CN118134634A

CN118134634A - Internet credit integrated management system

Info

Publication number: CN118134634A
Application number: CN202410553079.4A
Authority: CN
Inventors: 吴成林; 卢通; 蔡成成; 张龙; 李元博; 温小军
Original assignee: Wuxi Xishang Bank Co ltd
Current assignee: Wuxi Xishang Bank Co ltd
Priority date: 2024-05-07
Filing date: 2024-05-07
Publication date: 2024-06-04

Abstract

The invention discloses an internet credit comprehensive management system, which particularly relates to the technical field of internet credit management, and comprises the steps of acquiring running state information, regional network environment information and identity authentication fluctuation information of terminal identity authentication equipment, evaluating potential intrusion hidden dangers from multiple factor angles, comparing an evaluation result with an intrusion hidden danger threshold, classifying the intrusion hidden dangers, rapidly and accurately determining whether an intruder risks entering a borrowing platform along with a borrower, acquiring operation behavior information and intruded response information of the borrower on the borrowing platform when the intrusion hidden dangers are detected, constructing a behavior analysis abnormal model, further improving identification accuracy, generating different early warning signals by the generated behavior analysis abnormal indexes and abnormal early warning thresholds, timely reminding a platform manager of possible safety risks, enhancing trust feeling of the borrower on the borrowing platform, and improving user satisfaction and loyalty.

Description

Internet credit integrated management system

Technical Field

The invention relates to the technical field of internet credit management, in particular to an internet credit integrated management system.

Background

In recent years, with the wide application of internet technology, the rapid development of commercial banking internet credit consumption plays an important role in promoting resident consumption, forcefully promotes the consumption upgrade, and becomes a new engine for pulling economic growth. Commercial banks rely on internet technology to issue personal consumption loans to the applicant in an online automatic information capturing, automatic approval and automatic paying mode. Compared with traditional consumed credit, the internet consumed credit has obvious advantages in the aspects of customer acquisition, flow management, loan efficiency and the like. But not to be neglected, the wide application of internet technology also makes data easier to disguise, so that the risk management difficulty of commercial banks is increased.

In the loan application process, borrowers need to carry out identity verification through a credit platform, including voice, face and other biological recognition technologies. However, due to the variability of the terminal identity authentication device used by different borrowers and the network environment where the terminal identity authentication device is located, security holes may exist, and an intruder may use the holes to enter the lending platform along with the borrowers and try to perform intrusion operation, the existing credit management system cannot timely sense the hidden danger of intrusion in the identity authentication process, and lack of a general judgment standard, so that the intruder has an opportunity to perform intrusion in the identity authentication process, and perform intrusion operation on the credit platform by using the identity of the borrower in the subsequent process, so that the trust of the borrower to the credit platform is continuously reduced, for example, personal information is stolen: an intruder may steal personal information, including identification numbers, contact addresses, home addresses, etc., by accessing the borrower's account and personal data, which may be used to misappropriate the identity or otherwise conduct fraudulent activities. Tampering with the loan data: an intruder may modify the borrower's loan application data, including the amount of the loan, the repayment period, etc., resulting in a change in the contents of the loan contract, resulting in a loss for the borrower and the borrower's institution. Manipulating account funds: an intruder may attempt to manipulate funds in the borrower account, including transferring funds to other accounts, virtual currency transactions, etc., resulting in financial loss or impaired credit records for the borrower.

In order to solve the above-mentioned defect, a technical scheme is provided.

Disclosure of Invention

In order to overcome the above-mentioned drawbacks of the prior art, an embodiment of the present invention provides an integrated management system for internet credit, so as to solve the above-mentioned problems set forth in the background art.

