 0.000 title claims abstract description 232
- 238000000034 method Methods 0.000 title claims abstract description 56
- 206010000117 Abnormal behaviour Diseases 0.000 title claims abstract description 31
- 239000013598 vector Substances 0.000 claims abstract description 108
- 238000012512 characterization method Methods 0.000 claims abstract description 61
- 230000006399 behavior Effects 0.000 claims abstract description 21
- 239000011159 matrix material Substances 0.000 claims description 36
- 238000011144 upstream manufacturing Methods 0.000 claims description 18
- 238000004590 computer program Methods 0.000 claims description 13
- 238000004422 calculation algorithm Methods 0.000 claims description 8
- 238000005295 random walk Methods 0.000 claims description 7
- 238000010276 construction Methods 0.000 claims description 6
- 238000004364 calculation method Methods 0.000 claims description 5
- 238000012216 screening Methods 0.000 claims description 4
- 238000012545 processing Methods 0.000 abstract description 18
- 238000011156 evaluation Methods 0.000 description 9
- 238000010586 diagram Methods 0.000 description 4
- 230000009286 beneficial effect Effects 0.000 description 3
- 238000004891 communication Methods 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 238000004458 analytical method Methods 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 230000003111 delayed effect Effects 0.000 description 1
- 235000019800 disodium phosphate Nutrition 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 230000010365 information processing Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000002035 prolonged effect Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The application belongs to the technical field of data processing, and relates to a monitoring method, a monitoring system, computer equipment and a storage medium for abnormal behaviors of enterprises, wherein the method comprises the following steps: and obtaining the subordinate relations and the fund flow directions among the monitoring objects to construct a target monitoring object relation table, constructing a directed graph based on the target monitoring object relation table, generating a plurality of directed sequences based on the target monitoring object relation table, inputting a preset model to obtain the characterization vector of each monitoring object, obtaining the monitoring objects similar to the reference object, and extracting common features through the reference object and the similar monitoring objects to perform illegal funding behavior monitoring. The scheme of the application can realize rapid illegal fund collecting behavior identification, can rapidly process a large amount of data in batches, can be used for constructing the directed graph for different data types, simplifies the data processing process and has high processing efficiency.
Description
Technical Field
The application relates to the technical field of data processing, in particular to a monitoring method, a monitoring system, computer equipment and a storage medium for abnormal behaviors of enterprises.
Background
At present, when illegal funding behavior evaluation and identification are carried out, the problems of large data analysis amount and multiple data types are faced, the analysis efficiency is low, the attack period of the illegal funding behavior is prolonged, meanwhile, the evaluation indexes are difficult to effectively form a system due to the fact that the data are numerous, the existing evaluation index system cannot capture some hidden or complex illegal funding means, and the enterprise discovery is relatively delayed for the problem of illegal funding behavior.
Disclosure of Invention
The embodiment of the application aims to provide a monitoring method, a system, computer equipment and a storage medium for abnormal behaviors of enterprises, which are used for solving the problem that illegal funding behaviors cannot be effectively identified due to large data volume, multiple data types and limited evaluation index capability in the prior art.
In order to solve the technical problems, an embodiment of the present application provides a method for monitoring abnormal behavior of an enterprise, where the method includes:
acquiring a data set of a plurality of monitoring objects in a set area, wherein the monitoring objects comprise at least one reference object, the data set comprises associated data of each monitoring object and transaction data, the associated data are used for representing subordinate relations among the monitoring objects, and the transaction data are used for representing fund flow directions among the monitoring objects;
Constructing a monitoring object relation table according to the subordinate relation and the fund flow direction, screening the monitoring object relation table according to a preset white list to obtain a target monitoring object relation table, and constructing a directed graph based on the target monitoring object relation table, wherein the directed graph is provided with a plurality of nodes, and each node corresponds to one monitoring object;
randomly selecting a starting point in the directed graph by adopting a random walk mode, generating a plurality of directed sequences based on the starting point and a preset path length, and inputting the directed sequences into a preset Skip-gram model to obtain a characterization vector of each monitoring object;
and calculating the similarity of the reference object and the rest monitoring objects according to the characterization vector, analyzing the transaction data of the monitoring objects with the similarity meeting the preset condition to extract common characteristics, and carrying out illegal funding behavior monitoring on the monitoring objects or the designated monitoring objects with the similarity meeting the preset condition according to the common characteristics.
Further, after the step of calculating the similarity between the reference object and the remaining monitoring objects according to the characterization vector, the method further includes:
judging whether the number of the monitoring objects similar to the reference object is larger than a first preset value, if so, increasing the preset path length, and re-acquiring the characterization vector;
Otherwise, continuing to judge whether the number of the monitoring objects similar to the reference object is smaller than a second preset value, if so, reducing the preset path length, and re-acquiring the characterization vector until the number of the monitoring objects similar to the reference object is between the first preset value and the second preset value.
Further, after the step of obtaining the characterization vector of each monitoring object, the method further includes:
acquiring an update data set, judging whether the update data set contains a reference object, if so, updating the directed graph based on the update data set, updating the characterization vectors of all original monitoring objects, and acquiring the characterization vectors of newly added monitoring objects;
otherwise, after updating the directed graph based on an updating data set, acquiring a local directed sequence from the directed graph by taking a newly added monitoring object as a starting point or an ending point, inputting the local directed sequence into a preset Skip-gram model, updating the characterization vector of the monitoring object in the local directed sequence, and acquiring the characterization vector of the newly added monitoring object.