In order to achieve the above purpose, the present invention provides the following technical solutions:

An internet credit comprehensive management system comprises an intrusion hidden danger detection module, an intrusion hidden danger classification module, a behavior analysis module and an abnormality early warning module;

The intrusion hidden danger detection module is used for acquiring the running state information, the regional network environment information and the identity authentication fluctuation information of the terminal identity authentication equipment when the borrower performs identity authentication, and evaluating the intrusion hidden danger according to the running state information, the regional network environment information and the identity authentication fluctuation information of the terminal identity authentication equipment;

The intrusion hidden danger classification module is used for comparing the evaluation result with an intrusion hidden danger threshold value and classifying whether an intruder intrudes into a lending platform along with a borrower or not;

The behavior analysis module is used for acquiring the operation behavior information and the invaded response information of the borrower on the lending platform when the invasion hidden danger exists, constructing a behavior analysis abnormal model according to the operation behavior information and the invaded response information of the borrower on the lending platform, and generating a behavior analysis abnormal index;

The abnormal early warning module is used for comparing the behavior analysis abnormal index with an abnormal early warning threshold value, generating early warning signals of different categories, and taking different prevention and control measures according to the early warning signals of different categories.

In a preferred embodiment, the running state information of the terminal identity authentication device comprises a security patch defect coefficient and a sensitive directory access rising rate, the network environment information of the area comprises a network connection disconnection delay coefficient, and the identity authentication fluctuation information comprises an abnormal authentication fluctuation coefficient;

marking the security patch defect coefficient, the sensitive directory access rising rate, the network connection disconnection delay coefficient and the abnormal authentication fluctuation coefficient as follows 。

In a preferred embodiment, the security patch defect coefficients are obtained by the following logic:

Counting the quantity sl of the software installed on the terminal identity authentication equipment, and collecting the information of the software installed on the terminal identity authentication equipment, wherein the information comprises a software name and a version number;

Comparing the name and version number of the installed software with a known security hole database, recording the number af of the type of the security patch which is not applied to the software and the version difference cz when the known security hole exists in the software, wherein the version difference is the number of the security patch versions which exist between the version of the security patch which is already applied and the latest security patch version, counting the number la of the software which has the known security hole, calculating a security patch defect coefficient, and the expression is as follows ；

The sensitive directory access ramp rate acquisition logic is as follows:

Defining sensitive directories, determining which directories are defined as sensitive directories;

Acquiring the access number ci of the sensitive directory, setting a reference value jz of the access number of the sensitive directory, and calculating the access rising rate of the sensitive directory when the access number ci of the sensitive directory is larger than the reference value jz, wherein the expression is as follows In the followingIndicating the number of accesses to the sensitive directory at the initial point in time,Indicating the number of accesses to the sensitive directory at a subsequent point in time,A time period representing an interval;

The acquisition logic of the network connection disconnection delay coefficient is as follows:

Collecting network connection data once at fixed time intervals, recording connection states including normal states and disconnection states, recording connection time of network connection of the terminal identity authentication equipment again when the terminal identity authentication equipment is in the disconnection state, comparing the connection time with a preset connection time threshold, marking the connection time greater than the preset connection time threshold as delay time when the connection time is greater than the preset connection time threshold, counting disconnection times k of each time interval time, and delaying the total time I represents the sequence number of network connection data acquisition of borrower during identity authentication by using terminal identity authentication equipment, i=1, 2,3, 4, … …, n is a positive integer, n represents n pieces of data in total, and the network connection disconnection delay coefficient is calculated, with the expression as follows；

The acquisition logic of the abnormal authentication fluctuation coefficient is as follows:

During the identity authentication of borrowers by using terminal identity authentication equipment, recording the state of each authentication, including success and failure, counting the authentication success times ck and failure times sc in each time period, and calculating the failure ratio sa, wherein the expression is as follows And calculates an abnormal authentication fluctuation coefficient based on the failure ratio, the expression is as followsWherein m represents the number of time periods,Indicating the failure ratio of the jth time period,Mean value of failure ratio is expressed as follows。

In a preferred embodiment, the security patch defect coefficient, the sensitive directory access rising rate, the network connection disconnection delay coefficient and the abnormal authentication fluctuation coefficient are normalized, and an intrusion risk assessment model is constructed according to the normalized security patch defect coefficient, the sensitive directory access rising rate, the network connection disconnection delay coefficient and the abnormal authentication fluctuation coefficient to generate an intrusion risk assessment indexThe formula according to which is as followsIn the followingRespectively representing the preset proportionality coefficients of the security patch defect coefficient, the sensitive directory access rising rate, the network connection disconnection delay coefficient and the abnormal authentication fluctuation coefficient,Are all greater than 0.

In a preferred embodiment, the intrusion hidden danger classification module is configured to compare the evaluation result with an intrusion hidden danger threshold value, and classify whether the intruder would accompany the intrusion of the borrower to the lending platform, which specifically includes the following steps:

If the intrusion risk assessment index is greater than the intrusion hidden danger threshold, marking the login operation of the borrower this time as the login operation with the intrusion hidden danger;

if the intrusion risk assessment index is smaller than or equal to the intrusion hidden danger threshold, marking the login operation of the borrower this time as the login operation without the intrusion hidden danger.

In a preferred embodiment, in the behavior analysis module, the operation behavior information of the borrower on the lending platform includes a multidimensional crowd behavior deviation coefficient, and the invaded response information includes an invasion detection response duty ratio coefficient;

respectively marking the multidimensional crowd behavior deviation coefficient and the intrusion detection response duty ratio coefficient as 。

In a preferred embodiment, the logic for obtaining the multidimensional population behavior deviation coefficients is as follows:

acquiring a plurality of groups of historical behavior operation data of the current borrower on a lending platform, and simultaneously acquiring historical behavior operation data of other borrowers in the same time period, wherein the historical behavior operation data comprise, but are not limited to, average stay time of the platform, transaction times, transaction amount, transaction types and personal data change times;

the similarity matching algorithm is used for matching out similar borrowers, and the method is specifically as follows:

In order to facilitate distinguishing between the current borrower being marked as an A borrower, the other borrowers being matched are marked as B borrowers, and meanwhile, the historical behavior operation data is used as similar information and marked as an information set, such as ，; And each element in the collection represents different similar information of the borrower;

Step one, representing a borrower similarity information set as a vector, wherein each element in the set represents each dimension of the vector, and simultaneously obtaining the borrower similarity information set by normalizing the similarity information in the set, and marking the borrower similarity information set as ，；

Step two, calculating the norm of each vector, namely the modulus of the vector, and marking the norms of the two vectors as respectivelyAndThe norm calculation formula of the vector isAnd；

Step three, calculating the inner product of the two vectors, namely multiplying the value of each corresponding dimension of the vector A by the value of the corresponding dimension of the vector B, and adding all the products, wherein the calculation formula of the inner product is as follows；

Step four, calculating cosine similarity: calculating similarity coefficients of the two vectors by using a cosine similarity calculation formula through the obtained vector norm and vector inner product, wherein the expression is thatIn which, in the process,Is the borrower similarity coefficient;

When borrower similarity coefficient When the borrowing person is in the range of [0.9,1], adding the matched B-type borrower into a similar borrower set;

Acquiring behavior operation data of a borrower in a current time period of the borrowing platform, monitoring whether similar borrowers exist on the borrowing platform in the current time period, and acquiring the behavior operation data of the similar borrowers if the similar borrowers exist;

calculating multidimensional crowd behavior deviation coefficients In which, in the process,Representing the borrower's first time period in the borrowing platformThe dimensional behavior is performed on the data,Operational data representing historical behaviorGroup 1Dimension action operation data, u=1, 2, 3, 4, … …, r is a positive integer,Represent the firstA first similar borrowerMaintaining behavior operation data;

the intrusion detection response duty ratio coefficient is calculated as follows In the followingIndicating that borrowers are not able to be invaded by attackersThe number of times that it is detected in time,Indicating that borrower is invaded by attackerThe number of times detected in time.

In a preferred embodiment, normalizing the multidimensional crowd behavior deviation coefficient and the intrusion detection response duty ratio coefficient, constructing a behavior analysis anomaly model according to the normalized multidimensional crowd behavior deviation coefficient and intrusion detection response duty ratio coefficient, and generating a behavior analysis anomaly indexThe formula according to which is as followsIn the followingRespectively representing the preset proportionality coefficients of the behavior deviation coefficients and the intrusion detection response duty ratio coefficients of the multidimensional crowd,Are all greater than 0.

In a preferred embodiment, the anomaly early warning module is configured to compare the behavioral analysis anomaly index with an anomaly early warning threshold value to generate early warning signals of different categories, where the classification situations are as follows:

if the behavior analysis abnormality index is larger than the abnormality early warning threshold, generating a high risk early warning signal;

and if the behavior analysis abnormality index is smaller than or equal to the abnormality early warning threshold, generating a low risk early warning signal.