Further, after the step of generating a plurality of directed sequences based on the starting point and a preset path length, the method further comprises:
And taking the directed sequence with the actual path length smaller than the preset path length as a short sequence, judging whether the number of the short sequences exceeds a third preset value, and if so, reducing the preset path length until the number of the short sequences is smaller than the third preset value.
Further, characterizing each monitoring object in the directed sequence by using an initial vector, and initializing a first weight matrix and a second weight matrix, wherein each row of the first weight matrix corresponds to a vector when each monitoring object is used as an intermediate node, and each column of the second weight matrix corresponds to a vector when each monitoring object is used as an upstream node or a downstream node;
when each monitoring object is used as an intermediate node based on the first weight matrix and the second weight matrix, calculating the probability of the monitoring objects of the upstream node and the downstream node in the directed sequence, namely conditional probability, and updating the vector when each monitoring object is used as the intermediate node by adopting a gradient descent algorithm based on the conditional probability to obtain the characterization vector and updating the first weight matrix.
Further, when the vector of each monitoring object is updated as an intermediate node by adopting a gradient descent algorithm based on the conditional probability, the method further comprises updating the vector of the monitoring object as an upstream node or a downstream node to update the second weight matrix.
Further, when the similarity between the reference object and the rest of the monitoring objects is calculated according to the characterization vector, the cosine similarity is specifically adopted for calculation.
In order to solve the above technical problem, an embodiment of the present application further provides a monitoring system for abnormal behavior of an enterprise, including:
the data acquisition module is used for acquiring a data set of a plurality of monitoring objects in a set area, wherein the monitoring objects comprise at least one reference object, the data set comprises associated data of each monitoring object and transaction data, the associated data are used for representing subordinate relations among the monitoring objects, and the transaction data are used for representing fund flow directions among the monitoring objects;
the directed graph construction module is used for constructing a monitoring object relation table according to the subordinate relation and the fund flow direction, screening the monitoring object relation table according to a preset white list to obtain a target monitoring object relation table, and constructing a directed graph based on the target monitoring object relation table, wherein the directed graph is provided with a plurality of nodes, and each node corresponds to one monitoring object;
the vector acquisition module is used for arbitrarily selecting a starting point in the directed graph by adopting a random walk mode, generating a plurality of directed sequences based on the starting point and a preset path length, and inputting the directed sequences into a preset Skip-gram model to obtain a characterization vector of each monitoring object;
And the monitoring module is used for calculating the similarity between the reference object and the rest of monitoring objects according to the characterization vector, analyzing the transaction data of the monitoring objects with the similarity meeting the preset condition to extract common characteristics, and carrying out illegal funding behavior monitoring on the monitoring objects or designated monitoring objects with the similarity meeting the preset condition according to the common characteristics.
In order to solve the above technical problems, an embodiment of the present application further provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements the method for monitoring abnormal behaviors of an enterprise as described above when executing the computer program.
In order to solve the above technical problem, an embodiment of the present application further provides a computer readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the method for monitoring abnormal behavior of an enterprise is implemented as described above.
Compared with the prior art, the application has the following main beneficial effects:
according to the application, the directed sequence is obtained by constructing the directed graph, the characterization vector of each monitoring object is obtained by the directed sequence, the monitoring object similar to the reference object is further determined to be used as the quasi-reference object, finally, the shared transaction characteristic is obtained through the transaction data of the reference object and the quasi-reference object, the illegal fund collecting behavior is monitored through the shared transaction characteristic, the rapid illegal fund collecting behavior identification can be realized in such a way, a large amount of data can be rapidly processed in batches, the directed graph can be constructed for different data types, the data processing process is simplified, and the processing efficiency is high.
Drawings
In order to more clearly illustrate the solution of the present application, a brief description will be given below of the drawings required for the description of the embodiments of the present application, it being apparent that the drawings in the following description are some embodiments of the present application, and that other drawings may be obtained from these drawings without the exercise of inventive effort for a person of ordinary skill in the art.
FIG. 1 is an exemplary system architecture diagram in which the present application may be applied;
FIG. 2 is a flow chart of one embodiment of a method of monitoring for abnormal behavior of an enterprise in accordance with the present application;
FIG. 3 is an example of a directed graph generated in accordance with an embodiment of the present application;
FIG. 4 is a schematic diagram of one embodiment of a monitoring system for enterprise abnormal behavior in accordance with the present application;
FIG. 5 is a schematic structural diagram of one embodiment of a computer device in accordance with the present application.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the applications herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "comprising" and "having" and any variations thereof in the description of the application and the claims and the description of the drawings above are intended to cover a non-exclusive inclusion. The terms first, second and the like in the description and in the claims or in the above-described figures, are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
In order to make the person skilled in the art better understand the solution of the present application, the technical solution of the embodiment of the present application will be clearly and completely described below with reference to the accompanying drawings.
As shown in fig. 1, system architecture 100 may include terminal devices (including, but not limited to, cell phone 101, tablet 102, notebook 103), network 104, and server 105. The network 104 is the medium used to provide communication links between the terminal devices and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the server 105 via the network 104 using a terminal device to receive or send messages or the like. Various client applications may be installed on the terminal device, such as a web browser application, a shopping class application, a search class application, an instant messaging tool, a mailbox client, social platform software, and the like.
The terminal device may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server that provides various services, such as a server that provides end-of-service data hereinafter.