The invention has the technical effects and advantages that:

1. According to the invention, through acquiring the running state information, the regional network environment information and the identity authentication fluctuation information of the terminal identity authentication equipment, potential intrusion hidden dangers are evaluated from multiple factor angles, the evaluation results are compared with the intrusion hidden dangers, the intrusion hidden dangers are classified, whether the risk of an intruder entering a borrowing platform along with a borrower is rapidly and accurately determined, when the intrusion hidden dangers are detected, the operation behavior information and the intruded response information of the borrower on the borrowing platform are acquired, an abnormal behavior analysis model is constructed, the recognition accuracy is further improved, the generated abnormal behavior analysis index and an abnormal early warning threshold are generated, different early warning signals are generated, the platform manager is timely reminded of possible safety risks, the trust feeling of the borrower on the borrowing platform is enhanced, and the satisfaction degree and the loyalty degree of a user are improved.

Drawings

For the convenience of those skilled in the art, the present invention will be further described with reference to the accompanying drawings;

Fig. 1 is a schematic structural diagram of a system according to an embodiment of the present invention.

Detailed Description

The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

Examples

The invention provides an Internet credit comprehensive management system shown in figure 1, which comprises an intrusion hidden danger detection module, an intrusion hidden danger classification module, a behavior analysis module and an abnormality early warning module;

The running state information of the terminal identity authentication equipment comprises a security patch defect coefficient and a sensitive directory access rising rate, the network environment information of the area comprises a network connection disconnection delay coefficient, and the identity authentication fluctuation information comprises an abnormal authentication fluctuation coefficient;

marking the security patch defect coefficient, the sensitive directory access rising rate, the network connection disconnection delay coefficient and the abnormal authentication fluctuation coefficient as follows ；

The security patch defect coefficient is used for measuring the application conditions of software installed on the terminal identity authentication equipment and the corresponding security patch, and the software of the security patch which is not applied possibly has known security holes, so that the terminal identity authentication equipment is more vulnerable to invasion of an attacker, and the higher the security patch defect coefficient is, the worse the running state of the terminal identity authentication equipment is, the higher the facing security risk is, and the probability of having invasion hidden danger is higher;

The acquisition logic of the security patch defect coefficients is as follows:

The rising rate of the access of the sensitive directory refers to an index of whether the borrower has abnormal rising of the access activity of the sensitive directory on the terminal identity authentication device during the identity authentication by using the terminal identity authentication device, and in general, the sensitive directory contains folders storing sensitive data or key files, and access to the directories may expose important information of the borrower. When the access activity of the sensitive directory is abnormally increased, the borrower may be implied that the borrower has a potential safety hazard of invasion of an attacker during the process of identity authentication by using the terminal identity authentication equipment.

The greater the access rising rate of the sensitive catalogue, the higher the abnormal rising degree of the access activity of the sensitive catalogue during the identity authentication of a borrower by using the terminal identity authentication equipment, and the greater the probability of intrusion hidden danger;

The sensitive directory access ramp rate acquisition logic is as follows:

Defining sensitive directories, determining which directories are defined as sensitive directories, wherein the directories generally comprise folders storing sensitive data or key files, for example, personal identity information of borrowers, such as names, identity card numbers, mobile phone numbers, financial information of borrowers, such as bank account numbers, loan application records, credit decision models or algorithm related files, such as grading cards, model parameters and training data;

It should be noted that, the definition of the sensitive directory is set and adjusted by those skilled in the art according to the actual requirements of different credit platforms;

It should be noted that, the number of accesses to the sensitive directory may be obtained by using a special monitoring tool, and the reference value of the number of accesses to the sensitive directory may be determined by a person skilled in the art according to a plurality of sets of historical data, by analyzing the distribution and variation trend of the number of accesses to the sensitive directory in different time periods, and according to the analysis result, the reference value may be an average value, a median value, or other suitable statistics;

The network connection disconnection delay coefficient refers to an important index of the network connection condition of the terminal identity authentication equipment during the identity authentication of a borrower by using the terminal identity authentication equipment, reflects the connection stability and the delay condition between the terminal identity authentication equipment and a network, and means that the higher the network connection disconnection delay coefficient is, the more unstable the network connection of the terminal identity authentication equipment is, the more serious the disconnection and the delay condition is, the more opportunities and conditions are provided for an attacker to invade, and the higher the probability of hidden invasion is;

the higher the network connection disconnection delay coefficient, the more vulnerable the attacker is to intrusion, including:

Network instability increases the attack window: network connection disconnection and delay means that the terminal device cannot communicate with the network for a period of time, which provides an attacker with more time windows, which can conduct an attack before the network connection is restored.