It should be noted that, the method for monitoring abnormal behavior of an enterprise provided by the embodiment of the present application is generally executed by the server 105, and accordingly, the monitoring system for abnormal behavior of an enterprise is generally set in the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
With continued reference to FIG. 2, a flow chart of one embodiment of a method of monitoring for abnormal behavior of an enterprise in accordance with the present application is shown. The method for monitoring the abnormal behavior of the enterprise comprises the following steps of S201 to S205:
step S201, acquiring a data set of a plurality of monitoring objects in a set area, where the monitoring objects include at least one reference object, the data set includes association data of each monitoring object and transaction data, the association data is used to represent a subordinate relationship between each monitoring object, and the transaction data is used to represent a fund flow direction between each monitoring object.
In this embodiment, the set area refers to an administrative area or a geographic area where the monitored object is located, and for flexible monitoring of illegal funding in a small range, the data sets of the monitored object in different set areas may be acquired. Accordingly, the monitoring object may be an enterprise, an individual user or a natural person, that is, a main body in a financial activity, wherein the association data for the monitoring object includes investment relations, equity relations, employment relations and the like, the relations may represent subordinate relations between different monitoring objects, and the transaction data includes bank funds transaction flow, which may intuitively reflect the funds flow direction between different monitoring objects. The reference object refers to a monitoring object for determining that illegal funding exists.
Step S202, a monitoring object relation table is constructed according to the subordinate relation and the fund flow direction, the monitoring object relation table is screened according to a preset white list, a target monitoring object relation table is obtained, a directed graph is constructed based on the target monitoring object relation table, the directed graph is provided with a plurality of nodes, and each node corresponds to one monitoring object.
In this embodiment, when the monitor object relationship table is constructed, two relationship tables with directivity can be respectively constructed according to the association data and the transaction data, where the directivity represents the relationship or the fund flow direction of the monitor object, as shown in the following table 1 and table 2, table 1 is the relationship table representing the relationship of the monitor object, and table 2 is the relationship table representing the fund flow direction of the monitor object:
;
。
All the monitoring objects can be connected in series through the above-mentioned monitoring object relation table to generate at least one directed graph, for example, the directed graph generated through table 1 and table 2 is shown in fig. 3.
In some embodiments, if multiple directed graphs are generated, which means that the directed graphs are independent of each other, and there is no master-slave relationship or no fund flow relationship, when the directed sequence is acquired in the subsequent step S203, the method further includes determining whether the number of nodes of the directed graph meets a preset condition, where the preset condition can be flexibly set according to the data size of the data set, and when a certain number of nodes are met, the directed sequence is acquired, so that the data processing amount in the subsequent step can be reduced, and the processing efficiency is improved.
Step S203, a random walk mode is adopted to randomly select a starting point in the directed graph, a plurality of directed sequences are generated based on the starting point and a preset path length, and the directed sequences are input into a preset Skip-gram model to obtain the characterization vector of each monitoring object.
In this embodiment, by randomly selecting a starting point in the directed graph, a plurality of directed sequences may be obtained given a preset path length, for example, according to the directed graph shown in fig. 3, and taking the preset path length as 3, the directed sequences of a→c→u3→ F, A →c→u3→u4, c→u3→f→e may be obtained by a random walk, and the relationship of each monitored object may be more accurately represented by using the directed sequences, so that the representation vector obtained in the subsequent step may more effectively represent the corresponding monitored object, which is helpful for improving the accuracy of illegal fund collection evaluation.
In this embodiment, the directed sequence is divided into an upstream node, an intermediate node and a downstream node according to node directions, and the step of inputting the directed sequence into a preset Skip-gram model to obtain the characterization vector of each monitoring object includes:
characterizing each monitoring object in the directed sequence by using an initial vector, and initializing a first weight matrix and a second weight matrix, wherein each row of the first weight matrix corresponds to a vector when each monitoring object is used as an intermediate node, and each column of the second weight matrix corresponds to a vector when each monitoring object is used as an upstream node or a downstream node; when each monitoring object is used as an intermediate node based on the first weight matrix and the second weight matrix, calculating the probability of the monitoring objects of the upstream node and the downstream node in the directed sequence, namely conditional probability, and updating the vector when each monitoring object is used as the intermediate node by adopting a gradient descent algorithm based on the conditional probability to obtain the characterization vector and updating the first weight matrix. Specifically, in calculating the conditional probability, the following formula is adopted:
;
wherein,is a representation vector of intermediate nodes, " >Is->The representation vectors of the surrounding nodes (upstream node and downstream node), m is the total number of different nodes in the directed graph, k represents the number of different nodes in the graph, i represents the index of the node for which the conditional probability is to be calculated, j represents the index of all nodes of the current window. In the Skip-gram model of the embodiment, the index refers to the position or number of the monitoring object in the object library, and one monitoring object can be uniquely identified through the index; in addition, after the intermediate node is determined, the upstream node and the downstream node of the intermediate node are obtained by setting a proper sliding window, so that all nodes of the current window are obtained.
In this embodiment, when the vector of each monitored object is updated using the gradient descent algorithm as the intermediate node based on the conditional probability, the method further includes updating the vector of the monitored object as the upstream node or the downstream node to update the second weight matrix.
And obtaining the characterization vector of each monitoring object in the directed graph after obtaining the final first weight matrix and the second weight matrix.
Step S204, calculating the similarity between the reference object and the rest of monitoring objects according to the characterization vector, analyzing the transaction data of the monitoring objects with the similarity meeting the preset condition to extract common characteristics, and performing illegal funding behavior monitoring on the monitoring objects or designated monitoring objects with the similarity meeting the preset condition according to the common characteristics.