Network defense capability is reduced: network connection disconnection and delay can affect the normal operation and response capabilities of the network security defense system, making network defense measures less effective, thereby increasing the likelihood of successful intrusion by an attacker.

Causing an anomaly in the authentication process: if the network connection is abnormal in the identity authentication process, the authentication process may be interrupted or failed, thereby providing an attacker with an opportunity to make intrusion by using the authentication interruption.

The abnormal authentication fluctuation coefficient refers to fluctuation degrees of successful and failed identity authentication of a borrower during the process of using terminal identity authentication equipment to conduct identity authentication, and the more severe the fluctuation degrees of the identity authentication are, the more likely the system is to be interfered by the outside, and the more likely an attacker tries different attack means, namely the higher the probability of existing invasion hidden danger is;

During the identity authentication of borrowers by using the terminal identity authentication device, recording the state of each authentication, including success and failure, counting the authentication success times ck and failure times sc in each time period (for example, each minute), and calculating the failure ratio sa, wherein the expression is as follows And calculates an abnormal authentication fluctuation coefficient based on the failure ratio, the expression is as followsWherein m represents the number of time periods,Indicating the failure ratio of the jth time period,Mean value of failure ratio is expressed as follows；

Normalizing the security patch defect coefficient, the sensitive directory access rising rate, the network connection disconnection delay coefficient and the abnormal authentication fluctuation coefficient, constructing an intrusion risk assessment model according to the normalized security patch defect coefficient, the normalized sensitive directory access rising rate, the normalized network connection disconnection delay coefficient and the normalized abnormal authentication fluctuation coefficient, and generating an intrusion risk assessment indexThe formula according to which is as followsIn the followingRespectively representing the preset proportionality coefficients of the security patch defect coefficient, the sensitive directory access rising rate, the network connection disconnection delay coefficient and the abnormal authentication fluctuation coefficient,Are all greater than 0;

According to the calculation expression, the greater the security patch defect coefficient, the greater the rising rate of the sensitive directory access, the greater the network connection disconnection delay coefficient and the greater the abnormal authentication fluctuation coefficient, the greater the intrusion risk assessment index is, which indicates that the higher the probability of intrusion hidden danger exists during the identity authentication of a borrower by using the terminal identity authentication equipment, otherwise, the smaller the security patch defect coefficient, the smaller the rising rate of the sensitive directory access, the smaller the network connection disconnection delay coefficient and the smaller the abnormal authentication fluctuation coefficient are, the smaller the intrusion risk assessment index is, which indicates that the lower the probability of intrusion hidden danger exists during the identity authentication of the borrower by using the terminal identity authentication equipment;

The intrusion hidden danger classification module is used for comparing the evaluation result with an intrusion hidden danger threshold value to classify whether an intruder intrudes into a lending platform along with a borrower or not, and specifically comprises the following steps:

If the intrusion risk assessment index is larger than the intrusion hidden danger threshold, the probability that the borrower has intrusion risk during the identity authentication by using the terminal identity authentication equipment is larger, the borrower possibly enters a lending platform to perform intrusion operation along with the borrower, and the login operation of the borrower at the time is marked as the login operation with the intrusion hidden danger;

If the intrusion risk assessment index is smaller than or equal to the intrusion hidden danger threshold, the probability of intrusion risk existing in the identity authentication period of the borrower by using the terminal identity authentication equipment is lower, and the login operation of the borrower at the present time is marked as the login operation without the intrusion hidden danger;

When the login operation of the borrower is marked as the existence of an intrusion hidden trouble, continuously tracking the operation access activity of the borrower on the lending platform, acquiring the operation behavior information of the borrower on the lending platform, and simultaneously combining the intrusion response information of the borrower, and performing behavior analysis on the borrower marked as the existence of an intrusion risk, wherein the operation behavior information of the borrower on the lending platform comprises a multidimensional crowd behavior deviation coefficient, and the intrusion response information comprises an intrusion detection response duty ratio coefficient;

respectively marking the multidimensional crowd behavior deviation coefficient and the intrusion detection response duty ratio coefficient as ；

The multidimensional crowd behavior deviation coefficient refers to analysis of the operation behaviors of the borrower on the lending platform from crowds with multiple dimensions, and is used for measuring whether the operation behaviors of the borrower on the lending platform have important indexes of abnormal behaviors, the existing abnormal behavior detection methods are all used for comparing the behavior operation of the borrower with the past historical behavior operation, and as the uniformity of the abnormal behavior detection method is added with the detection logic of the invader familiar with the abnormal behavior detection method, the abnormal behavior detection method possibly fails, so that whether the operation behaviors of the borrower on the lending platform have abnormality is further analyzed by calculating the multidimensional crowd behavior deviation coefficient;

the larger the multidimensional crowd behavior deviation coefficient is, the abnormal hidden danger exists in the operation behavior of borrowers on a lending platform, and the sensitivity and timeliness of early warning need to be improved;

the acquisition logic of the multidimensional crowd behavior deviation coefficient is as follows:

It should be noted that the number of the substrates, Respectively representing the average stay time of the platform of the borrower A, the transaction times, the transaction amount, the transaction type and the personal data change times; Respectively representing the average stay time of the platform of the borrower B, the transaction times, the transaction amount, the transaction type and the personal data change times;

Step three, the inner product of the two vectors is calculated, i.e. the value of each corresponding dimension of vector a is multiplied by the value of the corresponding dimension of vector B, and then all the products are added. The inner product has the calculation formula of；

Step four, calculating cosine similarity: calculating similarity coefficients of the two vectors by using a cosine similarity calculation formula through the obtained vector norm and vector inner product, wherein the expression is thatIn which, in the process,Is a borrower similarity coefficient.

Cosine similarity indicates the degree of similarity of two vectors in a specified feature space. The numerical range is between-1 and 1, the closer the value is to 1, the more similar the two vectors are, namely the two vectors have higher matching degree, and the closer the included angle is to 0 degree; the closer the value is to-1, the more dissimilar the two vectors are, i.e. the lower the matching degree of the two vectors is, the closer the included angle is to 180 degrees; a value of 0 indicates that the two vectors are perfectly orthogonal, with no similarity.

When borrower similarity coefficientWhen the borrowing person is in the range of [0.9,1], adding the matched B-type borrower into a similar borrower set;

The intrusion detection response duty ratio coefficient is used for measuring whether the borrower can be detected in a shorter time when the borrower is invaded by an attacker in the history access record of the borrower, and the larger the intrusion detection response duty ratio coefficient is, the higher the importance degree of the borrower in the eyes of the attacker is, the deeper the degree of invasion is, and the higher the probability of the borrower being truly invaded is reflected; the intrusion detection response duty ratio coefficient is calculated as follows In the followingIndicating that borrowers are not able to be invaded by attackersThe number of times that it is detected in time,Indicating that borrower is invaded by attackerThe number of times detected in time;

Normalizing the multidimensional crowd behavior deviation coefficient and the intrusion detection response duty ratio coefficient, constructing a behavior analysis abnormal model according to the normalized multidimensional crowd behavior deviation coefficient and intrusion detection response duty ratio coefficient, and generating a behavior analysis abnormal index The formula according to which is as followsIn the followingRespectively representing the preset proportionality coefficients of the behavior deviation coefficients and the intrusion detection response duty ratio coefficients of the multidimensional crowd,Are all greater than 0;

According to the calculation expression, the larger the multidimensional crowd behavior deviation coefficient is, the larger the intrusion detection response ratio coefficient is, the larger the behavior analysis abnormality index is, the behavior operation of the borrower on the lending platform is in an abnormal state, meanwhile, the importance degree of the borrower in the eyes of an attacker is combined, the sensitivity and timeliness of early warning need to be improved, otherwise, the smaller the multidimensional crowd behavior deviation coefficient is, the smaller the intrusion detection response ratio coefficient is, the smaller the behavior analysis abnormality index is, the behavior operation of the borrower on the lending platform is in a normal state, the lower the probability that the borrower is invaded is, and frequent early warning is not needed;