In this embodiment, when calculating the similarity between the reference object and the rest of the monitoring objects according to the characterization vector, the cosine similarity is specifically adopted for calculation. After the monitoring objects with the similarity meeting the preset conditions are obtained, the monitoring objects can be initially judged to have illegal funding actions similar to the reference objects, the transaction data of the monitoring objects are analyzed to obtain common characteristics related to the illegal funding actions in the transaction data of the monitoring objects by analyzing various characteristics including transaction amount, transaction time, transaction range and the like, and based on the common characteristics, any monitoring object in the directed graph or the monitoring object appointed outside the directed graph can be monitored for illegal funding actions, so that the monitoring efficiency is high.
In some embodiments, after the step of calculating the similarity of the reference object and the remaining monitored objects from the characterization vector, the method further comprises:
judging whether the number of the monitoring objects similar to the reference object is larger than a first preset value, if so, increasing the preset path length, and re-acquiring the characterization vector; otherwise, continuing to judge whether the number of the monitoring objects similar to the reference object is smaller than a second preset value, if so, reducing the preset path length, and re-acquiring the characterization vector until the number of the monitoring objects similar to the reference object is between the first preset value and the second preset value.
Specifically, for a preset path length, an effective characterization vector cannot be obtained when the path is too long or too short, the originally dissimilar monitored objects are easily related strongly when the path is too short, the originally similar monitored objects are easily related to the decrease of the association strength when the path is too long, and erroneous judgment during illegal funding behavior evaluation can be caused in both cases, so that the number of the monitored objects similar to the reference object can be preferably kept between the first preset value and the second preset value, and the two values can be adjusted adaptively according to the size of the data volume, which is not limited herein.
In some embodiments, after the step of generating a plurality of directed sequences based on the starting point and a preset path length, the method further comprises:
and taking the directed sequence with the actual path length smaller than the preset path length as a short sequence, judging whether the number of the short sequences exceeds a third preset value, and if so, reducing the preset path length until the number of the short sequences is smaller than the third preset value. The step is also aimed at obtaining a proper preset path length, so as to avoid the problem of strong correlation or reduced correlation strength of the monitored object, and ensure the accuracy of illegal funding behavior evaluation.
In some embodiments, after the step of obtaining the characterization vector of each of the monitored objects, the method further includes:
acquiring an update data set, judging whether the update data set contains a reference object, if so, updating the directed graph based on the update data set, updating the characterization vectors of all original monitoring objects, and acquiring the characterization vectors of newly added monitoring objects; otherwise, after updating the directed graph based on an updating data set, acquiring a local directed sequence from the directed graph by taking a newly added monitoring object as a starting point or an ending point, inputting the local directed sequence into a preset Skip-gram model, updating the characterization vector of the monitoring object in the local directed sequence, and acquiring the characterization vector of the newly added monitoring object. When the update data does not contain the reference object, only the monitoring object in the local directed sequence in the directed graph is updated with the characterization vector, so that the data processing amount can be reduced, the efficiency can be improved, when the update data contains the reference object, the global is updated, and the similarity calculation is carried out on the characterization vector of the updated monitoring object and the characterization vector of the newly added reference object, so that the accuracy of subsequent evaluation can be improved.
Compared with the prior art, the embodiment of the application has the following main beneficial effects:
according to the application, the directed sequence is obtained by constructing the directed graph, the characterization vector of each monitoring object is obtained by the directed sequence, the monitoring object similar to the reference object is further determined to be used as the quasi-reference object, finally, the shared transaction characteristic is obtained through the transaction data of the reference object and the quasi-reference object, the illegal fund collecting behavior is monitored through the shared transaction characteristic, the rapid illegal fund collecting behavior identification can be realized in such a way, a large amount of data can be rapidly processed in batches, the directed graph can be constructed for different data types, the data processing process is simplified, and the processing efficiency is high.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored in a computer-readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. The storage medium may be a nonvolatile storage medium such as a magnetic disk, an optical disk, a Read-only memory (ROM), or a random access memory (RandomAccessMemory, RAM).
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited in order and may be performed in other orders, unless explicitly stated herein. Moreover, at least some of the steps in the flowcharts of the figures may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order of their execution not necessarily being sequential, but may be performed in turn or alternately with other steps or at least a portion of the other steps or stages.
With further reference to fig. 4, as an implementation of the method shown in fig. 2, the present application provides an embodiment of a monitoring system for abnormal behavior of an enterprise, where the system embodiment corresponds to the method embodiment shown in fig. 2, and the system may be specifically applied to various servers.
As shown in fig. 4, the monitoring system for abnormal behavior of an enterprise according to the present embodiment includes: a data acquisition module 401, a directed graph construction module 402, a vector acquisition module 403, and a monitoring module 404. Wherein: the data acquisition module 401 is configured to acquire a data set of a plurality of monitoring objects in a set area, where the monitoring objects include at least one reference object, the data set includes association data of each monitoring object and transaction data, the association data is used to represent a subordinate relationship between each monitoring object, and the transaction data is used to represent a fund flow direction between each monitoring object; the directed graph construction module 402 is configured to construct a monitored object relationship table according to the subordinate relationship and the fund flow direction, screen the monitored object relationship table according to a preset white list to obtain a target monitored object relationship table, and construct a directed graph based on the target monitored object relationship table, where the directed graph has a plurality of nodes, and each node corresponds to one monitored object; the vector obtaining module 403 is configured to randomly select a starting point from the directed graph by using a random walk manner, generate a plurality of directed sequences based on the starting point and a preset path length, and input the directed sequences into a preset Skip-gram model to obtain a characterization vector of each monitoring object; the monitoring module 404 is configured to calculate the similarity between the reference object and the rest of monitoring objects according to the token vector, analyze the transaction data of the monitoring objects with the similarity satisfying the preset condition to extract a common feature, and perform illegal funding behavior monitoring on the monitoring objects or designated monitoring objects with the similarity satisfying the preset condition according to the common feature.