The abnormal early warning module is used for comparing the behavior analysis abnormal index with an abnormal early warning threshold value to generate early warning signals of different categories, and taking different prevention and control measures according to the early warning signals of different categories, and specifically comprises the following steps:

If the behavioral analysis abnormality index is larger than an abnormality early warning threshold, the behavioral operation of the borrower on the lending platform is in an abnormal state, and meanwhile, the sensitivity and timeliness of early warning are required to be improved by combining the importance degree of the borrower in the eyes of an attacker, so that a high-risk early warning signal is generated;

if the behavioral analysis abnormality index is smaller than or equal to the abnormality early warning threshold, the behavioral operation of the borrower on the lending platform is slightly abnormal, and a low-risk early warning signal is generated;

Different prevention and control measures are adopted according to different types of early warning signals, for example, when a high risk early warning signal is generated, account operation of borrowers needs to be immediately suspended, and deep investigation and auditing are performed. Notifying relevant departments or authorities to perform further processing and associating borrowers to verify the identity and activities of the borrowers, suggesting the borrowers to update passwords, enabling security measures such as two-factor identity verification and the like so as to ensure account security; when a low-risk early warning signal is generated, monitoring of the borrower account is enhanced, auditing frequency and severity are improved, a reminding notification is sent, the borrower is prompted that abnormal behaviors possibly exist, the borrower is suggested to check account safety settings, account activities are noted, and the like;

According to the invention, through acquiring the running state information, the regional network environment information and the identity authentication fluctuation information of the terminal identity authentication equipment, potential intrusion hidden dangers are evaluated from multiple factor angles, the evaluation results are compared with the intrusion hidden dangers, the intrusion hidden dangers are classified, whether the risk of an intruder entering a borrowing platform along with a borrower is rapidly and accurately determined, when the intrusion hidden dangers are detected, the operation behavior information and the intruded response information of the borrower on the borrowing platform are acquired, an abnormal behavior analysis model is constructed, the recognition accuracy is further improved, the generated abnormal behavior analysis index and an abnormal early warning threshold are generated, different early warning signals are generated, the platform manager is timely reminded of possible safety risks, the trust feeling of the borrower on the borrowing platform is enhanced, and the satisfaction degree and the loyalty degree of a user are improved.

The above formulas are all formulas with dimensions removed and numerical values calculated, the formulas are formulas with a large amount of data collected for software simulation to obtain the latest real situation, and preset parameters in the formulas are set by those skilled in the art according to the actual situation.

The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any other combination. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. When the computer instructions or computer program are loaded or executed on a computer, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website site, computer, server, or data center to another website site, computer, server, or data center by wired or wireless means (e.g., infrared, wireless, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more sets of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.

It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.

The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.

The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.

The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims

1. An internet credit integrated management system is characterized in that: the system comprises an intrusion hidden danger detection module, an intrusion hidden danger classification module, a behavior analysis module and an abnormality early warning module;

2. The internet credit integrated management system according to claim 1, wherein: the running state information of the terminal identity authentication equipment comprises a security patch defect coefficient and a sensitive directory access rising rate, the network environment information of the area comprises a network connection disconnection delay coefficient, and the identity authentication fluctuation information comprises an abnormal authentication fluctuation coefficient;

3. The internet credit integrated management system according to claim 2, wherein: the acquisition logic of the security patch defect coefficients is as follows:

The sensitive directory access ramp rate acquisition logic is as follows:

Acquiring the access number ci of the sensitive directory, setting a reference value jz of the access number of the sensitive directory, and calculating the access rising rate of the sensitive directory when the access number ci of the sensitive directory is larger than the reference value jz, wherein the expression is as follows In/>Representing the number of accesses to the sensitive directory at the initial point in time,/>Representing the number of accesses to the sensitive directory at a subsequent point in time,/>A time period representing an interval;