In some embodiments, if the directed graph construction module 402 generates a plurality of directed graphs, it means that the directed graphs are independent of each other, and there is no master-slave relationship or no fund flow relationship, and when the subsequent vector acquisition module 403 performs the directed sequence acquisition, the vector acquisition module 403 is further configured to determine whether the number of nodes of the directed graph meets a preset condition, where the preset condition can be flexibly set according to the data size of the data set, and when a certain number of nodes are met, the directed sequence is acquired, so that the subsequent data processing amount can be reduced, and the processing efficiency is improved.
In this embodiment, the directional sequence is divided into an upstream node, an intermediate node and a downstream node according to node directions, and the vector obtaining module 403 inputs the directional sequence into a preset Skip-gram model, so as to obtain a characterization vector of each monitoring object, where the method is specifically used for:
characterizing each monitoring object in the directed sequence by using an initial vector, and initializing a first weight matrix and a second weight matrix, wherein each row of the first weight matrix corresponds to a vector when each monitoring object is used as an intermediate node, and each column of the second weight matrix corresponds to a vector when each monitoring object is used as an upstream node or a downstream node; when each monitoring object is used as an intermediate node based on the first weight matrix and the second weight matrix, calculating the probability of the monitoring objects of the upstream node and the downstream node in the directed sequence, namely conditional probability, and updating the vector when each monitoring object is used as the intermediate node by adopting a gradient descent algorithm based on the conditional probability to obtain the characterization vector and updating the first weight matrix. Specifically, in calculating the conditional probability, the following formula is adopted:
;
Wherein,is a representation vector of intermediate nodes, ">Is->The representation vectors of the surrounding nodes (upstream node and downstream node), m is the total number of different nodes in the directed graph.
In this embodiment, when the vector obtaining module 403 updates the vector when each monitored object is an intermediate node by using a gradient descent algorithm based on the conditional probability, the vector obtaining module is further configured to update the vector when the monitored object is an upstream node or a downstream node, so as to update the second weight matrix.
And obtaining the characterization vector of each monitoring object in the directed graph after obtaining the final first weight matrix and the second weight matrix.
In some embodiments, the monitoring module 404 is further configured to determine whether the number of monitoring objects similar to the reference object is greater than a first preset value after calculating the similarity between the reference object and the rest of the monitoring objects according to the token vector, and if so, cause the vector acquisition module 403 to increase the preset path length to reacquire the token vector; otherwise, continuing to determine whether the number of monitoring objects similar to the reference object is smaller than a second preset value, if yes, making the vector acquisition module 403 reduce the preset path length, and reacquiring the characterization vector until the number of monitoring objects similar to the reference object is between the first preset value and the second preset value.
In some embodiments, the vector obtaining module 403 is further configured to, after generating a plurality of directed sequences based on the starting point and a preset path length, determine, as a short sequence, whether the number of the short sequences exceeds a third preset value, and if so, reduce the preset path length until the number of the short sequences is less than the third preset value. The step is also aimed at obtaining a proper preset path length, so as to avoid the problem of strong correlation or reduced correlation strength of the monitored object, and ensure the accuracy of illegal funding behavior evaluation.
In some embodiments, after the vector obtaining module 403 obtains the characterization vectors of each monitoring object, the obtaining module 401 is further configured to obtain an update data set, determine whether the update data set includes a reference object, if so, cause the directed graph building module 402 to update the directed graph based on the update data set, and cause the vector obtaining module 403 to update the original characterization vectors of all the monitoring objects and obtain the characterization vectors of the newly added monitoring objects; otherwise, after the directed graph construction module 402 updates the directed graph based on the update data set, the vector acquisition module 403 acquires a local directed sequence from the directed graph with the newly added monitored object as a starting point or an end point, inputs the local directed sequence into a preset Skip-gram model, updates the characterization vector of the monitored object in the local directed sequence, and acquires the characterization vector of the newly added monitored object.
The technical content specifically related to each operation in performing the related operation by each module may refer to the related content in the method embodiment, which is not expanded herein.
Compared with the prior art, the embodiment of the application has the following main beneficial effects:
according to the application, the directed sequence is obtained by constructing the directed graph, the characterization vector of each monitoring object is obtained by the directed sequence, the monitoring object similar to the reference object is further determined to be used as the quasi-reference object, finally, the shared transaction characteristic is obtained through the transaction data of the reference object and the quasi-reference object, the illegal fund collecting behavior is monitored through the shared transaction characteristic, the rapid illegal fund collecting behavior identification can be realized in such a way, a large amount of data can be rapidly processed in batches, the directed graph can be constructed for different data types, the data processing process is simplified, and the processing efficiency is high.
In order to solve the above technical problems, an embodiment of the present application further provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the method for monitoring abnormal behaviors of an enterprise as described above when executing the computer program, and has corresponding technical effects.
Referring specifically to fig. 5, fig. 5 is a basic structural block diagram of a computer device according to the present embodiment. The computer device 5 comprises a memory 51, a processor 52, a network interface 53 which are communicatively connected to each other via a system bus. It should be noted that only the computer device 5 with components 51-53 is shown in the figures, but it should be understood that not all of the illustrated components are required to be implemented and that more or fewer components may be implemented instead. It will be appreciated by those skilled in the art that the computer device herein is a device capable of automatically performing numerical calculations and/or information processing in accordance with predetermined or stored instructions, the hardware of which includes, but is not limited to, microprocessors, application specific integrated circuits (Application Specific Integrated Circuit, ASICs), programmable gate arrays (fields-Programmable Gate Array, FPGAs), digital processors (Digital Signal Processor, DSPs), embedded devices, etc.
The computer equipment can be a desktop computer, a notebook computer, a palm computer, a cloud server and other computing equipment. The computer equipment can perform man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch pad or voice control equipment and the like.
The memory 51 includes at least one type of readable storage medium including flash memory, hard disk, multimedia card, card memory (e.g., SD or DX memory, etc.), random Access Memory (RAM), static Random Access Memory (SRAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), programmable Read Only Memory (PROM), magnetic memory, magnetic disk, optical disk, etc. In some embodiments, the storage 51 may be an internal storage unit of the computer device 5, such as a hard disk or a memory of the computer device 5. In other embodiments, the memory 51 may also be an external storage device of the computer device 5, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card (Flash Card) or the like, which are provided on the computer device 5. Of course, the memory 51 may also comprise both an internal memory unit of the computer device 5 and an external memory device. In this embodiment, the memory 51 is generally used to store an operating system and various application software installed on the computer device 5, such as program codes of a monitoring method for abnormal behavior of an enterprise. Further, the memory 51 may be used to temporarily store various types of data that have been output or are to be output.
The processor 52 may be a central processing unit (Central Processing Unit, CPU), controller, microcontroller, microprocessor, or other data processing chip in some embodiments. The processor 52 is typically used to control the overall operation of the computer device 5. In this embodiment, the processor 52 is configured to execute a program code stored in the memory 51 or process data, such as a program code for executing a method for monitoring abnormal behavior of the enterprise.
The network interface 53 may comprise a wireless network interface or a wired network interface, which network interface 53 is typically used to establish communication connections between the computer device 5 and other electronic devices.
In order to solve the above technical problems, an embodiment of the present application further provides a computer readable storage medium, where a computer program is stored on the computer readable storage medium, where the computer program may be executed by at least one processor, so that the at least one processor performs the steps of the method for monitoring abnormal behavior of an enterprise as described above, and has corresponding technical effects.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present application.
It is apparent that the above-described embodiments are only some embodiments of the present application, but not all embodiments, and the preferred embodiments of the present application are shown in the drawings, which do not limit the scope of the patent claims. This application may be embodied in many different forms, but rather, embodiments are provided in order to provide a thorough and complete understanding of the present disclosure. Although the application has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments described in the foregoing description, or equivalents may be substituted for elements thereof. All equivalent structures made by the content of the specification and the drawings of the application are directly or indirectly applied to other related technical fields, and are also within the scope of the application.
Claims (10)
1. A method for monitoring abnormal behavior of an enterprise, the method comprising:
acquiring a data set of a plurality of monitoring objects in a set area, wherein the monitoring objects comprise at least one reference object, the data set comprises associated data of each monitoring object and transaction data, the associated data are used for representing subordinate relations among the monitoring objects, and the transaction data are used for representing fund flow directions among the monitoring objects;
Constructing a monitoring object relation table according to the subordinate relation and the fund flow direction, screening the monitoring object relation table according to a preset white list to obtain a target monitoring object relation table, and constructing a directed graph based on the target monitoring object relation table, wherein the directed graph is provided with a plurality of nodes, and each node corresponds to one monitoring object;
randomly selecting a starting point in the directed graph by adopting a random walk mode, generating a plurality of directed sequences based on the starting point and a preset path length, and inputting the directed sequences into a preset Skip-gram model to obtain a characterization vector of each monitoring object;
and calculating the similarity of the reference object and the rest monitoring objects according to the characterization vector, analyzing the transaction data of the monitoring objects with the similarity meeting the preset condition to extract common characteristics, and carrying out illegal funding behavior monitoring on the monitoring objects or the designated monitoring objects with the similarity meeting the preset condition according to the common characteristics.
2. The method for monitoring abnormal behavior of an enterprise according to claim 1, wherein after the step of calculating the similarity between the reference object and the remaining monitoring objects based on the characterization vector, the method further comprises:
Judging whether the number of the monitoring objects similar to the reference object is larger than a first preset value, if so, increasing the preset path length, and re-acquiring the characterization vector;
otherwise, continuing to judge whether the number of the monitoring objects similar to the reference object is smaller than a second preset value, if so, reducing the preset path length, and re-acquiring the characterization vector until the number of the monitoring objects similar to the reference object is between the first preset value and the second preset value.
3. The method for monitoring abnormal behavior of an enterprise according to claim 2, wherein after the step of obtaining the characterization vector of each monitored object, the method further comprises:
acquiring an update data set, judging whether the update data set contains a reference object, if so, updating the directed graph based on the update data set, updating the characterization vectors of all original monitoring objects, and acquiring the characterization vectors of newly added monitoring objects;
otherwise, after updating the directed graph based on an updating data set, acquiring a local directed sequence from the directed graph by taking a newly added monitoring object as a starting point or an ending point, inputting the local directed sequence into a preset Skip-gram model, updating the characterization vector of the monitoring object in the local directed sequence, and acquiring the characterization vector of the newly added monitoring object.
4. The method for monitoring abnormal behavior of an enterprise according to claim 3, wherein after the step of generating a plurality of directed sequences based on the start point and a preset path length, the method further comprises:
and taking the directed sequence with the actual path length smaller than the preset path length as a short sequence, judging whether the number of the short sequences exceeds a third preset value, and if so, reducing the preset path length until the number of the short sequences is smaller than the third preset value.