Collecting network connection data once at fixed time intervals, recording connection states including normal states and disconnection states, recording connection time of network connection of the terminal identity authentication equipment again when the terminal identity authentication equipment is in the disconnection state, comparing the connection time with a preset connection time threshold, marking the connection time greater than the preset connection time threshold as delay time when the connection time is greater than the preset connection time threshold, counting disconnection times k of each time interval time, and delaying the total time I represents the sequence number of network connection data acquisition of borrower during identity authentication by using terminal identity authentication equipment, i=1, 2,3, 4, … …, n is a positive integer, n represents n pieces of data in total, and the network connection disconnection delay coefficient is calculated, and the expression is as follows/>；

During the identity authentication of borrowers by using terminal identity authentication equipment, recording the state of each authentication, including success and failure, counting the authentication success times ck and failure times sc in each time period, and calculating the failure ratio sa, wherein the expression is as follows And calculates an abnormal authentication fluctuation coefficient according to the failure ratio, the expression is as follows/>Wherein m represents the number of time periods,/>Representing the failure ratio of the jth time period,/>Mean value of failure ratio is expressed as follows。

4. The internet credit integrated management system according to claim 2, wherein: normalizing the security patch defect coefficient, the sensitive directory access rising rate, the network connection disconnection delay coefficient and the abnormal authentication fluctuation coefficient, constructing an intrusion risk assessment model according to the normalized security patch defect coefficient, the normalized sensitive directory access rising rate, the normalized network connection disconnection delay coefficient and the normalized abnormal authentication fluctuation coefficient, and generating an intrusion risk assessment indexThe formula according to which is as follows/>In/>Preset proportionality coefficients respectively representing security patch defect coefficients, sensitive directory access rising rate, network connection disconnection delay coefficients and abnormal authentication fluctuation coefficients,/>Are all greater than 0.

5. The integrated internet credit management system of claim 4, wherein: the intrusion hidden danger classification module is used for comparing the evaluation result with an intrusion hidden danger threshold value to classify whether an intruder intrudes into a lending platform along with a borrower or not, and specifically comprises the following steps:

6. The internet credit integrated management system according to claim 1, wherein: in the behavior analysis module, the operation behavior information of the borrower on the lending platform comprises a multidimensional crowd behavior deviation coefficient, and the invaded response information comprises an invasion detection response duty ratio coefficient;

7. The internet credit integrated management system of claim 6, wherein: the acquisition logic of the multidimensional crowd behavior deviation coefficient is as follows:

In order to facilitate distinguishing between the current borrower being marked as an A borrower, the other borrowers being matched are marked as B borrowers, and meanwhile, the historical behavior operation data is used as similar information and marked as an information set, such as ，/>; And each element in the collection represents different similar information of the borrower;

Step one, representing a borrower similarity information set as a vector, wherein each element in the set represents each dimension of the vector, and simultaneously obtaining the borrower similarity information set by normalizing the similarity information in the set, and marking the borrower similarity information set as ，/>；

Step two, calculating the norm of each vector, namely the modulus of the vector, and marking the norms of the two vectors as respectivelyAnd/>The norm calculation formula of the vector is/>And；

Step four, calculating cosine similarity: calculating similarity coefficients of the two vectors by using a cosine similarity calculation formula through the obtained vector norm and vector inner product, wherein the expression is thatIn the above, the ratio of/>Is the borrower similarity coefficient;

calculating multidimensional crowd behavior deviation coefficients In the above, the ratio of/>Representing the borrower's/>, within the current time period, of the borrowing platformDimension action data,/>Representing historical behavioural operation data No. >Group/>Dimension action data, u=1, 2, 3, 4, … …, r is a positive integer,/>Represents the/>/>, Of individual similar borrowersMaintaining behavior operation data;

the intrusion detection response duty ratio coefficient is calculated as follows In/>Indicating that borrowers cannot be in the way of being invaded by an attackerThe number of times detected in time,/>Indicating that borrowers can be at/>, when being invaded by an attackerThe number of times detected in time.

8. The internet credit integrated management system of claim 7, wherein: normalizing the multidimensional crowd behavior deviation coefficient and the intrusion detection response duty ratio coefficient, constructing a behavior analysis abnormal model according to the normalized multidimensional crowd behavior deviation coefficient and intrusion detection response duty ratio coefficient, and generating a behavior analysis abnormal indexThe formula according to which is as follows/>In/>Respectively representing preset proportionality coefficients of multidimensional crowd behavior deviation coefficients and intrusion detection response duty ratio coefficients,/>, ofAre all greater than 0.