5. The method for monitoring abnormal behaviors of an enterprise according to any one of claims 1 to 4, wherein the directed sequence is divided into an upstream node, an intermediate node and a downstream node according to node directions, and the step of inputting the directed sequence into a preset Skip-gram model to obtain a characterization vector of each monitoring object includes:
characterizing each monitoring object in the directed sequence by using an initial vector, and initializing a first weight matrix and a second weight matrix, wherein each row of the first weight matrix corresponds to a vector when each monitoring object is used as an intermediate node, and each column of the second weight matrix corresponds to a vector when each monitoring object is used as an upstream node or a downstream node;
When each monitoring object is used as an intermediate node based on the first weight matrix and the second weight matrix, calculating the probability of the monitoring objects of the upstream node and the downstream node in the directed sequence, namely conditional probability, and updating the vector when each monitoring object is used as the intermediate node by adopting a gradient descent algorithm based on the conditional probability to obtain the characterization vector and updating the first weight matrix.
6. The method for monitoring abnormal behavior of an enterprise according to claim 5, wherein when the vector of each monitoring object as an intermediate node is updated using a gradient descent algorithm based on the conditional probability, the method further comprises updating the vector of the monitoring object as an upstream node or a downstream node to update the second weight matrix.
7. The method for monitoring abnormal behaviors of an enterprise according to claim 5, wherein when calculating the similarity between the reference object and the rest of the monitoring objects according to the characterization vector, the method specifically uses cosine similarity for calculation.
8. A monitoring system for abnormal behavior of an enterprise, comprising:
the data acquisition module is used for acquiring a data set of a plurality of monitoring objects in a set area, wherein the monitoring objects comprise at least one reference object, the data set comprises associated data of each monitoring object and transaction data, the associated data are used for representing subordinate relations among the monitoring objects, and the transaction data are used for representing fund flow directions among the monitoring objects;
The directed graph construction module is used for constructing a monitoring object relation table according to the subordinate relation and the fund flow direction, screening the monitoring object relation table according to a preset white list to obtain a target monitoring object relation table, and constructing a directed graph based on the target monitoring object relation table, wherein the directed graph is provided with a plurality of nodes, and each node corresponds to one monitoring object;
the vector acquisition module is used for arbitrarily selecting a starting point in the directed graph by adopting a random walk mode, generating a plurality of directed sequences based on the starting point and a preset path length, and inputting the directed sequences into a preset Skip-gram model to obtain a characterization vector of each monitoring object;
and the monitoring module is used for calculating the similarity between the reference object and the rest of monitoring objects according to the characterization vector, analyzing the transaction data of the monitoring objects with the similarity meeting the preset condition to extract common characteristics, and carrying out illegal funding behavior monitoring on the monitoring objects or designated monitoring objects with the similarity meeting the preset condition according to the common characteristics.
9. A computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the method of monitoring for abnormal behaviour of an enterprise as claimed in any one of claims 1 to 7 when the computer program is executed.
10. A computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the method for monitoring abnormal behaviour of an enterprise according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311484122.8A CN117236721A (en) | 2023-11-09 | 2023-11-09 | Monitoring method, system, computer equipment and storage medium for enterprise abnormal behavior |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311484122.8A CN117236721A (en) | 2023-11-09 | 2023-11-09 | Monitoring method, system, computer equipment and storage medium for enterprise abnormal behavior |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117236721A true CN117236721A (en) | 2023-12-15 |
Family
ID=89095063
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311484122.8A Pending CN117236721A (en) | 2023-11-09 | 2023-11-09 | Monitoring method, system, computer equipment and storage medium for enterprise abnormal behavior |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117236721A (en) |
Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110807103A (en) * | 2019-10-18 | 2020-02-18 | ***股份有限公司 | Knowledge graph construction method and device, electronic equipment and storage medium |
| CN112307272A (en) * | 2020-10-30 | 2021-02-02 | 杭州海康威视数字技术股份有限公司 | Method and device for determining relation information between objects, computing equipment and storage medium |
| CN112418386A (en) * | 2020-12-10 | 2021-02-26 | 北京理工大学 | Network embedding method based on network structure information entropy |
| CN112819175A (en) * | 2021-01-14 | 2021-05-18 | 中博信征信有限公司 | Method, device, equipment and storage medium for identifying illegal legal account |
| CN113094594A (en) * | 2021-03-22 | 2021-07-09 | 北京海致星图科技有限公司 | Similar financial community network mining algorithm based on graph partitioning algorithm and graph embedding algorithm |
| CN113094595A (en) * | 2021-04-08 | 2021-07-09 | 中国工商银行股份有限公司 | Object recognition method, device, computer system and readable storage medium |
| CN113177841A (en) * | 2021-05-26 | 2021-07-27 | 中国工商银行股份有限公司 | Abnormal community identification method, device and equipment |
| CN114372869A (en) * | 2022-01-06 | 2022-04-19 | 中国工商银行股份有限公司 | Capital flow direction monitoring method, device and computer program product |
| CN114638704A (en) * | 2022-04-07 | 2022-06-17 | 中国工商银行股份有限公司 | Illegal fund transfer identification method and device, electronic equipment and storage medium |
| CN115269924A (en) * | 2022-06-22 | 2022-11-01 | 阿里云计算有限公司 | Link completion method and device, computer readable storage medium and electronic equipment |
| CN115271939A (en) * | 2022-06-20 | 2022-11-01 | 支付宝(杭州)信息技术有限公司 | Method and device for identifying fund link group, computing equipment and medium |
| CN115905309A (en) * | 2022-12-30 | 2023-04-04 | 奇安信网神信息技术(北京)股份有限公司 | Similar entity searching method and device, computer equipment and readable storage medium |
| CN116502132A (en) * | 2022-01-18 | 2023-07-28 | 腾讯科技(深圳)有限公司 | Account set identification method, device, equipment, medium and computer program product |
-
2023
- 2023-11-09 CN CN202311484122.8A patent/CN117236721A/en active Pending
Patent Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110807103A (en) * | 2019-10-18 | 2020-02-18 | ***股份有限公司 | Knowledge graph construction method and device, electronic equipment and storage medium |
| CN112307272A (en) * | 2020-10-30 | 2021-02-02 | 杭州海康威视数字技术股份有限公司 | Method and device for determining relation information between objects, computing equipment and storage medium |
| CN112418386A (en) * | 2020-12-10 | 2021-02-26 | 北京理工大学 | Network embedding method based on network structure information entropy |
| CN112819175A (en) * | 2021-01-14 | 2021-05-18 | 中博信征信有限公司 | Method, device, equipment and storage medium for identifying illegal legal account |
| CN113094594A (en) * | 2021-03-22 | 2021-07-09 | 北京海致星图科技有限公司 | Similar financial community network mining algorithm based on graph partitioning algorithm and graph embedding algorithm |
| CN113094595A (en) * | 2021-04-08 | 2021-07-09 | 中国工商银行股份有限公司 | Object recognition method, device, computer system and readable storage medium |
| CN113177841A (en) * | 2021-05-26 | 2021-07-27 | 中国工商银行股份有限公司 | Abnormal community identification method, device and equipment |
| CN114372869A (en) * | 2022-01-06 | 2022-04-19 | 中国工商银行股份有限公司 | Capital flow direction monitoring method, device and computer program product |
| CN116502132A (en) * | 2022-01-18 | 2023-07-28 | 腾讯科技(深圳)有限公司 | Account set identification method, device, equipment, medium and computer program product |
| CN114638704A (en) * | 2022-04-07 | 2022-06-17 | 中国工商银行股份有限公司 | Illegal fund transfer identification method and device, electronic equipment and storage medium |
| CN115271939A (en) * | 2022-06-20 | 2022-11-01 | 支付宝(杭州)信息技术有限公司 | Method and device for identifying fund link group, computing equipment and medium |
| CN115269924A (en) * | 2022-06-22 | 2022-11-01 | 阿里云计算有限公司 | Link completion method and device, computer readable storage medium and electronic equipment |
| CN115905309A (en) * | 2022-12-30 | 2023-04-04 | 奇安信网神信息技术(北京)股份有限公司 | Similar entity searching method and device, computer equipment and readable storage medium |
Non-Patent Citations (2)
| Title |
|---|
| LYRICHU: "介绍一个全局最优化的方法:随机游走算法(random walk)", pages 1 - 3, Retrieved from the Internet <URL:https://www.cnblogs.com/lyrichu/p/7209529.html> * |
| UQI-LIUWJ: "NLP笔记:Skip-gram", pages 1 - 8, Retrieved from the Internet <URL:https://blog.csdn.net/qq_40206371/article/details/118448249> * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10958748B2 (en) | Resource push method and apparatus | |
| CN111784348B (en) | Account risk identification method and device | |
| CN113360580B (en) | Abnormal event detection method, device, equipment and medium based on knowledge graph | |
| CN110827924B (en) | Clustering method and device for gene expression data, computer equipment and storage medium | |
| CN112394908A (en) | Method and device for automatically generating embedded point page, computer equipment and storage medium | |
| WO2019061664A1 (en) | Electronic device, user's internet surfing data-based product recommendation method, and storage medium | |
| CN113806653B (en) | Page preloading method, device, computer equipment and storage medium | |
| CN110798440A (en) | Abnormal user detection method, device and system and computer storage medium | |
| CN113221104A (en) | User abnormal behavior detection method and user behavior reconstruction model training method | |
| CN114124460A (en) | Industrial control system intrusion detection method and device, computer equipment and storage medium | |
| CN113538070A (en) | User life value cycle detection method and device and computer equipment | |
| CN116684330A (en) | Traffic prediction method, device, equipment and storage medium based on artificial intelligence | |
| CN110674397B (en) | Method, device, equipment and readable medium for training age point prediction model | |
| CN115757075A (en) | Task abnormity detection method and device, computer equipment and storage medium | |
| CN113886821A (en) | Malicious process identification method and device based on twin network, electronic equipment and storage medium | |
| CN117234844A (en) | Cloud server abnormality management method and device, computer equipment and storage medium | |
| CN116644298A (en) | Method for detecting performance of network attack detection model and related equipment thereof | |
| CN117236721A (en) | Monitoring method, system, computer equipment and storage medium for enterprise abnormal behavior | |
| CN113590447B (en) | Buried point processing method and device | |
| CN115099875A (en) | Data classification method based on decision tree model and related equipment | |
| CN114925275A (en) | Product recommendation method and device, computer equipment and storage medium | |
| CN114581086A (en) | Phishing account detection method and system based on dynamic time sequence network | |
| CN114219664A (en) | Product recommendation method and device, computer equipment and storage medium | |
| CN114897290A (en) | Evolution identification method and device of business process, terminal equipment and storage medium | |
| CN114090407A (en) | Interface performance early warning method based on linear regression model and related equipment thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |